While Canadian companies aren’t yet flatly refusing to pay ransoms to cybercriminals, recent stats show ransomware payments are starting to fall off.
“At the start of 2019, 85% of victims of ransomware attacks paid a ransom following a [cyberattack],” a Coveware report found, as cited in The HIPAA Journal in January 2024. “By the middle of 2021, the percentage had fallen to 46%, and in Q4, 2023, only 29% of victims paid the ransom.”
Canada is in line with those global trends, reports Lindsey Nelson, head of cyber development at CFC. She notes companies used to make ransomware payments simply because they received a threat. Things are different now.
“From a CFC perspective, it is a trend we’re seeing all over the world, but markedly, I’d say, it’s not as steep of a decline in Canada,” she tells Canadian Underwriter.
Canadian businesses paid just over 20% of the ransom demands made of them in Q3 of last year, one of the higher peaks.
“This most previous quarter, it’s halved to 10%. So yeah, it’s gone down 50%.”
Nelson says it’s too soon to tell exactly what may be causing this trend. She cautions that ransomware payments are cyclical and will ramp up or fall based on a variety of circumstances.
Driving ransom refusals
The current downward trend in ransomware payments is “attributable to many factors — resiliency, maturity — but also, we’ve learned a lot,” says Meredith Schnur, regional cyber practice leader for U.S. and Canada at Marsh Specialty.
“Do we really have to pay?” she poses. “In some circumstances, absolutely yes. Healthcare is one. You’re talking about life and death, the hospital being open or closed. I mean, these are the decisions that we have to make with our clients about what we do here.”
Some say cybersecurity controls requested by insurance underwriters are helping. For example, system backups are a staple of any cybersecurity plan, so a business can recover from a cyberattack instead of being paralyzed by it.
But there are no foolproof systems, cyber insurers warn.
“Some backup products back up data to file shares accessible over corporate networks,” as Boxx Insurance reports on its website. “Further, many organizations still use the default directory name created by these backup products to store these backups.
“The default names of these directories are readily accessible in the documentation published by backup providers. Some creators of ransomware figured this out a while ago. As part of their malware that finds and encrypts data on production servers, they also probe corporate networks for these default backup directories and encrypt the backups in these directories.
“In so doing, they increase the possibility that companies cannot recover from backups.”
Nelson says it’s a good idea for clients to test their backups. Overconfidence in security systems can lead to a bad result when negotiating ransom payments with cybercriminals.
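The two failure modes described above (backups sitting under guessable default folder names on a share an ordinary account can write to, and a backup job that silently stopped working months ago) can both be caught with a routine audit. The script below is an added example, not code from the article or from any insurer or backup vendor. The list of default folder names and the manifest format are assumptions made for the example; substitute the directory names your own backup product documents.

```python
"""Backup hygiene audit: added example, not part of the original article.

Check 1: directories with guessable default backup names that the *current*
         account can write to. Run it as an ordinary workstation user, since
         that is the privilege ransomware usually executes with.
Check 2: a restore test of the newest backup set: is it fresh, complete and
         does every file still match the hash recorded when it was written?
"""
import hashlib
import json
import os
import tempfile
import time

# Assumed watchlist of default backup folder names (constructed for this example).
DEFAULT_BACKUP_DIR_NAMES = {"backup", "backups", "windowsimagebackup"}

MANIFEST = "manifest.json"  # assumed manifest file name, not any vendor's


def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def find_exposed_backup_dirs(root):
    """Walk a share root and flag directories whose name is on the watchlist.
    'writable' reflects the account running this script."""
    hits = []
    for dirpath, dirnames, _ in os.walk(root):
        for d in dirnames:
            if d.lower() in DEFAULT_BACKUP_DIR_NAMES:
                full = os.path.join(dirpath, d)
                hits.append({"path": full, "writable": os.access(full, os.W_OK)})
    return hits


def write_manifest(set_dir, created=None):
    """Record one SHA-256 per file so a later restore test can verify integrity.
    Assumed format: {"created": epoch_seconds, "files": {relpath: sha256}}."""
    files = {}
    for dirpath, _, names in os.walk(set_dir):
        for n in names:
            if n == MANIFEST:
                continue
            full = os.path.join(dirpath, n)
            files[os.path.relpath(full, set_dir)] = sha256_of(full)
    manifest = {"created": time.time() if created is None else created, "files": files}
    with open(os.path.join(set_dir, MANIFEST), "w") as f:
        json.dump(manifest, f)
    return manifest


def verify_backup_set(set_dir, max_age_days=1, now=None):
    """Restore test. 'ok' is False when the set is stale, or any file is
    missing or no longer matches its recorded hash (e.g. it was encrypted)."""
    now = time.time() if now is None else now
    with open(os.path.join(set_dir, MANIFEST)) as f:
        manifest = json.load(f)
    age_days = (now - manifest["created"]) / 86400
    missing, corrupt = [], []
    for rel, expected in manifest["files"].items():
        full = os.path.join(set_dir, rel)
        if not os.path.exists(full):
            missing.append(rel)
        elif sha256_of(full) != expected:
            corrupt.append(rel)
    stale = age_days > max_age_days
    return {"ok": not (stale or missing or corrupt), "age_days": age_days,
            "stale": stale, "missing": missing, "corrupt": corrupt}


def demo():
    """Constructed fixture: a share with a default-named 'Backups' folder whose
    newest set is 90 days old and has one file overwritten in place."""
    base = tempfile.mkdtemp()
    set_dir = os.path.join(base, "Backups", "fileserver-2024-07-01")
    os.makedirs(set_dir)
    with open(os.path.join(set_dir, "db.bak"), "wb") as f:
        f.write(b"constructed backup payload")
    write_manifest(set_dir, created=time.time() - 90 * 86400)
    # Simulate ransomware encrypting the backup: same name, different contents.
    with open(os.path.join(set_dir, "db.bak"), "wb") as f:
        f.write(b"\x00encrypted\x00")
    return {"exposed": find_exposed_backup_dirs(base),
            "verify": verify_backup_set(set_dir, max_age_days=7)}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Run the writability check from a normal user workstation against each share, not from the backup server as an administrator: the question is what an infected user session can reach. Schedule the restore test after every backup job, because a job that has quietly failed for months produces exactly the "stale" result the case study below describes.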
“We’ve got a really famous case study at CFC where there was a ransomware demand made to the company,” Nelson tells CU. “They encrypted their files. The company called us just as a precautionary measure to say they were handling it. Everything was going to be fine, and no notice to be made.
“[But] when they went to go recover from their backups, which influenced that decision [about not making a ransomware payment], they realized that the backups hadn’t been working for months, and so all of their data was corrupted and lost.
“They had to recreate it all completely from scratch. And that extra expense coverage under the cyber policy paid to the tune of hundreds of thousands of dollars just for that simple error with backup.
“The main takeaway from that is backups are one piece of the puzzle. The threat actors are always one step ahead of the curve. And equally, cybersecurity never provides 100% protection.”
Red light, green light
Another simple reason ransomware payments are falling is that governments are increasingly making such payments illegal. The theory is that if you’re not allowed to pay the ransom, there will be fewer ransomware attacks.
“We’re seeing most threat actors emanate from sanctioned entity territories, which means if a business does opt to pay a ransom to those ransomware groups, it’s going to a sanctioned entity, and [the companies] do face a lot of legal and regulatory pressure because of that,” says Nelson. “They have to answer as to why they made that payment.”
At least one cyber insurer offers a traffic light system to advise businesses whether their cyber attackers are sanctioned (Red light = Do not pay the ransom. Yellow light = It’s unclear if the attacker is sanctioned. Green light = Payment is an option).
Of course, just because you pay a ransom doesn’t mean you’ll get your data back. Some cybercriminals will double-cross the company and not release the data. Other threat actors want to be seen as credible, to ensure they’re taken seriously in future attacks, and will decrypt the data.
Security officers and former police officers, who often make up part of a cyber incident response team, may have encountered some of these threat actors in previous negotiations, so their experience will tell them whether or not a group is credible.
This article is excerpted from one appearing in the October-November 2024 print edition of Canadian Underwriter. Feature image courtesy of iStock.com/megaflopp