Paying a Ransom Doesn’t Put an End to the Extortion

The healthcare industry has been extensively targeted by ransomware gangs and victims often see paying the ransom as the best option to ensure a quick recovery, but the payment does not always put an end to the extortion. Many victims have paid the ransom to obtain the decryption keys or to prevent the publication of stolen data, only for the ransomware actors to continue with the extortion.

The advice of the Federal Bureau of Investigation (FBI) is never to pay a ransom following a ransomware attack: doing so allows the threat actors to put more resources into their attacks, it encourages other threat groups to get involved in ransomware, and there is no guarantee that paying a ransom will allow the recovery of data or prevent the misuse of stolen data.

A recent survey conducted by the cybersecurity firm Venafi has helped to quantify the extent to which further extortion occurs. The survey has provided some important statistics about what happens when victims pay or do not pay the ransom demands. The survey was conducted on 1,506 IT security officers from the United States, United Kingdom, Germany, France, Benelux, and Australia and explored the rapidly growing risk of ransomware attacks.

67% of companies with 500 or more employees said they had experienced a ransomware attack in the past 12 months, and 83% of ransomware attacks involved double or triple extortion tactics, where sensitive files are stolen and payment is required to decrypt files, prevent the publication of data, and prevent attacks on customers and suppliers.

According to the survey, 38% of attacks involved threats to extort victims’ customers using stolen data, 35% involved threats to expose stolen data on the dark web, and 32% involved threats to inform customers that their data had been stolen.

16% of organizations that did not pay the ransom had their data exposed on the dark web. 35% of victims said they paid the ransom but were still unable to recover their data, and 18% of victims said they paid the ransom to prevent the exposure of stolen data, but the information was still exposed on the dark web. 8% said they refused to pay the ransom and the attackers then attempted to extort their customers.

Many ransomware gangs now operate under the ransomware-as-a-service (RaaS) model, where affiliates are recruited to conduct attacks for a cut of any ransoms they generate. While the RaaS operators often provide playbooks and issue guidelines for conducting attacks, there is little enforcement of compliance. Ransomware gangs often operate for short periods and try to extort as much money as possible from victims before shutting down their operations, rebranding, and starting again. There have also been cases of ransomware gangs providing stolen data and network access to other cybercriminal groups regardless of whether the ransom was paid, showing quite clearly that ransomware gangs cannot be trusted. Some ransomware gangs have taken over negotiations with victims from their affiliates, cut the affiliates out, and withheld their share of the payment, showing there is also no honor among thieves.

“Organizations are unprepared to defend against ransomware that exfiltrates data, so they pay the ransom, but this only motivates attackers to seek more,” said Venafi vice president, Kevin Bocek. “The bad news is that attackers are following through on extortion threats, even after the ransom has been paid!”

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.