HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

Study Suggests Paying a Ransom Doubles the Cost of Recovery from a Ransomware Attack

Organizations that experience a ransomware attack may be tempted to pay the ransom to reduce downtime and save on recovery costs, but a survey commissioned by Sophos suggests organizations that pay the ransom actually end up spending much more than those that recover files from backups.

The FBI does not recommend paying a ransom: giving attackers money enables them to conduct more attacks, could see a victim targeted further, and there is no guarantee that valid keys will be supplied to decrypt data. The increased cost of recovery can now be added to the list of reasons not to pay.

The survey was conducted by market research firm Vanson Bourne between January and February 2020 on approximately 5,000 IT decision makers at companies with between 100 and 5,000 employees across 26 countries including the United States, Canada, and the United Kingdom.

51% of the people surveyed said they had experienced a ransomware attack in the previous 12 months, and 73% of those said the attack resulted in the encryption of data. 26% of attacked organizations paid the ransom and 73% did not. 56% of firms said they were able to recover their files from backups. Of the firms that paid the ransom, 95% said they were able to recover their data, while 1% said they were unable to recover their data.


84% of organizations said they had a cyber insurance policy, but only 64% said that policy covered ransomware attacks. Out of the 64% that did have coverage for ransomware attacks, 94% said the ransom was paid by their insurance company.

Victims of ransomware attacks were asked to provide an estimated cost of the attack, including downtime, staff costs, equipment costs, lost business, and other associated costs. The average cost in cases where the ransom was not paid was $732,520, whereas the cost at organizations that paid the ransom was around twice that amount: $1,448,458.

The ransom payment itself, which is often sizable, must be covered, and many of the other costs associated with an attack have to be paid even if the ransom is. Paying to recover more quickly may seem attractive, but in reality recovery time may not be shortened considerably. Oftentimes a separate decryption key is required for each endpoint, so recovery will still be an incredibly time-consuming process, and it may not be straightforward. It is also not unusual for data to be corrupted during encryption and decryption.

The take-home message is to make sure that you have the option of recovering files from backups, which means ensuring multiple backups are made with one copy stored on an air-gapped device. Backups must also be tested regularly to make sure the data has not been corrupted and that file recovery is actually possible. You should then follow the FBI's recommendation and not pay the ransom unless you have no other choice.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.