The Conundrum of Ransomware Attacks: To Pay or Not to Pay?

• Cybersecurity

Recently, the world has witnessed a surge in ransomware attacks, with corporations finding themselves in a difficult predicament: to pay the demanded ransom or not? The recent incidents involving MGM Resorts and Caesars Entertainment spotlight this conundrum.

"Trust is impossible when dealing with cybercriminals. Yet, corporations often find themselves in a conundrum: to pay or not to pay?"

The MGM Resorts Attack

In September, MGM Resorts became the victim of a massive ransomware attack, creating havoc in its operations. Prominent casino hotels in Las Vegas, such as the Bellagio, Mandalay Bay, and the Cosmopolitan, were affected. The cyberattack disrupted electronic payments, slot machines, ATMs, and paid parking systems, causing guests to wait hours to check-in. The hackers also managed to steal a massive trove of customers' personal information from MGM's servers. Despite the damage, MGM chose not to pay the ransom, a sum that remains undisclosed but is likely less than the $100 million the company expects to lose in the aftermath of the cyberattack.

The Caesars Entertainment Incident

Contrastingly, an earlier cyberattack on Caesars Entertainment barely made news as the hotel and casino giant decided to pay the hackers to prevent the disclosure of stolen data. This incident reveals a concerning fact: according to a survey by Splunk, about 83% of organizations admit to paying hackers after a ransomware attack, with over half paying at least $100,000, either through cyber insurance or a third party.

The Dilemma of Paying the Ransom

For large organizations with significant financial resources, paying the ransom is often the most efficient and cost-effective solution to restore their networks and recover stolen data. However, there is no guarantee paying the ransom will ensure the safe return or total deletion of the stolen data. The trustworthiness of cybercriminals is fundamentally questionable, and the data remains compromised regardless of whether a ransom is paid.

The Aftermath of Paying the Ransom

While paying the ransom may resolve the immediate crisis, it also signifies a corporation's willingness to pay large sums of money to resolve problems, making it an attractive target for future attacks. A study by Cybereason reveals that a subsequent attack hit 80% of ransomware victims who paid the ransom. Of the compromised organizations, 68% reported that the second attack came less than a month later, with the hackers demanding a higher ransom.

The Legal Implications

While paying a ransom is not illegal, the FBI advises against it as it encourages ransomware gangs to continue targeting new victims. Additionally, organizations might find themselves in legal trouble if they are found to have paid a ransomware gang sanctioned by the U.S. government. Violation of U.S. sanctions laws can lead to criminal prosecution.

In conclusion, while paying the ransom is the easiest and cheapest option, it will likely cost an organization more in the long run. Establishing robust cybersecurity measures can help prevent such attacks, thereby avoiding the dilemma of whether to pay the ransom.