Why organizations shouldn't pay ransomware demands [Q&A]
Many organizations around the world are opting to pay ransoms to cybercriminals in order to buy back ownership of their data. But this can leave them open to further risk of attack.
Gerasim Hovhannisyan, CEO and co-founder of EasyDMARC, believes it's wrong to pay up and that it's better to establish good defenses. We spoke to him to find out why.
BN: What prompts organizations to pay up when they get a ransomware demand and why is it a bad idea?
GH: A ransomware attack can wreak serious havoc on an organization. It typically means operations grinding to a halt and sensitive internal or customer information being stolen. Organizations are typically left with two choices: spend time and resources trying to circumvent the effects of an attack or pay up.
Many organizations choose to pay up after suffering an attack, mostly because they need to return to business as soon as possible. Sadly, this just encourages ransomware operators to strike again, knowing that they can get what they want out of the deal. The only sustainable path for companies, in the end, must be to ensure they'll never be in a position of being forced to fold to cybercriminals' requests ever again.
BN: Why are businesses still falling victim to ransomware?
GH: Poor email security is a significant reason why ransomware attacks are still a problem.
Many organizations still use email as a primary form of communication both internally and with clients, networks, and partners. So it’s no surprise that email is the main vector cybercriminals use to deploy ransomware.
In 2022 -- according to government statistics -- 83 percent of UK organizations who experienced cyberattacks reported the attack vector as 'phishing,' while 21 percent reported the attack as 'ransomware or malware.' Despite the potential protection that can be offered by solutions such as domain authentication to stop impersonation, these services are still wildly under-adopted.
BN: Which tools should organizations be adopting to help reduce the risk?
GH: To stop email phishing attacks, it is critical organizations start implementing email domain authentication tools like Sender Policy Framework (SPF), DomainKeys Identified Mail (DKIM), and Domain-based Message Authentication, Reporting and Conformance (DMARC). These three tools work in tandem to tackle phishing attempts by identifying fraudulent domains, determining the authenticity of senders, and limiting the number of phishing and spoofing emails reaching a receiver's inbox.
Despite the availability of domain authentication tools like SPF, DKIM, and DMARC, they're still woefully under-adopted worldwide. In the US, for example, only 7.8 percent of higher education domains use DMARC, despite there being a weekly average of 2,297 attacks against education and research organisations in 2022.
It is also important that organizations have a comprehensive incident response plan in place to respond to phishing attacks and other cybersecurity incidents. By isolating infected systems, reporting the incident, activating an incident response plan, and enhancing cybersecurity measures, organizations can reduce the impact of an attack and prevent similar occurrences in the future.
BN: How big a role does education and awareness training have to play in combating the threat?
GH: Part of the reason why domain authentication adoption is so low today is due to a general lack of understanding of cybercriminals'’' ever-evolving tactics. For example, generative AI has helped phishers 'supercharge' their scamming efforts by allowing them to send hyper-personalized phishing mailers in massive quantities and in record time.
That means that people need to be educated about the importance of stopping ransomware at the domain level, well before any human can risk running into a phishing mailer. IT and security teams need to be aware of the pivotal role that maintaining domain-level reporting and defense will play in ransomware mitigation, and how to implement it.
BN: How long before we reach a tipping point where technologies like DMARC are universal?
GH: I hope the answer to this will be 'soon,' but this relies on organizations being open and willing to learn and adapt their email security practices. Although, with phishing mailers becoming more sophisticated than ever, I think the tipping point is rapidly closing in on us.
Image credit: belchonock/depositphotos.com