Dangers of saying ‘yes’ to ransomware

by Mark Rowe

Edwin Weijdema, Global Technologist, at the data protection and back-up software company Veeam, pictured, writes of how to say ‘no’ in the face of a ransomware attack.

With more than 236 million ransomware attacks taking place in the first half of 2022, attacks are growing in volume and intensity and now affect nearly every industry sector. This is driven by an influx of new ransomware criminals and bolder efforts to secure greater ransom payments from existing bad actors.

But, while many organisations rush to pay the ransom when attacked, this still provides no guarantee that you’ll get your data back. According to recent research, 52pc of global organisations with encrypted data paid the ransom and successfully recovered their data, but one in four who paid couldn’t recover it. As a result, the debate around whether to pay or not continues to be highly contentious. While some pay to try and quickly get back online and resume operations, others who’ve planned for the inevitable can recover without paying.

However, instead, we need all organisations to reach a point of ‘no fear’ where they have the power to refuse payment safely in the knowledge that their data backup is tight enough to ensure that recovery time is low, and data loss is zero.

Before organisations can reach this point of ‘no fear,’ there are many steps they need to take, but first, they need to consider why they pay demands and understand the danger of saying ‘yes’.

Fundamentally, they’re scared and trying to avoid several harmful consequences. Reputational damage is a big one, as well as security departments’ concerns about repercussions for their jobs. This drives organisations to make payments in the hope that they’ll stay out of the news, and that the disaster will reach a quiet resolution.

On a more serious note, the methods used by ransomware criminals often make organisations feel they have no choice. Ransomware gangs target backups, leaving organisations in a difficult position: even though they backed up their data, this formed part of the attack. Looking into the mind of a ransomware criminal, you can see why they would target back-ups – after all, it’s the most valuable, sensitive, and business-critical data that is prioritised for back-up, so attackers know that what they’re getting is crucial to business function, rather than data that organisations can do without.

Unfortunately, as we know, paying the ransom doesn’t mean data will be successfully recovered and the case closed. In fact, in many cases paying the ransom sets off a chain reaction. If you pay your ransom demands, you’re telling your attackers that you’ll do whatever they ask of you, and this leads them to exploit you even further. Only about one in four organisations suffered just one attack – instead, bad actors came back for more, launching further attacks and making more demands. This is known as double or triple extortion.

Double extortion is also sometimes known as ‘name and shame extortion’, and this very clearly communicates why it is such a threat to organisations, and why they pay in the hopes of avoiding it. This type of ransomware attack entails not only the theft and encryption of data but also its dissemination. Attackers will extort their targets by threatening to share the stolen data, with their competitors for example.

Triple extortion adds more pressure to the double extortion tactic, by also threatening a Distributed Denial-of-Service (DDoS) attack if the payment is not made on time. When this happens, organisations can feel truly desperate: not only have they had their data exfiltrated and encrypted, but they also face its publication as well as the complete shutdown of their business should a DDoS attack come to fruition.

Unfortunately, more often than not this is what happens when you pay your ransomware demands, and the best way to avoid it is to make sure your backup strategy is strong enough for you to be able to say no.


Your back-up is your last line of defence against ransomware attacks, but not all back-ups are created equal. It is not enough simply to have a back-up in place as back-up repositories were targeted in 94pc of attacks, and almost 70pc of cyber events saw at least some repositories impacted.

This means you can only say no to ransomware demands if you’re protecting the right data in the right way. To do this, you need to be very sharp when it comes to your data classification. These days, organisations have and continue producing a lot of data, which means it can be difficult to know what the important parts are, and where they reside. However, to fortify your data protection strategy you need to make sure you know what data you have, and what you need to backup.

Unclassified data is not tagged or identifiable, and this also makes it harder to assign a risk level to datasets. If you’re aiming to protect mission-critical data, first you have to identify it. On top of this, tagging your high-priority data is also a significant part of data recovery. Often, businesses cannot be sure which of their datasets have been breached in an attack, and this is another force driving them to pay the ransom, as they are unable to rule out the possibility that their most sensitive data has been compromised, as well as being unable to locate specific sets to recover.

As well as ensuring data is classified, it’s essential that you follow the golden rule of ‘3-2-1’ backup, but with a twist.

We’ve developed this age-old rule, which insists upon three copies of each dataset, saved across a minimum of two different media, and with one of the copies stored off-site. We’ve added a few more numbers to the end of this rule, making it ‘3-2-1-1-0’. In addition to the usual steps, we view a few other things as non-negotiable.

Firstly, one copy of backup data must be hosted offline, one must be air-gapped or immutable, and overall, there must be zero errors in the testing stage. It may seem a simple point to make, but it’s often overlooked: your backup is only useful to you (in the event of an attack, or more generally) if it is verified to ensure there are no errors at all. Otherwise, you cannot recover as planned. This is achieved by daily monitoring – backups should not be left alone as something saved for an emergency, they should be seen as living and in need of constant attention.

Becoming recovery-focused

Ransomware attacks will inevitably happen. It’s a matter not of ‘if’, but ‘when’. This means that even if you’ve mastered your backup strategy, this is only half the battle.

The other half is concerned with making sure that you’re prepared to optimise your data restoration and recovery time objective (RTO). This is a process that absorbs a lot of time. It takes organisations on average 18 days to complete their data remediation, but for 15% of organisations, this process can take place over a matter of months (one to four months). Aside from being labour-intensive, this also means that business function is interrupted during this downtime. To avoid this happening, it’s important to make sure that you have the right infrastructure to support rapid recovery.

Again, this can be aided by a modern approach to data backup – if you back your data up on-prem and in the cloud, you give yourself the capability to recover data from both servers at once. Importantly, you also have an additional line of defence, as 40pc of servers experienced unexpected outages. If you take this into account and strategise accordingly, you can give your organisation more power to say no to ransom demands, safe in the knowledge you have multiple backups at your fingertips.

Organisations tend to rely on incremental data recovery, as it’s considered a more economical option. Yet, as the cost of ransomware attacks increases, it’s worth undertaking the work needed to support full-scale recovery. This entails the redesign of infrastructure so that it can enable organisations to recover data at speed, meaning they can get back to business as usual in a much shorter timeframe than 18 days.

Once you address the factors which lead to ransomware payments, it becomes significantly easier to generate the power needed to refuse. Organisations need to leave behind their fear, empowered by a revamped backup strategy that ensures peace of mind.

Related News

  • Interviews

    Manage when working remotely

    by Mark Rowe

    Working remotely? Manage and protect your identity, writes Steve Watts, co-founder of SecurEnvoy. Businesses are becoming increasingly concerned with the amount of…

  • Interviews

    Cyber report

    by Mark Rowe

    You and me are the threat to cyber-security, a new UK report suggests. No matter how secure your system, how comprehensive your…


Subscribe to our weekly newsletter to stay on top of security news and events.

© 2023 Professional Security Magazine. All rights reserved.