As the headlines about ransomware attacks pile up, it is impossible not to think about what may happen if your practice is targeted. Some readers may have already experienced this; hopefully more of you have not. Industry leaders continue to say that it’s not an IF, it’s a WHEN. With the high profits, ease of distribution, and relatively low risk for the attackers, there is no sign that ransomware will slow.

Although the FBI does not recommend paying the ransom in an attack, a recent survey commissioned by Sophos found that 26% of companies that experienced an attack chose to pay the ransom to recover their data. Yet the same survey finds that organizations that pay the ransom end up paying more overall to recover their data than those that are able to recover from backups.

The problem is, many companies find themselves with limited options to recover.

If appropriate backups are in place, restoring operations can be simple. 56% of attacked organizations reported that they chose to recover from backups. If that is not an option, then companies must weigh the risk of paying the ransom, with no guarantee of file recovery, against the massive cost and lost data of rebuilding their damaged and vulnerable infrastructure. 85% of the surveyed companies had cyber liability insurance, yet only 64% said their policies covered ransomware. Of that 64%, 94% said the ransom was paid by their insurance company. Even then, there is no guarantee of full file recovery. Some companies may find themselves paying the ransom and THEN paying to rebuild, or facing litigation over the lost data.

The Sophos survey states that “victims of ransomware attacks were asked to provide an estimated cost of the attack, including downtime, staff costs, equipment costs, lost business, and other associated costs. The average cost in cases where the ransom was not paid was $732,520 whereas the cost was around twice that amount at organizations that paid the ransom - $1,448,458.”

If an organization chooses to pay the ransom, which is often sizeable, it still faces the other costs associated with an attack. Further down the line, there may be litigation over the data breach or loss. And while recovery by paying the ransom may seem the fastest way to resume normal operations, decrypting endpoints is often a cumbersome and time-consuming process, and you risk data corruption during both encryption and decryption.

As the FBI recommends, you should never pay a ransom unless there is no other choice. Paying the ransom only feeds the attackers and ensures that ransomware attacks remain a viable business for decades to come. Organizations should recover their files from backups and take the appropriate steps to make sure that option is in place, including ensuring multiple backups are made with one copy stored on an air-gapped device. Equally important is testing the backups on a regular basis, by actually restoring from them, to make sure they are not corrupted. While these steps may seem like unnecessary expenses, the data shows that not having them is even more costly.