Ransomware Reality Check: Are You Ready To Face Organised Cybercrime?

Decisions about ransoms belong at the highest leadership levels.


As we move into a new year, it seems remarkable that the topic of ransomware remains a constant sore spot for organisational leadership. Yet judging by the number of data leak posts ransomware groups make to their sites, many companies are continuing to struggle with post-breach resilience.

Whilst certain security controls remain in place, the omission of ransomware-specific policies in the organisation’s business continuity plan often leads to senior leadership scrambling onto lengthy Zoom calls mid-incident, and making key decisions in haste.

However, by thinking beyond just the technical risks, organisations can be truly prepared for the ruthless professionalism of attackers.

No longer a basement activity

We have all seen the image plastered across media stories covering cyber-related attacks: a nefarious looking individual with face obscured by a dark hoodie, hunched over a keyboard. This stereotype fails to address the professionalisation of digital criminal groups, and none more so than the as-a-service criminal ransomware groups who have evolved far beyond lone hackers operating in isolation.

Today, most attacks are the work of professional criminal enterprises, mirroring legitimate businesses with profit structures, R&D teams, and affiliate recruitment. This structured approach lets them scale operations and continuously innovate. Further, it has been typified by the migration from an attack on availability (e.g., encrypting data) to one on confidentiality (e.g., exfiltrating data).

Those groups that now focus on data exfiltration have been able to garner greater leverage when attempting to extort victims, and this has contributed to the rise in average ransomware demands.

This shift means backups are no longer enough, nor for that matter is the availability of a free decryption tool. Stolen data can cause irreversible damage to a company’s reputation and stakeholder trust, and that’s where the money now is.

I have personally observed this pressure tactic in action when leading the response to an incident that affected a large multinational enterprise. In that instance, the senior leadership felt compelled to pay because the ransomware group threatened to leak the compromised data. The leadership team viewed this as a significant risk to partner relationships, ultimately deciding to pay in the hope of preventing the leak.

The change in extortion tactics is a direct response to efforts to tackle ransomware. Industry initiatives like ‘No More Ransom’, a non-profit that provides guidance and file decryption tools, have helped curb the impact of attacks, so threat groups have innovated to maintain their profits.

The chilling emotional disconnect in ransomware crime

The growing organisation of ransomware also means that groups treat negotiations as routine business transactions, conducted with a disturbing level of professionalism.

One of the most chilling aspects of ransomware is the utter emotional detachment of its perpetrators. Cyber-criminals rarely witness the suffering they inflict, which allows them to dehumanise their victims entirely. I’ve seen first-hand the devastating impact these attacks can have, from small businesses unable to operate, to deeply personal extortion cases.

This disconnect is amplified by the digital nature of the crime, turning victims into numbers on a balance sheet. For the targets, it can be life-shattering. For the criminals, it’s just business. Cyber-criminals are often holding hundreds of victims to ransom at the same time. Moreover, we have to acknowledge that digital extortion extends beyond corporations, with individuals also being targeted.  

Lessons for businesses: proactive preparation

Ransomware is heavily geared around shock and awe. The assailants are banking on their victims being so overwhelmed by the financial or emotional implications of the attack that they will fold and comply with ransom and blackmail demands.

So, a lack of preparation is an absolutely colossal mistake for any organisation. Businesses often struggle to answer basic questions like whether to pay the ransom, their payment limits, or who will negotiate on their behalf. These decisions must be made before an attack, not under pressure.

I challenge any employee concerned about ransomware to ask if their company has a payment policy in place. This isn’t just about deciding whether or not to pay; it’s about knowing your stance, defining procedures, and identifying the resources you’ll need.

For example, establishing retainers with incident response specialists in advance can ensure immediate access to experts during a crisis, reducing the stress and expense of finding available experts on the fly.

It’s also critical to recognise that ransomware is not just a technical issue, it’s a business issue. Since paying a ransom means directly financing organised crime, it’s also a deeply moral issue, and not a decision to be taken lightly or quickly.

Decisions about ransoms belong at the highest leadership levels, with CEOs, boards, and CISOs working together to avoid reactive responses. Above all, the default approach should be to never pay the ransom.

Aside from the moral implications, there is simply no guarantee the criminals will uphold their end of the deal. Instead, businesses must prioritise preparation, prevention, and resilience.

Digital extortion is a critical issue that has impacted wider society, so organisations must make every effort to prepare. Those who take the time to follow guidance from industry and government resources, and who get proactive policies in place, will have the best chance of not becoming another victim of this billion-dollar industry.


Raj Samani, SVP Chief Scientist, Rapid7

Raj Samani is a computer security expert responsible for extending the scope and reach of Rapid7’s research initiatives. Raj joins Rapid7 from McAfee where he served as McAfee Fellow and Chief Scientist after serving as VP and Chief Technical Officer in EMEA. Raj has assisted multiple law enforcement agencies in cybercrime cases, and is special advisor to the European Cybercrime Centre (EC3) in The Hague.
