It's early in the morning, the weather is good, the birds are chirping, and you're looking forward to the upcoming workday. But what awaits you at your workplace doesn't bode well. As you start your computer, nothing seems to work anymore. The screen flickers, and you can't log in, let alone perform any other action on the computer. Then a window appears with the message, "Pay CHF 2,000,000.00 in Bitcoin, and we will release your IT system. Recipient: Jane and John Doe (...)." Your IT system is infected with ransomware in the form of an encryption or extortion trojan (see: https://www.teichmann-it.com/services/ransomware-negotiations.html).
This blog post outlines your options after a ransomware attack with a ransom demand. In principle, you have three options:
First and foremost, remain calm, do not panic, and do not act impulsively. A structured, thoughtful response to the cyberattack is crucial. Gather the facts and get an overview of the situation. Then assess your options. Through a risk assessment, determine the best option for the individual case.
Naturally, restoring the IT infrastructure without paying a ransom and without data loss is the ideal scenario in all cases. However, this scenario is not always realistic. Attackers use their excellent technical skills for malicious purposes, and dependency on IT systems often places modern companies at a disadvantage. The assumption that IT systems can always be recovered under reasonable conditions seldom holds in practice. This makes it particularly important to involve specialists in the individual assessment. Restoring the system requires comprehensive and specialized knowledge, specific infrastructure, and both human and financial resources. Therefore, the company’s ability to meet these requirements must be assessed.
It is also essential to assess whether restoration measures are proportionate in terms of: direct costs, which should not be excessively high (e.g., exceeding the ransom demand); time, as the IT system is often nonfunctional during the restoration process; disruption to regular business operations; and financial losses flowing from suspension of business activities. If the conditions for a proportionate restoration attempt are not met, other options must be identified and considered.
Teichmann International (IT Solutions) AG strongly advises against paying a ransom. Such payment offers no guarantee that the attackers will leave you alone. Rather, it suggests vulnerability, which could lead to further demands. In particular, a high-profile extortion story in the news involving a paid ransom could make you an attractive target for other attackers. An extortion spiral must be avoided at all costs. Even if the attackers do release your systems, your data may have been misused (e.g., sold) already. Equally relevant is reputational damage: if the company pays, loss of trust and subsequent loss of customers could result. Another relevant consideration is that payment finances the perpetrators' actions, making the extortion model a lucrative business. It is clear that payment should only be made if the company is financially well-positioned. Even then, a cost–benefit analysis should be conducted before deciding to pay. Taking these aspects into account allows for an informed risk analysis. If this analysis indicates that paying the ransom is a valid option, it is imperative to consult specialized professionals who can assess the legal permissibility of such payment.
It is extremely important for the entire process to be guided by specialists to help you develop an informed solution strategy. Teichmann International (IT Solutions) AG offers you precisely this tailored, all-encompassing service, which also includes outstanding legal advice.