EXECUTIVE SUMMARY:

If your organization opts to pay a ransom, you have an 8% chance of getting your data back in full. And just because your organization has contended with one ransomware attack doesn’t mean that it couldn’t see a second, either in the near future or further out.

“Payment of ransoms is no guarantee that you will get your data back – and certainly no guarantee you won’t be attacked again – in fact, advertising a willingness to pay makes someone a more interesting prospect,” says Lindy Cameron of the UK’s National Cyber Security Centre.

Cost of ransomware increases

Over the past year, the cost of ransomware has doubled. Research shows that the average organization spends $1.85 million to recover from a ransomware attack, compared with $761,106 in 2019.

Although ransom extortion fees vary, some organizations have reported demands for as much as $10-50 million. These days, incident response for ransomware commonly involves a set of ransom negotiators, who assist organizations in negotiating smaller payment sums.

When a ransomware attack occurs

If your organization is hit by ransomware, or even faces the threat of a second or third attack, Check Point Software’s incident response team recommends the following:

  1. Maintain your level-headed thinking. Avoid slipping into panic mode. Reach out to your security team and take a photo of the ransom note. You can then send this photo to law enforcement, who can assist with an investigation.
  2. Isolate compromised systems. Remove the affected device or devices from the rest of the network immediately, if possible. In some cases, isolating affected devices may not be possible, as the attack may have been hiding in systems for an extended period of time. In the event that you can isolate the compromised system, doing so can prevent further damage and assist investigators later on.
  3. Beware of backups. Cyber criminals are aware that organizations may try to circumvent ransom demands by restoring systems from backups. Attackers may attempt to locate, modify or delete backup systems. Before restoring data from backups, ensure that your backup data has not been compromised.
  4. Avoid reboots or system maintenance. Modifications to systems amidst a ransomware attack can unnecessarily complicate clean-up and remediation attempts. Additionally, if you reboot your system, you may permanently lose files. This is because hackers may be in the process of attempted file deletion.
  5. Collaboration is key. In the event that your organization experiences a ransomware attack, ensure that you communicate the message to local law enforcement, and national authorities, if necessary. You’ll also want to inform employees about the incident, providing them with instructions to help them continue with their job duties.
  6. Identify the ransomware type. In some cases, hackers’ ransomware notes state which type of ransomware is in use on a given system. However, in the absence of this information, free tools can assist. Organizations can use the No More Ransom Project website to determine what kind of ransomware they are contending with and whether or not decryption tools exist.
  7. Wondering if your organization should pay a ransom? The decision is not an easy one. If your organization considers payment, the data is not guaranteed to be decrypted or returned in full. Ninety-two percent of organizations do not receive their data back in its original state.

    Do not rush into a decision. Evaluate all options in a comprehensive way. Paying a ransom should really be a last resort. And remember, if you pay the first time around, your organization could experience a second attack, where hackers will expect another extortion payment.

For more on ransomware threats, second attacks and ransomware payment decisions, visit ZDNet.