To Pay or Not to Pay Ransomware: Reasons 15 Companies Paid to Restore Data


Ransomware has become a global menace that is bringing multinational businesses to their knees and destroying over 60% of small businesses within six months.

Ransomware is malicious software that locks users out of their own data and files stored on a computer system. Often the user is greeted with a ransom note stating that the user's data is in the hands of the malware owner and that the user must urgently pay a fee in cryptocurrency to get the data restored. Otherwise, it will be permanently deleted or sold off to the highest bidder on the dark web.

With such a ransomware scenario, many organizations are faced with the question - To Pay or Not to Pay? 

Although this is often the first question an organization considers after it is hit with a ransomware attack, the choice is not simple. Authorities and security experts agree that the choice should be not to pay ransom fees to cyber criminals but rather to restore the organization's data from backups.

Let's look at the organizations that have decided to pay the ransom to understand why it's easier to pay the ransom rather than restore data from backups.

1. Travelex 

Travelex is a London-based foreign currency exchange that has operations in at least 26 countries. The company was a victim of a ransomware attack in January 2020 and paid the ransomware gang a total of $2.3 million. 

The Sodinokibi gang, also called REvil, accessed the company’s networks and encrypted more than 5GB of data. The original ransom demand was $6 million, but several weeks of negotiating saw Travelex pay $2.3 million, approximately 285 bitcoins. 

The reason for paying was to restore customer services in over 1000 stores and 1000 ATMs spread across 26 countries.  

2. City of Valdez, Alaska 

In July 2018, IT networks in the City of Valdez were infected by the Hermes ransomware strain, which is closely tied to North Korean hacking tools and malware. The city officials admitted to paying the hackers behind the attack $26,623.97, the equivalent of 4 bitcoins.

The ransomware attack crippled the city’s networks and infected 170 computers and 27 servers. According to Elke Doom, the incident commander for cyber incident response and Valdez city manager, the payment was necessary to purchase the decryption key from the hackers. 

The payment allowed the city to resume operations as city employees could access the encrypted files in read-only mode while investigations continued. 

3. University of California, San Francisco 

The University of California San Francisco (UCSF), a leading medical research institution developing a COVID-19 cure, was a ransomware attack victim on 1st June 2020. The Netwalker criminal gang was responsible for the attack. 

The hackers noted that the university makes billions annually and demanded a $3 million ransom payment. The criminals also threatened to double the ransom and release the encrypted data, mostly academic work and student details. 

After lengthy negotiations, the university settled on paying $1,140,895, or 116.4 bitcoins, in exchange for a decryption tool to unlock and restore the data.

4. Park DuValle Community Health, Kentucky USA

A ransomware attack targeted Park DuValle Community Health Center in June 2019. The attackers used a ransomware program to encrypt the medical records of more than 20,000 patients. 

The attack prevented the hospital staff from accessing the records for nearly two months, impacting the institution’s appointment scheduling tool and medical records systems. 

The hospital used a pen and paper approach to operate for seven weeks. Park DuValle paid a ransom of 6 bitcoins, approximately $70,000, to get the decryption keys and restore the affected data.  

5. Albany Airport, New York 

Albany International Airport, New York, suffered a ransomware attack in December 2019. The Sodinokibi ransomware strain found its way to the airport’s systems through its maintenance servers and spread to other systems. 

The encrypted files included Microsoft Excel documents containing the airport’s budget data, as well as backup storage systems. However, the ransomware did not infect the airline’s customer data, such as credit card information, U.S. Transportation Security Administration servers, or daily operations. While the amount paid to the attackers remains unclear, it was under six figures.

6. La Porte County, Indiana 

La Porte County was the victim of the notorious Ryuk ransomware attack in July 2019. The IT personnel detected the attack and managed to stop it from spreading to all of the county’s networks and computers. 

The staff contained the attack to less than 7% of the IT infrastructure. However, network services were unavailable since the ransomware infected two domain controllers. The combined efforts of a forensic investigation firm and the FBI to recover the information without giving in to the hackers’ demands proved futile. 

The county paid $130,000 to recover the encrypted data, with the insurance provider paying $100,000. 

7. The University of Maastricht, Netherlands 

The University of Maastricht, based in the Netherlands, paid hackers at least $217,000, approximately 30 bitcoins. A historical exchange rate was responsible for the high amount.

The ransomware attack was first discovered in December 2019 and had infected backup, email, and file servers, putting commercial operations data and valuable research at risk. Investigations tied the attack to TA505, a Russian cybercrime group, and identified the ransomware variant as Clop.

The attackers had also obtained network topology, usernames, passwords, and data. The university paid the ransom to obtain a decryption tool and preserve the availability, confidentiality, and integrity of the affected files.

8. Lake City, Florida 

The officials of Lake City in Florida voted to pay the attackers behind a ransomware attack that had taken down the city’s computer systems. The attack locked out employees and prevented them from accessing their email accounts, while the public was unable to make municipal payments online. The city paid a ransom of 42 bitcoins, approximately $500,000, to regain access to the city’s IT and computer systems.

The city’s cyber insurer was responsible for negotiating with the hackers and agreed to pay the ransom. However, the insurer paid only part of it, as the city footed $10,000. According to the city officials, making the payment was the most effective way of regaining access to the computer systems.

9. University of Calgary 

The University of Calgary became a victim of a persistent ransomware infection in June 2016. The attackers accessed and encrypted the email systems belonging to both faculty and staff. 

The attackers demanded a ransom of 20,000 CAD (Canadian Dollars), approximately $14,700, to provide a decryption key for restoring the services. Since the attack prevented the university from continuing with essential academic work, it met the attacker's demands.

10. Nayana, South Korea

Nayana, a South Korean web provider, suffered a ransomware attack in June 2017. The attack infected at least 153 Linux servers, leading to a shutdown of more than 3400 websites. The attackers demanded a ransom of $4.4 million, but the company negotiated to pay $1 million.

The company paid the ransom to avoid further damage, as the hackers deleted some data permanently during the negotiations. In addition to paying the ransom, the company offered the affected customers free hosting for life and refunded them. The company had negotiated the ransom down to $500,000, only for the hackers to double their demands at the last minute.

11. Unnamed Canadian firm 

A major Canadian firm was forced to pay attackers $425,000 in Bitcoins to restore crippled computer systems after suffering a ransomware attack. The attack encrypted both the production databases and all data backups. 

According to the CEO of Cytelligence, the forensics firm that helped with the investigation, the company had no choice but to pay due to the frozen backups.

The ransomware payout is among the largest payments in Canada’s history. The investigations revealed that the attack was sophisticated. It started with spear-phishing emails containing a PDF attachment with malicious software. The spear-phishing attacks targeted six senior officials within the firm.

12. Hancock Health 

Hancock Health, based in Greenfield, Ind., was a victim of a successful ransomware attack in January 2018. The attack used SamSam ransomware, which exploits vulnerable servers and propagates across a network, infecting all connected machines.

The attack affected the hospital’s internal operating systems, electronic health records, and email systems. The responsible adversaries targeted more than 1400 files and renamed them ‘I’m sorry.’ In exchange for a decryption key, the hackers demanded 4 bitcoins, approximately $55,000.

The hospital tried operating using pen and paper but later opted to pay the ransom to recover the infected systems. Although a backup was available, the hospital estimated that the restoration process could take days or weeks. 

13. University of Utah 

The University of Utah paid $457,000 after it became a victim of a ransomware attack. The institution paid the ransom to stop the attackers from leaking student data online.

However, the university quickly noted that it avoided a devastating ransomware incident since the cyber actors managed to encrypt only 0.02% of the data. The university restored the encrypted data from a backup, but the hackers threatened to release the information online.

It worked with its cyber insurance provider, which offered to pay part of the ransom. Investigations show that the responsible group is the NetWalker ransomware gang. 

14. Romantik Seehotel Jaegerwirt

Romantik Seehotel Jaegerwirt, a four-star hotel based in Austria, suffered a ransomware attack in January 2017. The attackers used crypto malware to shut down the entire network of the hotel, which at the time was fully booked with 180 guests. Affected areas included the cash desk, reservation systems, and the electronic key system.

The hotel paid a ransom amounting to $1600 in bitcoins to let guests access their rooms. It was then able to restore all the affected services and resume normal operations. 

15. Hollywood Presbyterian Medical Center

Hollywood Presbyterian Medical Center, a health institution based in Los Angeles, was subjected to a ransomware attack in February 2016. The ransomware infection encrypted the facility’s electronic medical record system, such that vital patient data was inaccessible.

As a result, the attack disrupted the hospital’s everyday operations significantly. The hospital administration decided to comply with the attackers and paid a ransom of 40 bitcoins, worth around $17,000.

And to round it off, an extra case:

16. Stratford City, Ontario 

The Canadian City of Stratford was a victim of a ransomware attack in April 2019. Cyber security adversaries installed malware on six of the city’s servers. 

The malware infection encrypted two virtual servers, causing sensitive information to be locked down and inaccessible. The attack compromised personally identifiable information, leading the city officials to negotiate a ransom of 10 bitcoins, approximately $71,000, with the cyber insurance provider footing $15,000.

The city paid the ransom to regain access to the affected information. The incident did not reveal any of the affected data.

Bottom line

The above information is based on publicly available news sources. Regardless of the increase in ransomware attacks reported in 2020, it's quite likely that the threat ransomware poses will only keep increasing going forward.

Many of the organizations above opted to pay the ransom because they did not have a working backup to use for restoring their critical data and systems. Make sure this does not happen in your case.
