While most regulators in APeJ discourage the payment of ransom during an attack, there are no laws particularly restricting the transaction
As ransomware continue to top the list of cyberattacks, affected organizations are often faced with the ultimate decision to make, to pay or not to pay the ransom? According to IDC's latest Survey Spotlight Will Your Organization Pay the Ransomware? almost half (44%) of the respondents who participated in the IDC Security Services Global Incident Readiness Survey indicated the willingness to pay the ransom in hopes of retrieving affected files, either internally or through insurance payout.
While the list of countries included in the survey is not exhaustive, Asia/Pacific countries, Australia and Singapore, top the group that is more willing to pay a ransom, with 60% and 49% of organizations in the respective countries indicating they will be paying the ransom during an attack.
Figure: Willingness to pay during a ransomware attack
Ransomware attacks significantly hinder operations as files are being encrypted, compromising the availability of critical resources required to carry out daily business processes. This is a key factor that forces the hands of victim organizations especially when no incident management or contingency plans are made. The choices are limited, either to rebuild affected parts of the infrastructure, which usually results in prolonged disruptions, or pay the ransom in hopes of receiving the decryption keys to restore files promptly.
APeJ legislations around ransomware payment are fuzzy at best. While most regulators in the region discourage the payment of ransom during an attack, there are no laws particularly restricting the transaction. In a separate study IDC Future Enterprise Resiliency Survey, 49.4% of APeJ organizations that encountered a ransomware incident chose to pay the ransom, 82.4% of those who paid managed to retrieve a working decryption key, meaning almost 20% paid the ransom but got nothing in return.
“Even though a ransom payment may resolve the particular incident at the point in time, the actual benefits to the organization’s security posture is marginal. IDC believes that a structured investment in enhancing the infrastructure's cyber resiliency and incident management will reap a more tangible benefit as compared to paying a ransom,” says Jeff Xie, Senior Market Analyst, for Trust, Security and Blockchain research at IDC Asia/Pacific.
IDC believes that the rise of cyber insurance products in the APeJ region also contributes to the willingness to pay during a ransomware attack. Since the financial liability of the payment is balanced out by the insurance payout, coupled with the potential resolution of disrupted activities with minimal resources, one can understand why the sentiment to resolve a cyberattack of this nature via the requested payment is preferred over the traditional approach.