US infrastructure crisis: a third illegally pay ransoms

A recent study by global cybersecurity firm Bridewell has revealed that over a third of critical infrastructure organisations in the United States have breached the law by paying ransoms to cybercriminals.

The alarming statistics were gathered from a survey of 519 cybersecurity decision-makers working in essential sectors including aviation, finance, and energy.

The research highlighted that 36% of breached US-based critical infrastructure organisations succumbed to ransomware attacks by paying the demanded ransom. This action exposes these organisations to potential criminal prosecution and civil penalties, with the average cost of a ransomware breach now standing at USD $509,942. Additionally, the study found that two-thirds of the surveyed organisations had experienced at least one such attack in the past year.

The data further disclosed that nearly one in three organisations reported facing up to five ransomware attacks, while a notable minority (32%) experienced more than a hundred such incidents. In some cases, when a firm has no means to recover from an attack independently, paying the ransom may appear as the only viable option. However, this choice can contravene both UK and US laws against transacting with sanctioned entities or individuals. Although prosecutions remain rare, there is ongoing governmental consideration of a potential payment ban.

The repercussions of ransomware attacks extend beyond legal risks. The survey indicated substantial psychological effects on employees in 36% of the organisations, as well as operational downtime and data loss for 43%. Other notable impacts include reputational damage (41%) and operational disruptions (40%). Financially, more than a third of the organisations had to grapple with increased insurance premiums (36%) and legal costs or fines (35%).

Another significant finding was the average response time to ransomware incidents, which currently stands at 16 hours. The slow response time exacerbates the challenges and increases the likelihood of organisations opting to pay the ransom. Almost all respondents (91%) agreed that ransomware attacks are becoming more sophisticated, with the rise of ransomware-as-a-service (RaaS) models and the involvement of organised crime groups from various criminal backgrounds.

Anthony Young, CEO of Bridewell, commented, “If you fall victim to a ransomware attack, paying the ransom should always be your last resort. Aside from the risk that cybercriminals may not restore access upon payment, there are also potential legal consequences to consider.” He added that in situations where recovery is impossible without paying the ransom, this could be considered the only practicable option aside from rebuilding systems from scratch. However, he stressed the importance of a robust security strategy to avert such scenarios.

“Building a relationship with a trusted security partner who understands your environment and the complex challenges faced by critical infrastructure can help you mitigate this risk by having the right expertise, resources, and support if the worst were to happen,” Young advised.

Amid these growing threats, the research underscores the urgent need for critical infrastructure organisations to enhance their cybersecurity measures and prepare for the increasing sophistication of ransomware attacks.