A lot of the payments for Ransomware come from Insurance Companies under "Business Interruption Insurance". It in fact may be more cost effective to pay the ransom, than to pay for continued business interruption. 

Of course along with paying the ransom, a full forensic audit of the systems/network is conducted. The vector for many of these attacks is via a worm triggered by someone opening an attachment on an email or downloading compromised software from the Internet. Short of not allowing email attachments or blocking Internet access, the best method is to properly train users to not click on attachments or visit "untrusted" sites, but nothing is perfect.

Shane




On Thu, Jun 24, 2021 at 6:01 PM Michael Thomas <mike@mtcc.com> wrote:


On 6/24/21 2:55 PM, JoeSox wrote:

It gets tricky when 'your' company will lose money $$$ while you wait a month to restore from your cloud backups.
So Executives roll the dice to see if service can be restored quickly as possible keeping shareholders and customers happy as possible.

But if you pay without finding how they got in, they could turn around and do it again, or sell it on the dark web, right?

Mike



On Thu, Jun 24, 2021 at 2:44 PM Michael Thomas <mike@mtcc.com> wrote:

Not exactly network but maybe, but certainly operational. Shouldn't this
just be handled like disaster recovery? I haven't looked into this much,
but it sounds like the only way to stop it is to stop paying the crooks.
There is also the obvious problem that if they got in, something (or
someone) is compromised that needs to be cleaned which sounds sort of
like DR again to me.

Mike