To Pay or Not to Pay: That is the Ransomware Question

Ransomware has become one of the greatest scourges faced by organizations worldwide. These attacks, where malicious actors encrypt an entity’s data or systems and demand a ransom for its release, can cripple operations and result in substantial financial losses.

Even worse, bad actors are now using double and triple extortion methods, where they threaten to publicly expose exfiltrated data if the victim refuses to pay up.

As ransomware incidents continue to skyrocket, a critical question arises for businesses and governments alike: whether or not to pay the ransom. This is a far-reaching dilemma that goes beyond recovering vital data. A slew of ethical considerations and long-term consequences must be weighed.

Understanding the complexities of this situation is vital for any organization that might find itself in the crosshairs of notorious ransomware gangs like REvil, LockBit, Black Cat, or BlackBasta.

Gored on the Horns of a Dilemma

Before paying the ransom, an affected entity must consider ethical factors. Paying funds for criminal activities empowers malefactors to invest in more sophisticated attacks to expand their operations.

This perpetuates a cycle of crime and encourages more criminals to engage in ransomware attacks. Even relatively low-skilled individuals can rent Ransomware-as-a-Service (RaaS) platforms on the dark web to carry out attacks, which should be discouraged at all costs.

When businesses pay the ransom, they reinforce to bad actors that their tactics are working. Emboldened, malicious actors will carry on attacking companies, confident in their ability to extort money from victims. Paying also increases the chances of repeat attacks, marking the organization as an easy target for future extortion.

Paying up is no guarantee that the encrypted data will be restored. Attackers often provide fake decryption keys, demand more money, or simply vanish without fulfilling their promises. This leaves companies worse off, losing their data and money.

However, while it is logical to say “do not pay,” it may not be the right approach for every organization. For example, it may be an accepted and calculated risk for a retailer to refuse a ransom demand even though downtime is costing the business revenue while recovery efforts are underway. But what about a hospital that urgently requires access to systems where any delays could pose a risk to human life? In these cases, the decision on whether to pay a ransom demand is more complicated.

Advising on the Best Course of Action

Having a professional on board can help in the event of a ransomware attack. Cybersecurity companies that specialize in incident response, threat intelligence, forensics, and ransomware negotiation and recovery bring expertise and experience. They can guide businesses through attack response, including negotiating with attackers, assessing risks, and advising on the way forward.

Moreover, a professional can help organizations evaluate the risks and weigh the potential outcomes of paying or not paying. They consider factors such as the likelihood of data recovery, the financial impact of prolonged downtime, and the ethical implications.

There have been instances where cybersecurity firms have intervened and negotiated lower ransom demands or data release without payment. In some cases, they have managed to decrypt data using tools released by researchers.

The problem with publicly released decryptors is that they tip the attackers off to flaws in their payloads, which are usually corrected swiftly. As a result, the decryptors rarely work for more than a few days and are generally considered PR exercises to generate publicity for the vendor that released them.

Mitigating the Impact

Being proactive about incident response is key to mitigating the impact of ransomware attacks. This involves creating and regularly updating an incident response plan that outlines the steps in the event of an attack.

Regular data backups are crucial, ensuring companies can restore their systems and data without paying the ransom, which can run into the millions. Businesses need to be aware that attackers also target backups in order to encrypt them. Therefore, backups should be stored offline or in a secure cloud environment so they cannot be accessed or encrypted during an attack.

Even though backups are a necessity, businesses must be aware of the following considerations:

  • The restore process is laborious, as each device needs to be wiped and reimaged individually, which means weeks of downtime.
  • If data was exfiltrated during the attack, the victim will still be extorted.

The importance of training the workforce on cybersecurity best practices cannot be overstated. This lessens the likelihood of a successful attack, as it will help employees recognize phishing emails, avoid suspicious downloads or links, and ensure they follow their company’s security protocols.

Law Enforcement Involvement

Most law enforcement agencies, including the FBI, advise against paying ransoms for all the reasons mentioned above. Moreover, depending on the jurisdiction, paying a ransom can have legal implications. Some countries have laws that require entities to report ransomware attacks and payments. Failure to comply with these regulations can result in legal penalties and further complications.

Collaboration between cybersecurity companies and law enforcement is critical. Cybersecurity firms provide technical expertise, while law enforcement agencies offer investigative resources and legal support. This leads to more effective resolutions and possibly catching the perpetrators.

There have been cases where law enforcement agencies successfully intervened in ransomware attacks. For example, Europol reported that as part of “Operation Cronos,” a group of agencies arrested two LockBit members in Poland and Ukraine, took down 34 data servers, and froze over 200 cryptocurrency accounts.

Despite the takedown attempt, LockBit is still very active, and they are just one of hundreds of groups, so the long-term impact of these law enforcement operations is in question.

Practical Steps and Strategies

There are several steps organizations can take should they fall victim to ransomware:

  • Isolate Affected Systems: The first step during a ransomware attack is to isolate affected systems to prevent the spread of the malware.
  • Notify Stakeholders: Informing relevant stakeholders, including IT teams, management, and external partners, is crucial for coordinated response and crisis management.
  • Consult with Professionals: Engaging cybersecurity professionals early in the process ensures that the response is guided by expertise.

There are also robust, long-term strategies for protecting against ransomware:

  • Implementing Robust Cybersecurity Frameworks: Comprehensive cybersecurity frameworks (NIST 2.0, ISO 27001) help reduce cyber risk. These include implementing multi-layered security measures like firewalls, intrusion detection systems, and antivirus software.
  • Regularly Updating and Patching Systems: Regularly updating and patching systems closes vulnerabilities that bad actors can exploit.
  • Conducting Regular Security Audits and Assessments: Regular security audits and assessments identify chinks in an organization’s cybersecurity armor. Addressing these vulnerabilities proactively reduces the risk of successful attacks.
  • Considering Cyber Insurance: While it’s a grudge purchase, cyber insurance provides financial cover against the expenses associated with ransomware attacks. This includes ransom payments, legal fees, and the costs of getting systems restored.

A Formidable Challenge

Ransomware attacks are a formidable challenge for businesses in every sector, and the critical question of whether or not to pay up is neither simple nor straightforward. While paying may seem like an expedient (albeit expensive) solution, it comes with ethical and practical risks. These need to be weighed with the backing of cybersecurity professionals and law enforcement.

Although there’s no silver bullet, proactive measures, including incident response planning, regular backups, employee training, and robust cybersecurity practices, help defend against ransomware.

Kirsten Doyle has been in the technology journalism and editing space for nearly 24 years, during which time she has developed a great love for all aspects of technology, as well as words themselves. Her experience spans B2B tech, with a lot of focus on cybersecurity, cloud, enterprise, digital transformation, and data centre. Her specialties are in news, thought leadership, features, white papers, and PR writing, and she is an experienced editor for both print and online publications. She is also a regular writer at Bora.
