Ransom payment after ransomware attacks: Yes or no?

Governments around the world are near-unanimous in their policy toward terrorist hostage takers — no negotiation. The rationale is obvious. If terrorists know governments are willing to have a conversation on acceding to their demands, that could open the floodgates for copycat attacks. Therefore, at least in public, the stance is no compromise. That said, this public position is not always consistent with what governments do behind the curtains. Several nations have been accused of using proxies to secretly pay ransoms in return for their citizens’ safe release. The ransom dilemma is one faced by organizations that find themselves crippled by a ransomware attack. Paying a ransom doesn’t seem legal or ethical. But you may have to contemplate it if that becomes the only thing you can do to regain access to your systems and data in time — and save your business from ruin.

Before paying, though, it’s crucial that you evaluate the pros and cons of your decision.

The cons of ransom payment

Many governments, business decision-makers, and a broad array of cybersecurity professionals won’t even contemplate the ransom payment question. Here’s why.

1. Security agencies discourage ransom payment

Once an organization is hit by ransomware and loses access to its data, the No. 1 priority is regaining access as soon as possible. Each minute the data remains inaccessible can only accelerate the number of customers moving to the competition.

The FBI and other law enforcement agencies do not support ransom payment. Still, the FBI is careful not to unequivocally bar businesses from paying ransom under any circumstances. Rather, they urge the evaluation of all options in the context of safeguarding customer, employee, and shareholder interest.

2. Utilize available support

The prohibitive cost of contracting a third-party security firm to resolve the problem may compel plenty of small and medium-sized businesses to pay up to break the impasse quickly. It’s a logical option when one weighs the costs vs. benefits. The good news, though, is there are actually world-class anti-ransomware resources available online at no cost.

One of the best known is the No More Ransom initiative run by the Netherlands Police’ National High Tech Crime Unit, Europol’s European Cybercrime Centre, McAfee, and Kaspersky Lab. The project helps ransomware victims retrieve encrypted data without the need to pay a ransom. No More Ransom has posted decryption tools for over 85 types of ransomware.

3. Repeat attacks

This is arguably the No. 1 reason why paying the ransom is fraught with risk. Once you remit money in return for access, you will inadvertently have announced that you don’t mind paying. Malicious attackers may continue to keep you in their sights as a dependable target.

You are, after all, dealing with criminals, so there’s no guarantee they’ll keep their word on not attacking your organization in the future. Paying could therefore make you a “regular customer.” Even if you firm up your defenses, there may be plenty of hacking attempts as attackers check whether there’s still a way to get through.

4. No guarantee you’ll regain access

The act of developing and distributing ransomware is inherently criminal. The persons behind such action are performing illegal activities meant to profit from the target’s misfortune. With this backdrop, you have to ask whether there are any guarantees you’ll get back system and data access when you pay the ransom.

Can you say with certainty they’ll release the decryption codes? In any case, you may receive the decryption keys, but a sizable proportion of the files may remain unrecoverable.

5. You slacken on security

Paying the ransom is the easy way out. One successful transaction, and you have all your systems back. Unfortunately, that can also encourage complacency.

You’ll have evaded the inconvenience of a long outage, painstaking recovery, and expensive resumption. With that, you’ll lack the determined drive required to reconfigure your cyber defenses to prevent a recurrence. It’s actually quite possible you’ll leave the environment unchanged without any root cause analysis or process remediation.

The pros of ransom payment

You should avoid paying the ransom as much as you can. The above points show just how unpredictable that path is. Nevertheless, there will be times when an organization determines it’s left with no other option but succumb to the attacker’s demands.

1. Quick restoration of access

Irrespective of the industry you are in, it’s crucial that you respond to customer, employee, and shareholder inquiries with speed. Most organizations cannot be disrupted for a significant period without a massive negative impact on stakeholder interest.

In certain scenarios such as hospitals, disruptions may have life-threatening repercussions. Paying the ransom is appealing since the organization can resume normal operations fairly quickly.

2. Return on investment

We earlier touched on why SMBs would pay the ransom instead of engaging a security consultant. The cost of successfully resolving a ransomware attack could run into millions of dollars. This is money SMBs would be better served redirecting to core income-generating activities.

So, if the attacker asks for a couple thousand dollars’ ransom, that would be extremely attractive compared to the costs the business would otherwise incur if it plays hardball.

3. Invest savings into better security

The savings that come with avoiding expensive problem resolution can be redirected to better security. A ransomware attack should of itself be a wake-up call for an organization’s security architecture. The cost savings the business experiences could be redirected to improving the company’s security posture. Improving controls, training employees, and reducing IT debt are just some things the money could be used for.

Actually, the organization could even contract a third party to work on improving technical controls. Since this is will be taking place under far less distressing circumstances, the costs could be much lower than the business would otherwise pay during a ransomware attack.

4. Cybersecurity insurance covers ransom payment

If you had the foresight to buy a cybersecurity insurance policy, your business can transfer part or all of the financial burden of a ransomware attack to an insurance company. Cybersecurity insurance policies vary considerably, so it’s crucial you go through the fine print. Cyber-extortion may be built into or added onto a cybersecurity policy, but coverage details can be complex.

Some policies may provide recovery costs after an initial waiting period while others tackle recovery assistance once the event is uncovered. That said, most policies will take care of the extortion payment even though that may come with limitations such as requiring the guidance of law enforcement.

To pay or not to pay — each circumstance is unique

Each ransomware attack situation unique in terms of the nature of the attacker, the ransomware used, and the target organization. Therefore, whether one should pay the ransom or not must come down to what the organization considers its top priorities. This is a decision that one should not enter into rashly.

If you aren’t sure of what you need to do, consult cybersecurity experts, talk to industry peers, contract an incident response team, search the Internet, and liaise with law enforcement. Look past the current crisis and think about how to be better prepared if a similar incident occurs in the future.

Featured image: Shutterstock