Should I Pay Ransomware? What to Consider in a Crisis

July 15, 2022

Ransomware is getting worse, and the odds of getting hit are increasing. The frequency of successful ransomware attacks nearly doubled across 2021, and every organization is a potential target – even small businesses are at risk! The cost of the ransom is bad, and the cost of downtime is often even worse. If you can’t resolve the loss of the data you need to do business, you’re dead in the water.

Therefore, it’s important to have a plan in case of a ransomware attack. Backups can protect you if properly deployed, but backups can be compromised too. What do you do if the absolute worst comes to pass? It’s a thoroughly unpleasant idea, but many organizations will ultimately pay their attackers for the decryption key to their valuable data.

However, is that the right call? Should you pay ransomware demands?

There are a lot of reasons not to pay.

The overwhelming response from cybersecurity professionals is “no,” and it’s not just on principle – there are also many practical reasons that paying ransomware won’t even get you what you want. Although it seems like a straightforward (if upsetting) transaction, paying a ransomware demand often comes with a number of complications that make the initial deal an even worse one than you might think.

You won’t get everything back.

First, the good news: you’re likely to get some data back. 99% of organizations hit by ransomware in 2021 got at least a portion of their data back, either through restoring their backups or through paying the ransom. And ransomware attackers are incentivized to give you something, because it encourages future organizations to see payment as worthwhile. So in the event of an attack, remember that all is not lost.

Unfortunately, while all is not lost, a large portion probably is. Ransomware is a crime, so there are no regulations to protect your transaction. The encryption method might corrupt files, or the attackers might only provide some of the decryption keys. On average, organizations that pay a ransomware demand only get about 60% of their data back. And only 4% of payers get everything back! The attackers will likely give you something, but probably not everything you need.

And even if you get a legitimate decryption method for all your data, the cost in time and effort might still be staggering. Your data might be encrypted in chunks, requiring extra time and effort to piece together. In one notable incident, an error in the attacker’s encryption code meant that every file in the organization was encrypted separately – which meant manually entering individual decryption keys for millions of files! Even if you technically got the decryption key you paid for, the effort to decrypt everything often simply isn’t worth it.

You don’t know what else was left behind.

In addition to the risk that something was lost from your data, there is a very real danger that something “extra” was added in. If cyber attackers are able to encrypt your network, they are more than capable of planting backdoors or footholds that would allow further attacks in the future – and in fact, that’s what many of them do. Of organizations that pay a ransomware demand and get attacked again, it is suspected that as much as 50% of repeat attacks come from the original attackers.

Restoring your data via backups instead of the attackers’ decryption service isn’t a perfect solution, but it’s far more likely to remove at least some of the malware used by your attackers – especially anything put in post-breach. Instead of working within a compromised environment that’s already been breached once and might have had its defenses lowered even further, you can begin your rebuilding, breach investigation, and damage control from a (theoretically) safer position. Although starting from a backup doesn’t automatically solve the problem, it is a much better first step on your recovery journey.

The difficult truth is that you likely won’t ever know every detail of the initial compromise. Who knows whether or not your attackers can do it again? There’s always a risk, but that’s not a reason to give up – it’s a reason to give yourself the best possible chance! The harder you make it on the attackers, and the less reward they see from the effort, the less likely they are to remain focused on you.

It paints a target on your back.

So much of modern cybersecurity is about camouflage and inconvenience: attackers are looking for easy targets, and if they can’t find one, they’ll move on. The best way to prevent cyberattacks is to ensure your organization possesses two qualities:

  • Hard to find
  • Not worth attacking

Unfortunately, paying a ransom demand undermines both of these goals.

Cyber attackers don’t get any inherent benefit from only encrypting an organization’s files. Sure, attackers might sell the data they steal to other bad actors – but that’s only profitable if the organization is big enough to have data worth buying. Small- to medium-size organizations are therefore not usually worth attacking…unless they pay up. Even small organizations’ data is important to them, of course, which is why they’re often willing to pay to get it back! But if these organizations don’t pay (choosing instead to restore or rebuild their infrastructure), there’s no profit in it for the attacker, and fewer reasons to fixate on the organization further – why not look for other targets that will pay?

The worst thing you can do for your reputation amongst cybercriminals is pay their demand. It sends a clear message: “this organization’s defenses are known, their defenses can be breached, and the decision-makers are willing to pay.” And in fact, that’s exactly what does happen: a full 80% of businesses that pay ransomware demands suffer a second attack – again, half of those by the original attacker!

In contrast, by not paying a ransomware demand, you can send a different message: “there’s no reward to be found here – move along.” Even if the attackers pulled off an initial breach, if they don’t profit from their attack, they will have fewer reasons to attack again…or point other attackers your way.

You’ll be supporting cybercrime – and might be liable for it.

Paying a ransomware demand doesn’t just make attacks against you more likely: it makes attacks in general more likely! Ransomware is a crime – one that’s often conducted by organized groups, nation-state terrorist organizations, and other big-picture malevolent entities. Paying a ransom rewards this criminal behavior, and encourages further attacks by demonstrating how lucrative they can be.

But it’s not just a moral concern; it also could put you in legal trouble.

The U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC) issued an advisory in September 2021 that domestic organizations paying a ransomware demand could receive civil penalties for essentially funding cyberterrorism. This advisory only applies if the payment is going to certain terrorist or nation-state groups who have been sanctioned by OFAC...but that distinction is hazy. Many cybercrime organizations cloak themselves in proxies to hide their trails, so unless you work directly through law enforcement to identify the source, it can be next to impossible to know who you’re actually paying! However, OFAC has made it clear that ignorance is not an excuse, so paying a demand is like rolling the dice on your own liability.

It’s difficult to know the likelihood of a given ransomware attack coming from one of these sanctioned groups, and some legal experts question the feasibility of enforcing this advisory…as well as whether OFAC truly has the motivation to pursue every violation. As a result, many organizations continue to pay ransomware, and some cyber-insurance providers advise or even require paying the demand. However, Mytech believes the implications and risks are almost always too great: whether or not paying will actually put you in legal trouble, there is no question that paying a ransomware demand encourages future cybercrime, which hurts everyone except the bad actors.

You might have to pay, even if you don’t want to.

Despite all of these reasons you shouldn’t pay ransomware, the hard truth is that, depending on your cybersecurity profile, you might have to. Robust backups are an essential element of your security posture, but they are not perfect. Even the strongest backup solutions can be corrupted or compromised, and unless you keep multiple copies of your data offsite, an advanced attack is capable of completely locking you out of everything.

If all else fails, sometimes paying the ransom is truly the only way you will get your data back – the only other option being a full-scale rebuild from scratch, at which point the effort required is often not worthwhile. And depending on company size, the cost of paying the demand (average of $800K, but sometimes as low as $10K) is dwarfed by the cost of the entire organization grinding to a halt for days, weeks, or even months without business-critical data, jeopardizing both employee and customer well-being.

Cyber insurance providers might make that decision for you.

Cyber insurance is a critical component of modern IT security for situations precisely like these. Insurance can help when rebuilding or restoring after a cyber disaster, but it can also get involved when a ransomware attack happens and your backups fail. Cyber insurance providers are prepared for ransomware demands, and many will take the decision to rebuild or pay out of your hands.

As the experts in cyber disaster and cyberattack aftermath, cyber insurance providers have the skills and assets to navigate restoration, ransomware negotiations, and payment. Depending on your coverage, cyber insurance can ease the pain of some of the most fraught cybersecurity decisions you may ever have to make. It may be a pricey, complicated investment, but the difference to your peace of mind when disaster strikes is incalculable.

Invest ahead of time, so you don’t have to face this choice.

Of course, there’s another way to avoid having to confront one of the most agonizing decisions in IT security: prevent the ransomware attack before it’s executed.

That’s easier said than done, of course. With an entire industry and hundreds of products dedicated to cybersecurity, knowing what to prioritize can feel like a full-time job all on its own. Some IT security choices are so straightforward that every organization should be deploying them – such as mandatory Multi-Factor Authentication, which reduces login compromise attacks by 99 percent! However, other security choices like threat detection and monitoring solutions are multilayered, complex tradeoffs.

In the face of a turbulent threat landscape and an ever-shifting list of cybersecurity “must-haves,” the need for a strategic IT partner has never been greater. The best way to guard against ransomware attacks and other disasters is to find an IT partner that understands your specific challenges and investments, and can help you proactively make the hard choices that are right for your organization – so you don’t have to face an even harder choice if you do ever get breached.