CyberSecurity SEE

Should Companies Be Held Liable for Ransomware Attacks? Is It Against the Law?

Organizations are increasingly grappling with the difficult decision of whether or not to pay ransoms in the face of a ransomware attack. The danger posed by ransomware is well known: critical data can be encrypted, exfiltrated, and even posted publicly. The financial impact can also be exorbitant, whether in the form of the ransom demand itself or the fallout from the attack. By the time a company receives a ransom demand, it is usually too late to protect its systems, leaving the organization in the vulnerable position of being a victim.

Many organizations, however, are hesitant to admit whether they have paid a ransom to retrieve their critical assets. There is a preference for silence regarding ransomware attacks, which means that negotiations between threat actors and victims are shrouded in secrecy. Despite the advice against paying ransoms, numerous companies choose to do so for various reasons.

One reason is the desire for a faster recovery time. If data restoration takes too long and the company faces a prolonged and costly downtime, paying the ransom may be seen as the quicker and cheaper alternative. Additionally, the damage to a business’s reputation and revenue loss caused by a ransomware attack can be significant. By announcing that they have been victimized by ransomware, companies risk reducing customer confidence. In some cases, the costs associated with recovering from a ransomware attack may exceed the ransom payment, making it a seemingly logical business decision to pay. Lastly, companies may pay ransoms to protect customer or employee data from being exposed. Attackers often threaten to release exfiltrated data to pressure companies into paying.

However, federal agencies and industry analysts caution against paying ransoms, arguing that doing so does more harm than good to the industry as a whole. Firstly, paying the ransom encourages attackers by providing them with additional funds to carry out future attacks. There is also the risk of repeat attacks if it becomes known that a company has made a ransom payment. Furthermore, there is no guarantee that paying the ransom will result in the return of data or the provision of working decryption keys. According to a report by Sophos, only 29% of organizations that paid a ransom recovered half of their encrypted data.

Legal issues may also arise from making ransom payments. Paying ransomware attackers could potentially be seen as funding terrorism, depending on the nation-state from which the group operates. To break the cycle of ransomware attacks, some experts believe companies should refuse to pay. However, without formal legislation or stricter penalties for paying ransoms, it is challenging to put a stop to the current cycle.

While it is legal to pay the ransom in the United States, cybersecurity experts recommend against it. The U.S. Department of the Treasury has released an advisory stating that companies could face future legal trouble for being involved in ransomware payments. Nevertheless, if a company decides that it is in its best interest to make the payment, experts recommend reporting it to the FBI or the Cybersecurity and Infrastructure Security Agency (CISA).

Law enforcement agencies, such as the FBI and CISA, discourage paying ransoms and offer assistance to organizations dealing with the aftermath of a ransomware attack. They request that ransomware victims notify law enforcement so that they can track incidents and provide support for future prosecution. Organizations can request assistance from CISA when submitting a ransomware report. Additionally, organizations that prefer FBI assistance can submit a report to their local FBI field office.

To help cope with the financial costs of a ransomware attack, some companies turn to cyber insurance. These policies can assist with ransom payments and often offer reimbursement for business downtime, data recovery efforts, breach investigation, and more. As demand for cyber insurance grows, however, premiums are rising and insurers are adjusting what their policies cover.

The decision of whether or not to pay a ransom is not an easy one and often depends on the specific circumstances. Companies must consider the impact on their business outcomes when weighing the choice. To reduce the likelihood of ever needing to pay, organizations should invest in business continuity plans, security awareness training, data restoration capabilities, and phishing training. Additionally, implementing an incident response plan and communicating with law enforcement and affected stakeholders are crucial steps in recovering from a ransomware attack.

In the end, the fight against ransomware requires a collective effort from all stakeholders, including organizations, law enforcement, and government bodies. Stricter penalties and legislation, combined with effective cybersecurity measures, can help break the cycle of ransomware and protect organizations from falling victim to these damaging attacks.