Do companies ever pay ransomware?

Ransomware is a type of malware that encrypts files on a device and demands a ransom payment in order to decrypt them. The number of ransomware attacks has skyrocketed in recent years, with over 623 million attacks reported worldwide in 2021 alone according to aag-it.com. This represents a staggering 105% increase from 2020. Ransomware poses a serious threat to businesses, organizations, and individuals, potentially causing significant financial damage and disruption.

With attacks becoming more frequent and sophisticated, an important question arises – should companies pay the ransom when hit by ransomware? There are reasonable arguments on both sides of this issue. Paying the ransom might allow an organization to quickly regain access to encrypted files, but it also incentivizes and funds criminal networks to continue attacks. On the other hand, refusing to pay could lead to permanent data loss and disruption. This article will provide an in-depth exploration of the dilemmas around paying ransomware demands.

Prominent Examples

Some of the most damaging ransomware attacks on companies in recent years include:

Colonial Pipeline – In May 2021, this major U.S. fuel pipeline operator was hit with a ransomware attack that forced a six-day shutdown. The company paid a $4.4 million ransom to restore operations. Total costs from the incident exceeded $90 million from business interruption and remediation efforts. The attack highlighted vulnerabilities in critical infrastructure networks (AMERICA’S DATA HELD HOSTAGE).

JBS – Just weeks after Colonial Pipeline, this major meat supplier suffered a ransomware attack in June 2021 that disrupted operations in the U.S., Canada, and Australia. The company paid an $11 million ransom. The White House estimated the attack cost the company $50 million in revenue loss and remediation costs (AMERICA’S DATA HELD HOSTAGE).

CNA Financial – In March 2021, this major U.S. insurance company was hit with a ransomware attack that compromised thousands of computers and servers. CNA paid a $40 million ransom, one of the largest known ransom payments. Total costs exceeded $100 million, including business interruption and recovery expenses (Ransomware case study).

Why Attackers Demand Ransom

Cybercriminals launch ransomware attacks primarily for financial gain. By encrypting an organization’s data and systems, attackers can essentially hold the business hostage until a ransom is paid to decrypt and restore access. Ransom amounts can range from a few hundred dollars to millions of dollars depending on the size and vulnerability of the target (Forbes, 2023).

Attackers focused solely on profit may be willing to negotiate the ransom amount. However, some ransomware groups are more motivated by causing disruption than making money. These attackers often demand exorbitant ransoms with no intention of providing decryption keys even if paid (XCitium, 2022). Their goal is to inflict maximum damage on the victim organization.

Ransomware has become a lucrative criminal enterprise. It offers a high return on investment for attackers, since deploying ransomware requires relatively low effort compared to more manual hacking techniques. The rise of ransomware-as-a-service has also lowered the barrier to entry for less sophisticated cybercriminals (Stanford, 2023).

Pressures to Pay Ransom

Companies face immense pressure to pay the ransom demand in order to resume operations as quickly as possible. The longer systems remain unavailable, the more business operations suffer. Paying the ransom is often seen as the fastest way to regain access and limit downtime. According to one source, if data restoration takes too long and the company faces a costly downtime, paying the ransom can be perceived as the preferable option to resume operations quickly.

There is also pressure to pay in order to prevent stolen data from being leaked publicly. The attackers often threaten to release sensitive documents or customer information if the ransom is not paid. For companies handling healthcare records, financial data, intellectual property or other confidential information, there are strong incentives to pay in order to avoid having such data exposed. Paying the ransom demand may be the only way to prevent irreparable damage to the company’s reputation and customer relationships if sensitive information is made public by the attackers.

Arguments Against Paying

There are several arguments against paying ransomware demands. First, paying the ransom rewards and enables the criminals behind the attacks. According to the FBI, paying ransoms only encourages more ransomware attacks by demonstrating to cybercriminals that extortion is profitable (Source).

Second, paying the ransom does not guarantee recovery of data. The hackers may intentionally withhold data even after receiving payment. Or they may simply lack the capability to restore systems and data after staging an attack (Source). Victimized organizations that pay have lost data permanently in some cases.

Tips to Avoid Paying

One of the best ways for companies to avoid paying ransomware is to implement strong cybersecurity practices and policies. According to the Cybersecurity and Infrastructure Security Agency (CISA), organizations should focus on the following tips:

Backup data regularly and keep backups offline and secure. CISA recommends maintaining regularly updated backups offline and verifying their integrity and restoration process. This way, if systems get locked down by ransomware, companies can restore data from backups rather than paying the ransom. See https://www.cisa.gov/stopransomware/how-can-i-protect-against-ransomware for more.

Provide cybersecurity training to employees. Many ransomware attacks start with a user clicking on a malicious link or attachment. Training employees to identify risks can help avoid infections. The Center for Internet Security (CIS) recommends training on phishing risks and policies around clicking links. See https://www.cisecurity.org/insights/blog/7-steps-to-help-prevent-limit-the-impact-of-ransomware/ for more tips.

Keep systems patched and updated. Unpatched vulnerabilities are often exploited to deploy ransomware. Applying the latest security patches to operating systems, software, firmware, and platforms closes security gaps. CIS recommends regularly checking for and installing updates to limit vulnerabilities.

Insurance Options

Many organizations purchase cyber insurance policies to help cover the costs associated with ransomware attacks and provide funds to pay ransoms if necessary. Cyber insurance policies often include coverage for extortion payments, data restoration, network downtime, and liability arising from data breaches caused by malware. According to Marsh, cyber insurance has reliably paid claims related to ransomware for over a decade.

The cyber insurance market has grown substantially with the rise in ransomware, though premiums are much higher than a few years ago. Companies can purchase specialty cyber insurance plans or add-on coverage to general liability policies. Policies cover not just the ransom payment but other costs like hiring forensic investigators, notifying customers, and restoring systems. According to Forbes, cyber insurance claims related to ransomware hit a historic high in 2022 with an average claim of $1.2 million.

Though insurance can provide funds to pay ransoms, some experts argue this simply encourages more attacks. Insurers are responding by limiting coverage, requiring better security controls, and not covering ransoms paid to sanctioned entities. Organizations need to weigh their options carefully when ransomware strikes, balancing business continuity, ethics, and legal liability.

Law Enforcement Perspective

Law enforcement agencies like the FBI generally advise organizations not to pay ransomware demands. According to the FBI, paying ransoms emboldens attackers and doesn’t guarantee you’ll regain access to your data. Paying also makes you a target for future attacks.

The FBI, Secret Service, and other agencies work hard to apprehend and prosecute ransomware attackers. This includes efforts to track payments, seize cryptocurrency wallets, and dismantle criminal networks. However, attribution is difficult with attacks often originating from overseas. Despite increasing arrests, the problem continues growing.

Law enforcement encourages organizations to report ransomware incidents so they can gather information and try to prevent future attacks. But investigations take time, and there is no guarantee attackers will be caught or funds recovered.

Ethical Considerations

Paying a ransom to cybercriminals in response to a ransomware attack raises complex ethical questions for companies and organizations. Is giving in to extortion demands morally right, even if it quickly restores systems and data? There are reasonable arguments on both sides.

On the one hand, paying ransoms provides resources and incentives for criminals to continue attacks, potentially putting more individuals and organizations at risk. This can be seen as morally questionable. However, refusing to pay could lead to prolonged outages that negatively impact employees, customers, and stakeholders who rely on availability of systems and information. Businesses have obligations to serve their stakeholders, so paying may be the most ethical option in some cases.

Ultimately there are no easy answers, and context matters. The ethical dilemma cannot be reduced to universal principles. Factors organizations should weigh include: likelihood of decryption, impact of downtime, data sensitivity, legal/regulatory obligations, insurance coverage, and the ability to prevent future attacks. Paying or not paying both involve risk. Leaders must strive for solutions that balance competing responsibilities in a responsible way.

Source: The Ethical Dilemma of Ransomware Payment: To Pay or Not to Pay?

Conclusion

In summary, the key arguments around whether companies should pay ransomware center on the immediate need to restore business operations versus the long-term consequences of rewarding criminal behavior. Companies that pay ransoms may resume operations quickly, but they contribute to the profitability of ransomware and put a target on themselves for future attacks. With proper preparation, including backups, security protocols, and insurance, companies can often recover from attacks without paying a ransom. The consensus among law enforcement and cybersecurity experts is to avoid payment unless absolutely necessary, as paying perpetuates the problem.

In conclusion, companies faced with a ransomware demand should thoroughly investigate all options for restoration before considering payment. Implementing comprehensive backups, security controls, and incident response plans can reduce reliance on ransom payments. Companies should also evaluate cyber insurance and keep open communication with legal authorities. While each case merits individual analysis, thoughtful preparation can provide companies targeted by ransomware the resilience to withstand attacks without capitulating to criminal extortion.