Does paying off ransomware work?

Ransomware attacks have become increasingly common in recent years. These cyber attacks involve malware that encrypts an organization’s data and holds it hostage until a ransom is paid. With personal files, business documents, and even critical infrastructure at stake, many victims feel like they have no choice but to pay up. But does giving in to extortion demands actually work? Here we examine the considerations around paying ransomware ransoms.

What is ransomware and how does it work?

Ransomware is a form of malicious software, or malware, designed to extort money from victims. It works by encrypting files on a device or network, making them inaccessible to the owner. The attackers demand a ransom payment, typically cryptocurrency like Bitcoin, in exchange for the decryption key to unlock the files.

Some common ransomware variants include:

  • CryptoLocker
  • WannaCry
  • Ryuk
  • Conti

Ransomware typically spreads through phishing emails containing infected attachments or links. It may also spread through unpatched software vulnerabilities. Once installed, it silently encrypts files and displays a ransom note demanding payment. More sophisticated versions may also encrypt backups and connect to command and control servers controlled by the hackers.

Should you pay the ransom?

Paying the ransom is a controversial decision. There are arguments for and against giving in to the demands:

Potential benefits of paying:

  • You regain access to your encrypted data
  • It’s often a less costly solution than rebuilding systems and files
  • For time-sensitive data, it may be the quickest way to resume operations

Drawbacks of paying include:

  • There is no guarantee you will get working decryption keys
  • You are funding criminal activity and encouraging more attacks
  • You may face secondary extortion demands
  • The attackers now have confirmation you will pay

Some key factors to consider are the criticality of the encrypted data, the ransom amount versus the cost of recovery, and the projected downtime. There are pros and cons to both options.

What happens when you pay the ransom?

The exact process can vary by ransomware group, but generally:

  1. The victim contacts the threat actors at the specified email, chatroom, or dark website.
  2. The ransom amount is negotiated, including the method of payment.
  3. The payment is made, typically in cryptocurrency.
  4. The criminals provide the decryption key or tools to unlock the files.
  5. The victim decrypts a sample set of files to test for errors.
  6. If the decryption works, the rest of the data is unlocked.

Paying the ransom does not guarantee success. In some cases:

  • The attackers take the money and do not provide working keys.
  • They decrypt a small subset of files but demand more money.
  • The decryption tools they provide are slow, faulty, or overly complex.
  • The original files are corrupted in the encryption/decryption process.

Attackers may even resort to secondary forms of extortion, threatening to release sensitive stolen data if the victim does not pay an additional ransom.

What percentage of companies pay the ransom?

According to surveys, between 30% and 50% of ransomware victims pay the ransom. But the numbers vary across industries and geographic regions.

One 2021 Sophos survey of 5,400 IT professionals worldwide found:

  • 32% of respondents admitted their organization paid the ransom.
  • 65% of North American organizations paid.
  • 51% of organizations in India and Pakistan paid.
  • Only 20% of German organizations paid.

In general, over half of victims reported paying ransoms of $100,000 or less. However, Sophos noted that the number of high-ransom payments over $1 million doubled in 2021 compared to 2020.

Are there alternatives to paying the ransom?

There are options to try before resorting to payment:

  • Restore from backups – Having clean, unencrypted backup copies of your files can enable you to wipe and restore systems without paying.
  • Ransomware decryption tools – Some free decryption tools exist for older ransomware strains. These are available from security firms.
  • Data recovery experts – In some cases, digital forensic firms can recover scrambled data through backup snapshots or by disabling malware.
  • Negotiate a lower ransom – You may be able to bargain down the ransom demand to a more manageable level.
  • Law enforcement assistance – In some cases, the FBI or other agencies can help victims who agree not to pay the ransom.
  • Legal action – Suing ransomware groups is extremely difficult, but if identified, they can be prosecuted.

However, these options do not always work or fully restore encrypted data. That leads many victims back to considering payment.

What are the risks of paying the ransom?

Paying the ransom carries multiple risks:

Failed decryption

There is no guarantee decryption will be successful after payment. The hackers may not provide working keys, or the provided tools may be slow or fail to restore all files. Any corruption from the encryption process is likely irreversible.

Refusal to decrypt

Attackers may accept the payment but still refuse to hand over decryption keys. Or they may only decrypt a portion of files, demanding additional ransoms.

Data or credential theft

Sophisticated ransomware often also exfiltrates data for secondary extortion. Even if you pay, your stolen information may still be leaked online or sold to other cyber criminals.

Future attacks

Payment makes you a proven target. Criminals now have evidence you are willing to pay. This may lead to repeat attacks on your organization by the same or other ransomware groups.

Legal and regulatory issues

In some jurisdictions, paying ransoms may violate anti-money laundering laws. It may also violate data privacy regulations if personal information is subsequently exposed.

Funding criminal activity

Ransom payments fund development of new ransomware tools, hacking efforts, and criminal enterprises. Non-payment helps disrupt this cycle.

Should ransomware payments be illegal?

Some policymakers argue that governments should outright ban ransomware payments to curb the dramatic rise in attacks. Proposed legislation could:

  • Impose fines or criminal penalties on paying victims.
  • Block ransomware payments through cryptocurrency exchanges.
  • Make the receipt of ransom payments illegal for threat actors.

However, opponents counter that such laws could unfairly punish victims without reducing attacks. Banning payments might also encourage data theft and exposure as groups seek alternate forms of extortion.

Arguments for banning ransom payments

  • Stops funneling money to cyber criminals
  • Forces victims to pursue stronger security
  • Removes the profit motive driving attacks
  • Consistent policy for public and private sectors

Arguments against banning payments

  • Punishes victims, not attackers
  • Forces victims to try riskier recovery methods
  • May increase data leaks and exposure
  • Difficult to enforce bans across jurisdictions

Ultimately, the debate involves balancing individual rights to pay for stolen data against the public good of deterring cyber crime. There are reasonable arguments on both sides.

Should you use cyber insurance to pay ransoms?

Cyber insurance can cover ransomware response costs, including negotiators and cybersecurity services. Policies may also reimburse ransom payments within policy limits. This gives victims an intermediate option between paying ransoms themselves and relying on backups or decryption.

However, the rising costs of ransomware attacks have caused insurers to limit and exclude coverage. Insurers may refuse ransom payouts or dramatically increase premiums for policyholders who have been victimized.

Benefits of insurance coverage

  • External experts to negotiate and evaluate options
  • Potentially faster resumption of operations
  • Reimbursed costs up to policy limits
  • Insurance advisors offer perspectives

Drawbacks and risks

  • Limits on ransomware payments coverage
  • Increasing insurance costs due to claims
  • Excessively high deductibles
  • Coverage gaps or exclusions
  • Non-renewals after an incident

Carefully evaluating cyber insurance policies is important for managing the risk of payments. But coverage limits and rising premiums may reduce the viability of insurance-funded ransom payments going forward.

Should companies disclose ransomware payments?

Only about one quarter of organizations disclose ransomware payments publicly, according to surveys. Most victims keep quiet to avoid attracting scrutiny.

However, regulations increasingly require disclosure:

  • U.S. SEC guidelines say material cybersecurity incidents should be disclosed.
  • States like New York and Ohio now require reporting to government agencies.
  • In healthcare, HIPAA rules require disclosing data breaches.

Reasons to disclose payments

  • Transparency to stakeholders
  • Public interest for high-risk sectors
  • Compliance with regulatory mandates
  • Demonstrate security commitment

Reasons companies may avoid disclosure

  • Prevent damage to brand reputation
  • Reduce risk of follow-on attacks
  • Hide security gaps or data loss
  • Avoid liability issues

Organizations should weigh ethical obligations, legal duties, and security risks when deciding on transparency around ransomware incidents and payments.

How can companies regain access to data without paying?

There are several methods to potentially get encrypted data back without paying ransoms:

Restore from backups

Backing up systems and files, then isolating those backups from the network, offers the best chance of recovery without payment. Test restoration regularly.

Try free decryption tools

Free ransomware decryption tools are available from Kaspersky, Emsisoft, Avast and other security firms. These work on some older strains.

Disable the malware

If the ransomware is still active, disabling it may stop file encryption. This risks damage to files already locked.

Hire data recovery firms

Forensic experts can sometimes recover scrambled data by examining encrypted files, volumes, memory, and backups.

Seek law enforcement assistance

The FBI and international agencies may help decrypt files in some cases if victims agree not to pay ransoms.

Wait for weaknesses

Ransomware code sometimes weakens over time. Attackers also occasionally release free master keys.

However, these options do not guarantee recovery. Preventing ransomware through security best practices remains crucial.
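As an added example (not code from the original article), the following Python check serves both the sample-file decryption test in step 5 of the payment process above and the regular restore testing recommended for backups: it compares restored or decrypted files against a manifest of SHA-256 hashes recorded before the incident and flags files that are missing, altered, or still look encrypted. The manifest format, function names, entropy threshold and sample files are assumptions.

```python
import hashlib, math, os, tempfile

# Added example, not from the original article. Checks restored or decrypted files
# against a manifest of SHA-256 hashes recorded before the incident (e.g. at backup time).

def sha256_file(path):
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()

def shannon_entropy(data):
    n = len(data)
    counts = [data.count(bytes([b])) for b in range(256)]
    return -sum(c / n * math.log2(c / n) for c in counts if c) if n else 0.0

def verify_restored(root, manifest, entropy_threshold=7.5):
    """manifest maps relative path -> expected sha256. Returns lists of paths that
    are ok, mismatched (corrupt/partial decrypt), missing, or still encrypted."""
    result = {"ok": [], "mismatch": [], "missing": [], "still_encrypted": []}
    for rel, expected in manifest.items():
        path = os.path.join(root, rel)
        if not os.path.isfile(path):
            result["missing"].append(rel)
        elif sha256_file(path) == expected:
            result["ok"].append(rel)
        else:
            with open(path, "rb") as f:
                head = f.read(4096)
            # near-random content in the first 4 KiB suggests the file was never decrypted
            bucket = "still_encrypted" if shannon_entropy(head) > entropy_threshold else "mismatch"
            result[bucket].append(rel)
    return result

def demo():
    """Constructed sample: records a manifest for clean files, then simulates a
    partly failed recovery (one file corrupted, one left encrypted, one missing)."""
    with tempfile.TemporaryDirectory() as tmp:
        clean = {"report.txt": b"quarterly report " * 100, "payroll.csv": b"id,name,salary\n" * 100,
                 "contract.doc": b"contract text " * 100, "notes.txt": b"notes " * 100}
        manifest = {}
        for name, data in clean.items():
            with open(os.path.join(tmp, name), "wb") as f:
                f.write(data)
            manifest[name] = hashlib.sha256(data).hexdigest()
        with open(os.path.join(tmp, "payroll.csv"), "wb") as f:
            f.write(clean["payroll.csv"][:-5] + b"XXXXX")      # decryptor corrupted the tail
        with open(os.path.join(tmp, "contract.doc"), "wb") as f:
            f.write(bytes(range(256)) * 16)                    # stand-in for still-encrypted bytes
        os.remove(os.path.join(tmp, "notes.txt"))              # file lost in recovery
        return verify_restored(tmp, manifest)
```

Call `demo()` to run the constructed scenario; in practice the manifest would be generated from the clean backup set and `verify_restored` pointed at the restored or decrypted tree before scaling decryption up to the rest of the data.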

What steps can organizations take to prevent ransomware?

Robust cybersecurity measures that prevent, detect, and mitigate ransomware attacks include:

  • Employee security training – Train staff on phishing detection, safe web use, and reporting suspicious activity.
  • Endpoint protection – Install advanced antivirus and anti-malware tools on all devices.
  • Email security – Filter malicious attachments and links with tools like email gateways.
  • Vulnerability management – Patch apps, OSs, and devices promptly.
  • Firewall usage – Enable firewalls on networks and hosts to limit lateral movement.
  • Backup regularly – Maintain regular backups disconnected from networks.
  • Access controls – Limit users through need-to-know access and privilege tiers.
  • Incident response plan – Have an IR plan to contain and remediate threats.

Layered security across an organization is key to reducing the risk of ransomware outbreaks.

Conclusion

Paying ransomware demands is a complex dilemma with arguments on both sides. While payments can quickly restore stolen data, doing so fuels criminal organizations and perpetuates a cycle of extortion.

To make the best decision, organizations should carefully weigh the risks of payment versus non-payment, the criticality of impacted data, and capabilities for restoration. Proper precautions are still the best way to avoid being put in this situation.

Ultimately, there are no easy choices for ransomware victims. But understanding the tradeoffs can help inform the least-worst option when attacks occur.