Does ransomware go away if you pay?

Ransomware is a form of malware that encrypts files on a device and demands payment in order to decrypt them. It has become an increasingly common cyber threat in recent years, with high-profile attacks on businesses, governments, hospitals and other organizations. When ransomware strikes, the victim faces a dilemma – should they pay the ransom in hopes of regaining access to their files, or refuse to pay, risking permanent data loss? In this article, we will examine the key considerations around paying or not paying ransomware demands, and look at whether paying the ransom improves the chances of file recovery.

What is ransomware and how does it work?

Ransomware is a type of malware that encrypts or locks files on a device, rendering them inaccessible to the user. It is delivered through various infection vectors, including phishing emails, infected websites, and exploit kits. Once installed, the ransomware encrypts files using cryptographic algorithms, essentially scrambling the data so it cannot be read without the encryption key.

After encrypting files, the ransomware displays a ransom note demanding payment, usually in cryptocurrency like Bitcoin, in exchange for the decryption key. The ransom amounts vary but can range from a few hundred to tens of thousands of dollars. The note provides instructions for payment and threats about destroying files if payment is not received.

Some notable examples of ransomware variants include CryptoLocker, WannaCry, Ryuk, Maze, and Conti, among others. The techniques used by ransomware are continuously evolving to be more sophisticated and evade detection.

What are the options when hit with ransomware?

When faced with a ransomware attack, the victim has two main options:

1. Pay the ransom – This means paying the demanded amount, often via cryptocurrency, in the hopes of obtaining a decryption key from the attackers. This is a risky option as there is no guarantee the criminals will provide a working key after payment.

2. Refuse to pay – The victim can choose not to pay, understanding they may lose access to encrypted files forever. Security experts typically recommend against paying ransoms, and non-payment may motivate attackers to simply move on to another target.

Some other options include:

– Attempt to restore files from backups, if available. Reliable, offline backups can enable restoration of files without paying criminals.

– Leverage decryption tools, if available. Security researchers sometimes crack ransomware strains and release free decryption utilities.

– Engage a cybersecurity firm for help recovering files through data forensics. This is an expensive option with no guarantees.

– Wipe infected devices and reinstall the operating system and software from scratch. Data will be lost unless recoverable from backups.

– Report the attack to law enforcement and cybersecurity professionals. This can help mitigate broader threats even if files remain locked.

What are the risks of paying the ransom?

Paying the ransom is a controversial decision. Some of the notable risks associated with paying ransomware criminals include:

No guarantee of file recovery

There is no guarantee attackers will provide the victim with a working decryption tool once ransom is paid. The criminals may simply take the money and disappear, leaving files permanently inaccessible. Unlocking files depends on the honesty of untrustworthy hackers motivated by financial gain.

Possibility of repeat infections

Paying the ransom does not eliminate the initial infection on devices. Attackers may attempt to re-infect and re-ransom the same target repeatedly. Effective remediation requires completely cleaning malware from systems after decryption.

Funding criminal enterprises

Ransom payments fund cybercriminal operations and incentivize continued attacks. The money may go towards developing more ransomware, hacking more victims and even non-cyber criminal activities. Refusing payment hampers these enterprises.

Possibility of increased ransom demands

Submission to initial ransom demands may embolden attackers to target similar victims for even larger amounts. Paying signals to cybercriminals that crime is profitable.

Reputational damage

Publicity around ransom payments can damage an organization’s reputation with clients and partners. It raises questions around lax cybersecurity and ongoing vulnerability.

What happens if you don’t pay the ransom?

Refusing, or being unable, to pay the ransom demand essentially means the victim organization must write off encrypted files. However, there are some other potential outcomes if payment is not made:

Permanent loss of data

Without the decryption key, encrypted files may remain locked forever unless the encryption is broken by brute force. Some data may be irretrievable.

Disruption to operations

Loss of critical files and data can significantly impact business operations, productivity and revenue. Recovery requires rebuilding systems from scratch.

Reputational impact

Data losses resulting from unpaid ransoms can undermine stakeholder confidence in an organization’s cyber resilience. However, non-payment may also signal steadfastness against criminals.

Cybercriminal retaliation unlikely

Despite threats, attackers rarely retaliate when ransom goes unpaid. Encryption itself is punishment enough in most cases. Retaliation risks law enforcement attention.

Eventual decryption possible

Researchers may eventually crack the ransomware strain and release free decryption tools, enabling file recovery without payment. But this could take months or years.

Future attacks deterred

Refusing payment may deter ransomware criminals from targeting the organization again after realizing it will not pay. It sends a message that cybercrime does not pay.

What are the arguments for paying ransomware demands?

Despite significant risks, some arguments exist for paying ransomware demands:

File recovery

Paying the ransom provides the best chance of restoring access to encrypted files by obtaining the decryption key. This restores operations and prevents data losses.

Cheap option

Ransom amounts often cost less than expenses from business disruption, lost revenue, recovery efforts, reputational damage and other impacts of unpaid ransomware. Paying may be the cheaper overall option.

No alternatives

If the victim lacks backups, decryption tools and other options for file recovery, then payment may be the only viable way to get data back. The business may have no alternative but to pay.

Speedier file access

Obtaining the decryption key provides quicker access to locked files than waiting for researcher decryption tools or restoring from backups. This minimizes downtime.

Reduce public attention

Quietly paying ransom can prevent public disruption, scrutiny and reputation damage associated with known infections, particularly for organizations like hospitals.

Prevent catastrophic damage

If ransomware encrypts truly mission-critical or life-critical systems, paying may be justified to restore operations and prevent worse outcomes like patient deaths.

What are the arguments against paying ransomware demands?

There are also compelling arguments against paying ransomware extortion demands:

Rewarding criminal behavior

Payment incentivizes and rewards cybercrime, fueling further ransomware development, infections and payments from future victims. Refusing payment deters cybercrime.

Funding other malicious activity

There are no controls on how ransoms get used. Funds could support terrorism, human trafficking, drug trade, child exploitation or other criminal purposes.

Violates cybersecurity best practices

Paying ransoms contradicts recommendations from law enforcement and cybersecurity experts. It signals acceptance of extortion.

No reimbursement guarantees

Attackers may fail to provide working decryption tools after payment or repeatedly ransom the victim. Criminals provide no guarantees or warranties around reimbursement.

Future attacks more likely

Paying marks the organization as an easy target for repeat attacks with potentially higher ransom demands. News of payment may even spread on the dark web.

Sets dangerous precedent

Publicly paying may establish expectations of payment and prompt other organizations to pay ransoms when attacked. This furthers the ransomware business model.

Ethically problematic

Paying cybercriminals with shady motives is ethically difficult for organizations, even if necessary for file access. It indirectly assists lawbreaking.

Key factors when deciding whether to pay ransomware demands

The decision around ransom payment involves weighing multiple complex factors:

Importance of encrypted data

If the locked data is non-essential, disposable, or easily replaced from backups, then paying the ransom is harder to justify. But if the data is mission-critical or irreplaceable, then payment becomes more compelling.

Ransom amount

If the ransom demand is relatively small, then paying may cost less than all the disruption, lost revenue and recovery efforts associated with non-payment. But larger sums require greater scrutiny.

Likelihood of decryption tool

If the ransomware strain is older, poorly designed or commonly cracked, then free decryption tools may emerge soon. But newer, robust strains may necessitate paying for tools.

Operational disruption

The scale of business disruption and loss of access to systems factors into ransom decisions. Greater disruption increases the incentive to pay quickly and restore operations.

Legal obligations

Regulations around data privacy, medical care, publicly traded companies and other areas may compel payment if needed to meet compliance standards and fulfill duties.

Law enforcement advice

Consulting the FBI, international agencies and cybersecurity experts provides useful perspectives on dealing with specific ransomware incidents. Their insights guide decisions.

Insurance coverage

Organizations with cyber insurance may get coverage for ransom payments, and insurers may even negotiate on behalf of victims. This can influence the pay or not pay decision.

Public relations impact

The PR optics around ransom payment or refusal can significantly impact an organization. This PR angle often factors into deliberations around paying.

Should individuals and businesses have a policy on ransomware payments?

Given the complex considerations around ransomware extortion, cybersecurity experts recommend organizations proactively develop policies to guide response to ransomware incidents. Ransomware payment policies aim to remove emotion from decision-making and provide a deliberate, rational process for evaluating options during crises.

Key considerations for ransomware payment policies include:

– Outlining criteria for evaluating payment vs non-payment tradeoffs
– Clarifying who gets authorization power for ransom decisions
– Developing secure communication channels for ransom negotiations
– Reporting protocols to involve cyber insurers, law enforcement etc.
– Accounting procedures for handling cryptocurrency payments if warranted
– Post-payment verification processes to confirm decryption works
– Remediation steps following any ransom payment to prevent repeat attacks
– Media and public disclosure plans around ransomware incidents

For individuals without policies, experts recommend not paying ransoms due to high risks and the need to discourage cyber extortion. However, businesses should adopt customized ransomware response plans reflecting their unique risk profiles.

Have ransomware payment trends changed over time?

Ransomware payment trends have notably shifted over time as both attackers and victims evolve their behaviors:

Increasing payment rates

One survey found the rate of organizations paying ransomware ransoms increased from 26% in 2020 to 32% in 2021, suggesting a rising willingness to pay.

Growing ransom demands

The average ransomware payment grew 82% from 2020 to 2021, according to a report by Palo Alto Networks. Larger demands enable bigger payouts.

Shift to tailored extortion

Modern ransomware gangs research victims’ finances to make tailored, cost-effective demands based on ability to pay. This increases payment rates.

Focus on deep-pocketed targets

Cybercriminals increasingly aim ransomware with large ransom demands at organizations perceived as capable of paying large sums, such as hospitals, schools, and corporations.

Growth of Ransomware-as-a-Service

The emergence of RaaS empowered less technical cybercriminals to execute ransomware campaigns, expanding the ransomware-on-demand market.

Declining utility of payment

With the rise of ransomware backups, payment provides less assurance of file recovery. Cybercriminals also frequently fail to honor decryption promises.

Conclusion

Deciding whether or not to pay ransomware demands involves complex cost-benefit analyses weighing odds of data recovery against risks of encouraging and funding cybercrime. Key considerations include the importance of encrypted data, scale of business disruption, legal duties, law enforcement advice, PR impact, and ethical tradeoffs.

While payment trends have shifted towards rising rates and demands, the utility of paying ransom has declined given frequent failure to regain data access. Cybersecurity experts caution that payment rewards and propagates ransomware, even if it is necessary for short-term continuity. Organizations should have planned policies guiding ransomware response.