Should businesses pay for ransomware?

Ransomware is a form of malware that encrypts files on a computer or network, preventing users from accessing them. The attackers demand that the victim pay a ransom, usually in a cryptocurrency like Bitcoin, in exchange for a decryption key to recover the files. For businesses, a ransomware attack can be crippling, as employees are unable to access critical data and systems. When faced with this, some businesses choose to pay the ransom, while others refuse. There are arguments on both sides of whether paying ransomware is the right choice.

Quick Answers

Does paying ransomware encourage more attacks? Many experts believe that paying ransomware emboldens cybercriminals and makes businesses more likely to be targeted again. However, some argue that for an individual business, paying is the best way to recover quickly.

What percentage of businesses pay ransomware? According to surveys, around 30-40% of businesses end up paying ransomware demands. The majority refuse to pay.

What is the average ransomware payment? The average ransomware payment was around $170,000 in 2020, though payments can range from a few hundred to millions of dollars.

Do you get your data back if you pay? Paying the ransom does not guarantee data recovery, but most cybercriminals do provide working decryption keys. Estimates range from around 75% to 95% success rate in getting data back.

The arguments for paying ransomware

For businesses faced with a ransomware attack that has encrypted essential data and halted operations, paying the ransom can seem like the most expedient way to resume normal functions. Here are some of the main arguments in favor of giving in to ransomware demands:

It is the quickest way to regain access to data

The primary incentive for paying ransomware is to recover access to your files and data as quickly as possible. The decryption keys provided by the attackers can unlock your systems in a matter of days, compared to weeks or months it might take to restore data from backups or re-create it manually. For businesses at a standstill, this can mean being able to serve customers again or resume production within just a short time if they pay up.

It avoids business interruption costs

The business costs of a ransomware attack can add up quickly. With operations halted, profits plunge. There are disruptions across the company to communications, productivity, sales, manufacturing, and more. Paying the ransom promptly can get systems back online faster and avoid drawn-out business interruption costs.

Some cyber insurance policies cover ransom payments

A growing number of cyber insurance policies will cover the costs of ransomware payments, sometimes even including negotiations with the attackers. This can incentivize businesses to pay ransoms, since the insurance provider will bear the cost. However, policies rarely cover the full damage caused by ransomware attacks.

It prevents the attackers from leaking or selling data

Many ransomware groups threaten to publish sensitive stolen data online or sell it to other cybercriminals if the ransom goes unpaid. This data exposure could have compliance, liability, and reputational consequences. Paying the demanded ransom may stop the attackers from leaking confidential information.

Ransom amounts are sometimes relatively low

For small businesses facing ransom demands of a few hundred to a few thousand dollars, paying this modest sum may be preferable to trying to recover the affected systems themselves. The ransom amount can be significantly less than the losses from business interruption or data recovery efforts for minor attacks.

The arguments against paying ransomware

Despite the incentives to pay ransomware, the majority of organizations refuse to give in to these extortion demands. Here are the main arguments against rewarding cybercriminal behavior:

It encourages and funds more attacks

Paying ransoms signals to hackers that ransomware is profitable and worthwhile to continue perpetrating. This may only embolden them to expand operations and prey on more victims with ransomware. Companies that pay are essentially funding criminal organizations to create even more malware and infiltration tools.

There’s no guarantee you’ll get your data back

While most ransomware groups do provide working keys and decryption tools if paid, there is always the risk that your data will remain inaccessible even after paying. The decryption tools could be faulty, or attackers may simply cut communications and choose not to honor the agreement once they’ve been paid.

It reveals the company as an easy target

Making a ransomware payment flags your business as an easy target for future attacks, since hackers will place you on their list of companies open to paying ransoms. This can invite repeat attacks.

It’s unethical and illegal

Paying ransoms to cybercriminals, many operating out of sanctioned countries, is generally considered unethical. It sustains illegal operations. Some countries even prohibit ransomware payments under anti-money laundering laws.

The costs may be prohibitive

While some ransom demands are small, others can be in the millions. Even with insurance, the total costs of paying ransomware, restoring data, bolstering security, and repairing systems can put companies in financial peril. Paying large ransoms should be a last resort option.

It doesn’t address vulnerabilities

Paying ransomware often fixes an immediate crisis, but does nothing to address the security gaps that led to the breach. Attackers can continue exploiting the same vulnerabilities again and again. Companies should focus resources on shoring up defenses instead.

Key factors in the payment decision

The decision of whether or not to pay ransomware depends heavily on each company’s unique situation. Here are some of the main factors businesses weigh when deliberating paying ransom demands:

Size of the ransom request

If the ransom demand is modest, like a few hundred or thousand dollars, businesses are much more inclined to pay it to move on quickly. But if the attackers demand millions, that severely deters payment.

Quality of backups

If a company has excellent, recent backups of all affected data and systems, they are less likely to pay ransomware as they can restore things without the decryption key. Outdated or incomplete backups make payment more likely.

Criticality of the encrypted data/systems

If the encrypted data or systems are vital for core operations and revenue, there is greater temptation to pay ransomware. If the impact is limited, companies can take the time to recover.

Cyber insurance coverage

As mentioned earlier, having cyber insurance that covers ransomware payments influences some companies to pay, since the insurer will handle the costs. But most policies have limits on how much they’ll cover.

Timeliness of operations restoration

Businesses that need to resume serving customers or manufacturing quickly are inclined to pay ransomware for fast decryption of files to limit downtime. Those who can withstand longer interruptions are less pressured to pay ransoms.

Regulatory requirements

In some heavily regulated industries like healthcare, there are strict data recovery and uptime requirements that pressure companies to pay ransoms. Other industries have more leeway to refuse payment.

Scenarios where payment may be warranted

While many experts caution that paying ransomware should be a last resort, there are some scenarios where organizations may have little choice but to give in to demands. Situations where payment becomes more justified include:

The encrypted data is essential and irrecoverable

If the affected data is vital for sustaining life or critical infrastructure, and no usable backups exist, the urgency of recovering it may warrant paying ransom. For example, hospitals may have to pay if medical records and devices are encrypted.

The ransom demand is low

As mentioned earlier, if the ransom demand is a few hundred or thousand dollars, it can be less than the cost of repairing the damage from the attack. Paying a modest sum can make sense for financial reasons.

The business can’t survive extended downtime

Companies at risk of going bankrupt from ransomware-induced delays in operations, manufacturing, or sales may have to pay to quickly restore functionality. The losses from prolonged downtime could otherwise put them out of business.

Required compliance deadlines are at risk

In financial services, healthcare, and other regulated industries, ransomware could prevent meeting legally mandated deadlines for reporting data, submitting filings, or making disclosures. Fines and sanctions compel payment.

You lack the resources for data recovery

If a business lacks the budget, expertise, and capabilities required to properly recover encrypted data and systems on its own, paying experienced ransomware negotiators may be the most viable option.

Steps to take before deciding on payment

Before choosing to pay or not pay ransomware, companies should take some preliminary steps, including:

  • Consult experts on ransomware response, like law enforcement, digital forensics firms, etc.
  • Evaluate cyber insurance and legal implications
  • Assess the technical feasibility of recovering data without paying
  • Determine if you are legally able to pay the ransom
  • Try negotiating the ransom demand lower

This analysis provides the foundation to make an informed, thoughtful payment decision that is right for each unique situation.

Alternatives to paying ransomware

For companies that choose not to pay ransomware demands, or are unable to pay, there are alternatives to be considered instead, such as:

Restore data from backups

If thorough, recent backups exist, encrypted files and systems can be restored without giving in to extortion demands. This requires keeping backups offline and protected.
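Whether a backup is actually usable is what decides the "Quality of backups" factor above and this restore option. The following script is an added example, not code from the original article: it verifies a backup set against a SHA-256 manifest recorded at backup time (a mismatch means the backup copy itself was altered, e.g. encrypted alongside production) and checks the backup's age against a recovery point objective. The directory layout, manifest format, file names and RPO values are assumptions.

```python
import hashlib
import json
import tempfile
import time
from pathlib import Path

def sha256_file(path):
    return hashlib.sha256(Path(path).read_bytes()).hexdigest()

def write_manifest(backup_dir, manifest_path):
    """At backup time: record a SHA-256 digest for every file in the set."""
    backup_dir = Path(backup_dir)
    files = {str(p.relative_to(backup_dir)): sha256_file(p)
             for p in sorted(backup_dir.rglob("*")) if p.is_file()}
    Path(manifest_path).write_text(json.dumps({"taken_at": time.time(), "files": files}))

def assess_backup(backup_dir, manifest_path, rpo_seconds, now=None):
    """Return (usable, problems): every file present, unchanged since the manifest,
    and the backup younger than the recovery point objective (RPO) means restorable."""
    backup_dir = Path(backup_dir)
    manifest = json.loads(Path(manifest_path).read_text())
    age = (time.time() if now is None else now) - manifest["taken_at"]
    problems = []
    if age > rpo_seconds:
        problems.append(f"backup is {age:.0f}s old, exceeds RPO of {rpo_seconds}s")
    for rel, digest in manifest["files"].items():
        p = backup_dir / rel
        if not p.is_file():
            problems.append(f"missing: {rel}")
        elif sha256_file(p) != digest:
            # The backup copy itself changed: a backup the ransomware could reach.
            problems.append(f"hash mismatch: {rel}")
    return (not problems, problems)

def demo():
    """Constructed scenario: a sound backup, then the same backup after one file
    in it was overwritten, then a backup that has aged past the RPO."""
    root = Path(tempfile.mkdtemp())
    bdir, manifest = root / "backup", root / "manifest.json"
    bdir.mkdir()
    (bdir / "ledger.csv").write_bytes(b"id,amount\n1,100\n")
    (bdir / "notes.txt").write_bytes(b"constructed sample data")
    write_manifest(bdir, manifest)
    sound = assess_backup(bdir, manifest, rpo_seconds=86400)
    (bdir / "ledger.csv").write_bytes(b"\x00\x13 ciphertext placeholder")
    tampered = assess_backup(bdir, manifest, rpo_seconds=86400)
    stale = assess_backup(bdir, manifest, rpo_seconds=3600, now=time.time() + 7200)
    return sound, tampered, stale
```

In practice the manifest should be stored on a different medium than the backup it describes, so that whatever alters the backup cannot rewrite the digests to match.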

Bolster incident response plans

Having robust incident response and business continuity plans can improve resilience and minimize business interruption from ransomware attacks without needing to pay ransoms.

Seek help from external experts

Consulting professional incident response firms can help mitigate damage from ransomware and recover the affected systems without paying ransoms.

Enhance cybersecurity defenses

Strengthening digital defenses by adopting new tools, training staff, and improving practices reduces the risk and impact of future ransomware attacks.

Use data recovery tools

Specialized tools exist that can decrypt some ransomware variants without access to the criminals’ private keys. This data recovery option works for some ransomware strains.

Wipe and restore infected systems

In some cases, it may be most practical to simply wipe infected computers and restore data from clean backups or re-image systems from scratch to recover functionality.

Should you pay the ransom?

Whether to pay ransomware or refuse to give in to extortion demands depends heavily on each company’s specific circumstances. There are reasonable arguments on both sides of the debate. Here are some final considerations when deciding on your ransomware response:

  • The more victims refuse to pay ransoms, the less incentive there is for criminals to continue ransomware operations.
  • However, for individual businesses in crisis, payment may be the most viable option in some cases.
  • Focus on resilience by strengthening backups, detection tools, and incident response plans.
  • Carefully weigh the short-term benefits vs. long-term risks before deciding on payment.
  • Working with trusted outside experts can help inform your response strategy.
  • Share information with authorities to help prevent future attacks.

With thorough preparation, investigation of options, and an understanding of the trade-offs, businesses can determine the most appropriate response to ransomware extortion demands.

The issue continues to be widely debated, but following cybersecurity best practices provides the best foundation for ransomware resilience.

Conclusion

Ransomware presents extremely difficult dilemmas for businesses that have critical operations halted or sensitive data encrypted. There are reasonable points to be made for paying or refusing ransoms. In some situations and industries, payment may be warranted if systems and data cannot be recovered any other way. But in general, giving in to ransom demands incentivizes and rewards criminal behavior. The most sustainable approach is cultivating resilience through comprehensive backups, security defenses, and incident response preparations. With adequate safeguards, businesses can hopefully avoid being forced into difficult ransomware payment decisions and manage crises effectively.