Ransomware attacks have been on the rise in recent years. Victims are often faced with a difficult decision: should they pay the ransom to get their data back? Here we cover the key considerations when deciding whether or not to pay ransomware extortion fees.
What is ransomware?
Ransomware is a form of malware that encrypts files on a device or network. The attackers demand a ransom payment in order to provide the decryption key. Ransomware attacks have surged in the last few years, targeting businesses, government agencies, hospitals, schools and individuals.
Some of the most prolific ransomware variants include Ryuk, Conti, REvil and Phobos. Ransomware is typically spread through phishing emails containing malicious links or attachments. Once the malware is downloaded, it silently encrypts data on the infected system before displaying its ransom note.
Should I pay the ransom?
There are arguments on both sides of this issue. Some experts say you should never pay, while others argue that payment may be the most pragmatic response depending on the situation.
Reasons to pay the ransom:
- It may be the quickest and most cost-effective way to regain access to encrypted data, especially if backups are lacking.
- Some ransomware operators honor their word and provide working decryption keys after payment.
- If sensitive or valuable data is at stake, the business impact of permanent data loss may outweigh the ransom amount.
- Paying the ransom avoids disruption to business operations caused by restricted access to data and systems.
- It discourages the attacker from leaking or selling stolen data to other cybercriminals.
Reasons not to pay the ransom:
- Paying ransoms funds and incentivizes cybercrime.
- There is no guarantee you’ll get working decryption keys after paying.
- You may be targeted again by the same group knowing you’ll pay.
- Law enforcement discourages ransom payments.
- Some ransomware uses techniques that make data recovery difficult even with keys.
- The ransom amount could increase if you start negotiating with the attacker.
Consult experts to assess options
The decision of whether or not to pay a ransomware extortion demand needs to be examined on a case-by-case basis. Consult with technical experts to determine if decryption is possible through means other than the attacker’s keys. Work with law enforcement to explore strategic options based on the type of ransomware variant. Hire a cybersecurity firm for help with negotiation and ransom payment, if that path is taken.
How common are ransomware payments?
According to survey data, about one third of businesses victimized by ransomware choose to pay the extortion demand. The percentage that pays varies across industry sectors, with healthcare organizations being the most likely to pay ransoms.
According to Coveware, the average ransomware payment among their clients was around $250,000 in Q3 2022. However, payments can range from a few hundred dollars to millions of dollars depending on the victim, type of ransomware and size of the ransom demand.
[Chart: Ransomware payment percentages by industry sector (percentage that paid the ransom). Source: Sophos, The State of Ransomware 2022.]
Should I negotiate on the ransom amount?
Some ransomware operators are willing to negotiate on the ransom price. Skilled negotiators may convince the attackers to accept a lower amount, especially if you can demonstrate it’s all your organization can afford to pay. Negotiation is recommended in cases where you’ve decided paying the ransom is your best course of action.
Keep in mind that negotiating takes time, which only extends the period that systems and data remain locked. There’s also a risk the attackers walk away if no middle ground can be reached on pricing.
Don’t bank on getting decryptors
There is no honor among cyber thieves. Even if you pay up, there is no guarantee the criminals will provide a working decryption tool. In some cases, they may only provide partial decryption, forcing victims to pay more for full restoration. Ransomware gangs are also known to go silent after payment, never providing the promised decryption keys.
According to Coveware, around 3% of organizations that pay ransom fail to get working decryption keys in return. The decryption failure rate is around 5% for Ryuk ransomware attacks specifically.
Paying ransom has downsides
Paying ransomware extortion payments, regardless of circumstance, is controversial. Ethical issues aside, there are several risks to consider if taking this approach:
- Paying the ransom funds more cybercrime down the road.
- You may be targeted again, or by other ransomware groups.
- It can be perceived as weakness, identifying your organization as an easy mark.
- You may run into legal or regulatory problems.
Some governments prohibit ransomware payments, and organizations regulated by the U.S. Government face additional restrictions under OFAC guidelines.
What does law enforcement recommend?
The official position of the FBI is that victims should not pay ransoms. Payment is seen as incentivizing and rewarding criminal behavior. However, law enforcement agencies understand each situation is unique. They generally do not recommend prosecution of victims who choose to pay extortion fees to recover stolen data.
In some cases, the FBI may recommend ransom payment if it’s the best path to mitigate damage from a compromised network. For example, paying may restore access right away, whereas restoring from backups could mean a prolonged outage.
Can payments be kept secret?
Ransomware payments, especially large ones, are difficult to keep secret. Word often leaks out through insiders, industry sources or cybersecurity firms that get involved. Ransomware gangs also publicize payments received to encourage other victims to pay up when targeted.
In addition, the money trail may be traced through blockchain analysis of cryptocurrency ransoms. This can reveal ransom payments as well as potentially shine a light on the cybercriminals receiving the funds.
Are there alternatives to payment?
Before deciding whether to pay the ransom, always explore alternative approaches that could restore access to encrypted data. These options include:
- Restore from recent, clean backups not impacted by the attack.
- Utilize backup mechanisms that allow “roll back” to an unencrypted state.
- Disable the malware and wipe impacted systems rather than pay for decryption.
- Try automated decryption tools that can work against some ransomware variants.
- Engage incident response firms to recover data without paying ransoms.
If you can restore operations through backups or wiping systems, payment should be avoided. Unfortunately, many organizations lack offline backups, forcing them to consider the ransom payment option.
Should I hire ransomware negotiators?
Specialist firms exist to handle ransomware negotiations on behalf of victims. They act as intermediaries, communicating with attackers using pseudonyms and demanding proof of decryption capability before any payment. These negotiators take over the discussions, working to lower the ransom demand.
Hiring professional negotiators can be beneficial if you decide paying the ransom is your only recourse. Negotiation specialists add experience talking with cybercriminals and can sometimes significantly reduce the ransom amount. However, they also charge fees amounting to thousands of dollars or a percentage of the ransom paid.
Can law enforcement help negotiate?
In some cases, law enforcement may be able to step in and negotiate with ransomware attackers, particularly if the attack has national significance. For example, the FBI negotiated with the DarkSide operators responsible for the Colonial Pipeline ransomware attack.
However, most typical ransomware incidents are unlikely to garner law enforcement assistance with negotiations or decryption. Local police lack the resources and technical capabilities to interact directly with ransomware groups. However, they can help by putting you in touch with cybersecurity experts and identifying response best practices.
Are ransoms tax deductible?
The IRS presumes ransom payments to cybercriminals are deductible as theft losses. This view is based on the fact that the payments are often the only way for victims to recover stolen data after a malicious attack. However, a publicized ransom payment could trigger an audit of your tax filings.
Companies that try to disguise a ransom payment as a legitimate business expense may be accused of filing a false tax return. It’s best to be transparent by reporting any ransomware payments on IRS Form 4684 as a theft loss if you intend to claim the deduction.
Does insurance cover ransom payments?
Cyber insurance policies may cover all or part of a ransomware extortion payment, along with costs for investigating the incident, notifying customers, recovering data and restoring systems. However, insurers usually require you to notify them in the event of an attack before paying ransoms.
Make sure you understand your cyber insurance policy’s stance on ransom payments. Some specify the insurer will not reimburse voluntary payments made without their consent. Policies with ransomware-specific coverage tend to provide more leeway for insured companies to make payments.
How are ransoms typically paid?
Most ransomware groups demand payment in the form of cryptocurrency, such as Bitcoin or Monero. Cryptocurrency provides the attackers anonymity since transactions are difficult to trace. Victims usually have to set up accounts on exchanges that allow the purchase of cryptocurrency using standard currency.
Some attackers direct victims to pay ransoms through more opaque means, like prepaid gift cards. Others set up accounts for the victim to wire transfer traditional currency. Cash ransom drops also occur on rare occasions. These payment methods are less common since cryptocurrency remains the preferred untraceable option for attackers.
Should I hire a ransomware recovery company?
Cybersecurity firms specialize in helping ransomware victims recover encrypted data without paying ransoms. They use techniques like analyzing the malware’s encryption, exploiting flaws in the ransomware variant, restoring from backups and leveraging decryption tools.
Hiring a ransomware recovery company costs a significant amount, often exceeding the ransom demand itself. However, their services are worth considering if you want to avoid payment. Reputable firms can sometimes recover up to 80% of encrypted data. They may also reduce long-term downtime by cleaning up and restoring systems compromised by a ransomware infection.
What mistakes cause ransom payment failure?
Victims sometimes make missteps that result in not regaining access to data after paying ransoms. Common mistakes include:
- Attempting to negotiate a lower ransom amount after the initial payment deadline passes.
- Paying only a portion of the ransom demand.
- Using the wrong cryptocurrency address or botching the transaction.
- Allowing the attackers continued access to the victim’s networks.
- Restoring data from old backups before validating decryption worked.
Work with experienced negotiators to avoid these pitfalls and maximize the chances of payment success. Do not try to handle negotiations independently without proper guidance.
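The last pitfall in the list above, restoring over good backups before confirming that decryption actually produced usable files, is one a practitioner can script a guard against. The Python example below is added here and is not code from the original article. It assumes a hash manifest of the data was captured before the incident (for example from the last clean backup) and checks a restored or decrypted tree against it; a byte-entropy heuristic is used only to tell "still encrypted" apart from "truncated or otherwise changed" when a hash does not match. The sample files it builds are constructed for the demonstration.

```python
"""Validate restored/decrypted files against a pre-attack hash manifest
before any good backup is overwritten (added example; assumptions noted)."""
import hashlib
import json
import math
import tempfile
from collections import Counter
from pathlib import Path

# Assumption: ransomware output is close to uniformly random, so a file that
# still hashes wrong AND has near-8-bit entropy is probably still encrypted.
# Heuristic only: compressed formats (zip, jpeg, ...) are also high-entropy,
# which is why the hash manifest, not entropy, decides whether a file is good.
ENTROPY_THRESHOLD = 7.5  # bits per byte


def sha256_of(path: Path) -> str:
    """Stream a file through SHA-256 so large files do not need to fit in RAM."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte; 0.0 for empty or single-valued input."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def build_manifest(root: Path) -> dict[str, str]:
    """Relative POSIX path -> SHA-256 for every regular file under root.
    In practice this is captured before an incident (e.g. at backup time)."""
    return {p.relative_to(root).as_posix(): sha256_of(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def validate_restore(root: Path, manifest: dict[str, str]) -> dict:
    """Compare a restored tree against the manifest and classify each file."""
    report = {"ok": [], "mismatch": [], "missing": [], "suspect_encrypted": []}
    for rel, expected in manifest.items():
        p = root / rel
        if not p.is_file():
            report["missing"].append(rel)
            continue
        if sha256_of(p) == expected:
            report["ok"].append(rel)
            continue
        # Hash mismatch: look at the first 64 KiB to decide which bucket.
        sample = p.read_bytes()[:65536]
        bucket = "suspect_encrypted" if shannon_entropy(sample) >= ENTROPY_THRESHOLD else "mismatch"
        report[bucket].append(rel)
    # Only an all-clean tree should be allowed to replace a known-good backup.
    report["ready"] = not (report["mismatch"] or report["missing"]
                           or report["suspect_encrypted"])
    return report


def build_demo(tmp: Path) -> tuple[dict[str, str], dict]:
    """Constructed sample: a pre-attack tree, then a 'restored' copy with
    one still-encrypted file, one truncated file and one missing file."""
    good, restored = tmp / "pre_attack", tmp / "restored"
    files = {
        "docs/report.txt": b"quarterly report, plain text " * 200,
        "db/customers.csv": b"id,name\n1,alice\n2,bob\n" * 100,
        "hr/payroll.xlsx.bin": b"placeholder spreadsheet bytes " * 50,
        "notes.txt": b"meeting notes " * 30,
    }
    for tree in (good, restored):
        for rel, data in files.items():
            p = tree / rel
            p.parent.mkdir(parents=True, exist_ok=True)
            p.write_bytes(data)
    manifest = build_manifest(good)
    # Defects in the restored copy (constructed):
    (restored / "db/customers.csv").write_bytes(bytes(range(256)) * 16)  # entropy 8.0
    (restored / "hr/payroll.xlsx.bin").write_bytes(b"placeholder spreadsheet bytes " * 10)
    (restored / "notes.txt").unlink()
    return manifest, validate_restore(restored, manifest)


def run_demo() -> dict:
    """Build the constructed sample in a temp dir and return the report."""
    with tempfile.TemporaryDirectory() as d:
        _manifest, report = build_demo(Path(d))
    return report


if __name__ == "__main__":
    print(json.dumps(run_demo(), indent=2))
```

Run against a real restore by pointing `build_manifest` at the last clean backup and `validate_restore` at the decrypted tree; nothing should be copied back over the backup until `report["ready"]` is true, and every entry under `suspect_encrypted` is a file the attacker's decryptor did not actually handle.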
Should I report the attack?
You should always report ransomware attacks to law enforcement, regardless of whether you decide to pay. Reporting to the FBI or Secret Service allows them to gather data on ransomware trends, tactics and groups. It also alerts them to aggressive new variants.
Many victims are reluctant to report attacks because they don’t want publicity or scrutiny around ransom payments. However, agencies say they do not prioritize prosecuting paying victims over the cybercriminals themselves. Filing a report can only help their broader investigative efforts.
How can paying ransoms enable more cybercrime?
Ransomware has exploded into a billion dollar criminal enterprise largely because payments from victims fund continued success. The revenue generated from ransom payments goes toward enhancing the malware, evading detection and launching more attacks.
Widespread payment plays into the attackers’ business model, providing resources and incentive to mount additional, potentially larger campaigns. Refusing to pay ransoms helps slow the growth of ransomware by cutting off its primary funding source.
Does paying the ransom end the incident?
Obtaining the decryption key is unfortunately not the end of a ransomware attack. Before paying ransoms, victims should assess the full impact of the breach and take steps to lock down exposed systems.
Attackers often maintain persistence within impacted networks. Just because your data is recovered does not mean the threat is eliminated. Wipe systems, change credentials, close security gaps and monitor for suspicious activity after ransom payment.
The criminals may also have stolen sensitive data prior to deploying ransomware. Continue monitoring for any signs this exfiltrated information gets leaked or sold on the dark web after paying the ransom and restoring data.
Paying ransomware extortion demands is a controversial decision that depends heavily on each victim’s unique situation. There are reasonable arguments on both sides of the payment issue. In some cases, retrieving stolen data may be worth meeting the attackers’ payment demands.
However, victims should explore other options first before electing to pay. Thoroughly investigate the attack’s scope, check for viable backups and review alternatives to payment. If paying the ransom, take precautions to avoid missteps and maximize chances of getting working decryption keys.
Understand the risks and complexities around ransom payments before deciding on a path forward after an attack. Paying up does not guarantee a clean end to the incident. Continued vigilance is required even after systems are recovered and restored.