What happens when ransomware is paid?

Ransomware is a type of malware that encrypts files on a victim’s computer and demands a ransom payment in order to decrypt the files and restore access. Over the past decade, ransomware attacks have become increasingly common, with victims ranging from individual home users to large corporations and government agencies. When a ransomware attack occurs, the victim faces a difficult decision: refuse to pay the ransom and risk losing valuable files and data, or pay the ransom in the hopes of getting everything back. But what actually happens when the ransom is paid? Does the victim get their files decrypted as promised? And does paying the ransom simply encourage more attacks? Here is an in-depth look at what happens when ransomware ransoms are paid.

Do victims get their files back when ransom is paid?

In the majority of cases, paying the ransom does result in the victim getting their files decrypted and restored. Most ransomware operators are criminal enterprises, but even criminals have incentives to establish a reputation for “honoring” ransom payments in order to keep their extortion racket going. If word gets out that a particular ransomware gang does not decrypt files after payment, fewer victims will be willing to pay up.

According to analysis by cybersecurity firm Coveware, in 2021 around 93% of victims who paid ransom to common ransomware strains such as Ryuk, Conti or REvil got working decryption tools and had their files successfully restored. Major ransomware groups often operate online customer service portals where victims can negotiate and make payments, then get technical support for using decryption software. Essentially, ransomware is a criminal business model: extracting maximum profit requires providing working decryption to paying “customers.”

However, there are exceptions. Some less sophisticated ransomware may be buggy and fail to properly decrypt. Newer ransomware groups may not yet have established reputations or efficient payment/support systems. And in a minority of cases, victims who pay do get ignored and receive no working decryption key, especially if the attackers believe little additional profit can be extracted.

Paying the ransom encourages more attacks

While paying a ransom often does lead to file recovery for the victim, it also emboldens and enriches cybercriminal networks to continue mounting ransomware operations. Ransom payments are the lifeblood of the criminal ransomware economy, providing funds for software development, hacking infrastructure and money laundering networks.

Some key insights on how ransom payments fuel further attacks:

– Lucrative business model – Ransomware is highly profitable, with the average payment around $200,000. Total ransom payments exceeded $400 million in 2020. High payouts incentivize hackers.

– Funds development – Ransom payments finance improvements to ransomware code, evasion techniques, encryption methods and malware delivery tools. More sophisticated capabilities lead to more infections.

– Resources for scale – Revenue from ransoms allows ransomware gangs to hire more malware developers, purchase infrastructure like botnets, and scale up operations. More resources mean more victims.

– Data leaks as additional leverage – Many ransomware groups now double extort victims by threatening to publish sensitive stolen data. Ransoms finance data leak sites and services.

– Money laundering enables cybercrime – Cryptocurrency laundering services are an essential piece of the ransomware ecosystem. Ransom payments fund access to money laundering networks.

– Higher ransom demands – Demonstrated willingness to pay leads attackers to increase demanded ransom amounts in future attacks, often into the millions. News of large payouts drives higher demands.

Case study: Colonial Pipeline ransom payment

In May 2021, a ransomware attack forced major fuel pipeline operator Colonial Pipeline to shut down for nearly a week, leading to gas shortages and price spikes. Colonial reportedly paid a 75 bitcoin ransom worth around $4.4 million to the DarkSide ransomware group to obtain a decryption key and restart operations.

The FBI was eventually able to recover most of the bitcoin. However, many experts believe the willingness to pay a multi-million dollar ransom likely emboldened DarkSide and other groups to pursue more ambitious targets with even higher payment demands. These concerns materialized just weeks later when REvil ransomware extracted an $11 million payment from meat processor JBS Foods.

Other consequences of paying ransomware ransoms

Beyond perpetuating future ransomware attacks, paying ransoms can have other negative consequences:

– Funds other criminal activity – Ransomware gangs are often involved in other cybercrime. Payments may fund criminal endeavors like data breaches, stolen credit cards, money laundering, and more.

– Violates regulations – In some industries like finance and healthcare, paying ransoms could violate data privacy or compliance regulations. Fines for violations can be steep.

– Loss of leverage for negotiation – Once a ransom is paid, attackers have little incentive to continue communicating or to negotiate a lower ransom. Paying removes bargaining power.

– No guarantee of avoiding data leaks – Even after paying, sensitive stolen data may still be leaked or sold by ransomware groups to maximize profit. Ransoms do not guarantee preventing damaging data leaks.

– Tax deductibility challenges – Businesses often cannot deduct ransom payments as expenses, increasing the financial hit. Insurers may also deny reimbursement if ransom payment violates policies.

High-profile examples of post-ransom data leaks

– CNA Financial: Large insurance company CNA paid $40 million ransom but still had sensitive files released.

– JBS Foods: Meat supplier paid $11 million but extortion continued, requiring an $11 million payment to prevent more leaks.

– Brenntag: Chemical distributor paid $4.4 million but cybercriminals still leaked sensitive documents.

Should ransoms be paid?

With all the downsides and risks associated with paying ransomware demands, many security experts caution strongly against paying if any alternative recovery options exist. However, each victim faces a unique situation in terms of the value or sensitivity of encrypted data, potential business disruption, legal liabilities, and capabilities for response. There are arguments on both sides:

Reasons some experts argue against ransom payment:

– Encourages more attacks against other victims

– Funds criminal activity

– No guarantee of data recovery

– Alternate recovery options may exist

Reasons for paying ransom in some cases:

– Retrieve data that is highly valuable or impossible to recreate

– Meet regulatory requirements for availability of systems

– Avoid costs of downtime that exceed the ransom

– Lack alternatives to decrypt critical systems

There is no universal answer on whether to pay or not. Each victim needs to weigh the tradeoffs specific to their situation. However, having contingency plans for high-impact disruptions can provide options that reduce the desperation that fuels ransom payments.

Recommendations for managing ransomware attacks

While there are no guarantees against ransomware attacks, organizations can take steps to prevent infections, limit damage, and plan alternate recovery options that avoid rewarding cybercriminals with payments:

– Maintain regularly updated backups that are isolated and inaccessible to the network where primary copies reside. Backups allow file restoration without paying ransom. Use the “3-2-1 rule” – 3 copies, on 2 different media types, with 1 isolated copy.

– Keep offline backups of critical data and software configurations necessary to restore systems. Air-gapped backups break the encryption chain.

– Install and update antivirus, endpoint detection, firewalls and analytics tools that prevent malware delivery and detect ransomware behavior.

– Train employees on secure practices like multi-factor authentication, complex passwords and avoiding suspicious links/attachments. Human errors enable many ransomware attacks.

– Regularly patch and update operating systems, software and firmware to eliminate vulnerabilities. Unpatched software is the number one delivery route for ransomware.

– Segment networks and limit user permissions to restrict lateral movement if malware penetrates defenses. Ransomware often spreads rapidly on flat networks with excessive user privileges.

– Maintain an incident response plan for cases where ransomware infiltrates systems. Having a response plan can limit damage and support recovery.

– Consider cyber insurance policies that cover ransomware response costs, and negotiate with carriers in advance about their position on paying ransoms. Insurance can offset financial impact.
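One way to turn the “3-2-1 rule” from the backup recommendation above into a check that can be run against a backup inventory. This is an added example, not code from the article; the DataCopy fields, the two constructed inventories and the one-day freshness limit are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed inventory model (example code, not from the article). Each entry is
# one copy of the data set; the production copy itself counts as copy number one.
@dataclass(frozen=True)
class DataCopy:
    name: str
    media: str            # "disk", "tape", "object-storage", ...
    isolated: bool        # offline, air-gapped or immutable: unreachable from the primary network
    last_success: datetime

def check_3_2_1(copies, now, max_age=timedelta(days=1)):
    """Audit a set of copies against the 3-2-1 rule plus a freshness limit.
    Returns a list of findings; an empty list means the policy is satisfied."""
    findings = []
    if len(copies) < 3:
        findings.append(f"only {len(copies)} copies, need 3")
    media_types = {c.media for c in copies}
    if len(media_types) < 2:
        findings.append(f"only {len(media_types)} media type(s), need 2")
    if not any(c.isolated for c in copies):
        findings.append("no isolated copy: every copy is reachable from the network ransomware would encrypt")
    for c in copies:
        age = now - c.last_success
        if age > max_age:
            findings.append(f"{c.name}: last successful backup is {age.days} day(s) old, limit {max_age.days}")
    return findings

NOW = datetime(2024, 1, 15, 9, 0)  # constructed reference time

# Constructed: looks like "three backups", but all share one media type, all are online, one is stale.
WEAK_SET = [
    DataCopy("file-server", "disk", False, NOW - timedelta(hours=1)),
    DataCopy("nas-snapshot", "disk", False, NOW - timedelta(hours=6)),
    DataCopy("replica-site-b", "disk", False, NOW - timedelta(days=9)),
]

# Constructed: production disk, nightly tape taken offline, immutable object-storage copy.
GOOD_SET = [
    DataCopy("file-server", "disk", False, NOW - timedelta(hours=1)),
    DataCopy("tape-vault", "tape", True, NOW - timedelta(hours=12)),
    DataCopy("immutable-bucket", "object-storage", True, NOW - timedelta(hours=3)),
]

if __name__ == "__main__":
    for label, copies in (("weak", WEAK_SET), ("good", GOOD_SET)):
        print(label, check_3_2_1(copies, NOW) or ["ok"])
```

The weak inventory is the common failure mode: several copies that all sit on the same reachable storage, so a single ransomware run encrypts the primaries and every “backup” at once.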

Paying ransomware demands is like getting out of jail by paying the criminals who locked you up. The temporary relief encourages future harm. With preparation and resilience, organizations can reduce reliance on appeasing attackers through ransom payments.

Conclusion

Paying ransomware ransoms often does lead to recovery of encrypted files for the victim, as most ransomware groups provide valid decryption tools to demonstrate the “value” of paying. However, each payment fuels the criminal ecosystem to create even more potent and disruptive malware. Ransomware groups use the profits to hire talent, build infrastructure and develop capabilities that result in higher success rates, more downtime inflicted, and skyrocketing ransom demands.

Ultimately, the short-term convenience of recovering data by paying ransoms leads to greater long-term risk, as hugely profitable criminal enterprises dedicate more resources toward ransomware and expand their attacks. By paying, organizations unintentionally underwrite the next wave of cybercrime. Companies and institutions must weigh all these factors when deciding if paying ransomware ransoms makes sense for their unique situation. But in general, developing proactive defenses, resilient backups, and effective response plans provides a better path through the ransomware minefield than attempting to appease and negotiate with cyber extortionists.