What is a ransom payment?

A ransom payment is the transfer of money or valuables to criminal actors in exchange for the release of hostages, or of data or systems locked in a ransomware attack. Ransom payments are made in response to ransom demands, which are threats that extort money by blocking access to critical data or systems until payment is received.

According to Collins Dictionary, a ransom payment is “a sum of money or other consideration paid for the release of someone or something from captivity.”

Ransomware attacks involve malware that encrypts files and systems, preventing the rightful owner from accessing them. Perpetrators demand ransom payments in cryptocurrency to provide decryption keys. If victims refuse to pay, they risk permanent data loss. Examples of ransomware attacks include WannaCry, NotPetya, and Ryuk.

Ransom payments fund and incentivize criminal activity. However, victims often view paying the ransom as the most expedient way to regain access and minimize downtime. The legality and ethics of ransom payments remain controversial.

History of Ransom Payments

Ransom payments have a long history dating back thousands of years. In ancient times, ransoms were often demanded for the return of captured nobles, royalty, or warriors taken prisoner during wars or battles. Famous examples include Julius Caesar being held for ransom by pirates in 75 BC and Richard the Lionheart being captured and held for ransom during the Crusades.

Over time, the practice of hostage taking and demanding ransom payments became an established fundraising method for pirates, bandits, and terrorist organizations. Pirates would capture ships and ransom the crew and cargo, while bandits would kidnap wealthy individuals and demand payment from their families for their safe return.

In the 20th century, ransom payments started being demanded more frequently by terrorist groups and political extremists, seeking funds to support their causes. Groups like the IRA, ETA, FARC, and more recently Al-Qaeda and ISIS have engaged in kidnappings for ransom. The rise of international terrorism increased the frequency and visibility of hostage situations involving ransom demands.

According to the Middle East Institute, Qatar in particular has a long history of paying ransoms to terror groups in order to secure the release of hostages. While the ethics are debated, paying ransoms can serve political purposes for some governments. Ransom demands today often involve sophisticated negotiations and millions of dollars in payments.

Sources:

https://middle-east-online.com/en/qatar%E2%80%99s-long-history-ransom-payments-terror-groups

How Ransomware Works

Ransomware is a type of malicious software that blocks access to a computer system or data until a ransom is paid. Here is an overview of how ransomware typically works:

1. Initial infection – The ransomware code makes its way onto a victim’s computer through various infection vectors like phishing emails, compromised websites, or software vulnerabilities. The user may unknowingly download a file or click a link that installs the ransomware.

2. Search and encrypt – Once on the system, the ransomware searches for files, folders, drives, or connected devices to encrypt. It targets valuable data like documents, photos, databases, and other critical information.

3. Encryption – The ransomware encrypts the located files using a complex algorithm. This essentially locks people out of their own data by scrambling the contents into unreadable code.

4. Ransom demand – After encrypting the files, the ransomware displays a ransom note demanding payment, usually in cryptocurrency like Bitcoin. This note explains what happened and how to pay to get a decryption key.

5. Payment – If the victim pays the ransom, in theory the hackers provide the key to unlock the encrypted data. But there is no guarantee they will comply.

6. File recovery – With the decryption key, the original files may be recovered. But if the key is not provided or does not work, the data often remains encrypted forever.

Ransomware can spread quickly and encrypt entire systems within minutes. Preventing infection is crucial, as the encryption process is difficult to reverse unless the hackers cooperate after payment.

Sources:

https://www.checkpoint.com/cyber-hub/threat-prevention/ransomware/

https://www.unitrends.com/solutions/ransomware-education

Types of Ransom Payments

Cybercriminals typically demand ransom payments in cryptocurrency, such as Bitcoin, Monero or Ethereum, to preserve the criminal’s anonymity. Cryptocurrency ransom payments increased by over 300% in 2020 according to Chainalysis (Chainalysis 2022). The UN estimates that as of 2021, cryptocurrency accounts for 98% of ransomware payments (Alston 2022).

However, ransomware criminals may also demand payment in the form of money, gift cards, or other digital assets. According to the US Cybersecurity and Infrastructure Security Agency (CISA), besides cryptocurrency, 29% of ransomware victims reported paying ransoms with money and around 7% paid with gift cards (CISA 2021). The FBI also warns that criminals may resort to extorting assets or sensitive data if the initial ransom demand is not met.

Motivations for Ransom Payments

Ransomware attacks have become big business for cybercriminals. The FBI estimates that over $140 million in ransom payments were made in 2021, up from just $30 million in 2020 (Source 1). For criminals, ransomware offers a lucrative payout with relatively low risk. Demanding a ransom payment allows them to monetize the encrypted data they’ve stolen.

On the victim side, the main motivation for paying is to regain access to your files and systems. For businesses, downtime and data loss from an attack can have catastrophic consequences. Paying the ransom, even if distasteful, may be the quickest path to restoring operations. According to one survey, nearly 3 in 10 companies hit by ransomware opted to pay (Source 2). However, there are risks, as criminals may delete data even after payment.

Law enforcement agencies advise against paying ransoms. But for some victims, the potential damage of not paying exceeds the ransom amount itself. Still, paying may incentivize further attacks. It’s a difficult choice, especially when critical systems and data are at stake.

Ethics of Paying Ransoms

There is an ongoing ethical debate around whether paying ransoms fuels further criminal activity. On one hand, paying ransoms provides incentives for criminals to continue taking hostages and demanding money, potentially funding operations to capture more victims. According to one analysis, ransom payments to terrorist groups increased from $25 million in 2011 to $66 million in 2014 (Source). However, refusing to pay ransoms can endanger the lives of hostages. Families of hostages argue that governments should help them pay ransoms to save lives. According to one estimate, denying ransom payments could have cost the lives of 1,500 hostages from 2008-2014 (Source). There are arguments on both sides, with paying ransoms potentially furthering crime but also saving lives in the short term.

Notable Ransom Payment Cases

Some of the highest-profile and largest ransom payments in recent history include:

In 2021, the Colonial Pipeline company paid a ransom of $4.4 million in Bitcoin to the DarkSide ransomware group after a cyberattack forced the company to shut down a major US fuel pipeline.

In 2020, foreign exchange company Travelex paid a ransom of $2.3 million in Bitcoin to hackers after its systems were infected with ransomware known as Sodinokibi or REvil.

In 2016, the University of Calgary in Canada paid a ransom of $16,000 in Bitcoin to decrypt its computer systems after getting hit by ransomware.

In 2015, Hollywood Presbyterian Medical Center in Los Angeles paid $17,000 in Bitcoin to hackers to regain access to its computer systems which were infected by Locky ransomware.

Some other major ransom payments over the years include the kidnapping cases of Bobby Greenlease Jr. for $600,000 in 1953 and Ronald Grove for $150,000 in 1992.

Costs and Statistics

Ransomware attacks have become a major financial drain on organizations and governments. According to cybersecurity firm Emsisoft, the total global cost of ransomware in 2020 was nearly $20 billion.

The average ransom payment has also been steadily rising. In 2020, the average payment was $154,108, more than double the average of $61,557 in 2019 (https://blog.checkpoint.com/security/the-new-ransomware-threat-triple-extortion/). By the first quarter of 2023, the average payment reached a record high of $250,000 (https://gridinsoft.com/blogs/ransomware-attacks-decline/).

Not only are ransom amounts increasing, but attacks are becoming more frequent as well. One report found a 105% year-over-year increase in ransomware attacks from 2019 to 2020. Healthcare, education, government, and technology were among the sectors hit hardest.

Paying the ransom demand does not guarantee recovery of data. Estimates suggest around 20% of victims who pay never get their data back. Yet for many organizations, paying the ransom can seem like the only option.

Preventing and Responding

There are several key ways organizations and individuals can help prevent and mitigate the impact of ransomware attacks. According to Trend Micro, the most important are:

  • Backing up critical data regularly and keeping it offline or immutable. This ensures data can be restored without paying the ransom.
  • Keeping systems patched and up-to-date. Out-of-date software often contains vulnerabilities attackers exploit to install malware.
  • Using security software and services that can detect ransomware behavior and stop it from encrypting files.
  • Educating employees on cybersecurity best practices like not opening suspicious attachments.

Palo Alto Networks also recommends limiting access and user privileges, monitoring for abnormal activity on networks, and developing an incident response plan. If ransomware does infect a system, the plan can guide efforts to contain and eradicate the malware.
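As an added illustration of what "detecting ransomware behavior" and "monitoring for abnormal activity" can mean in practice (this example is not from Trend Micro, Palo Alto Networks, or any product), the sketch below flags a burst of files being overwritten with near-random bytes. The thresholds, function names, and sample events are assumptions constructed for the example.

```python
import hashlib
import math
from collections import Counter

ENTROPY_THRESHOLD = 7.5  # bits/byte; assumed cutoff (encrypted data is close to 8.0)
BURST_COUNT = 3          # assumed: this many suspicious writes ...
BURST_WINDOW = 10.0      # ... within this many seconds raises an alert

def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for constant data, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    total = len(data)
    return -sum(c / total * math.log2(c / total) for c in Counter(data).values())

def is_suspicious_write(before: bytes, after: bytes) -> bool:
    """A readable file replaced by near-random bytes looks like encryption."""
    return shannon_entropy(before) < ENTROPY_THRESHOLD <= shannon_entropy(after)

def detect_burst(events):
    """events: (timestamp, path, before, after) tuples.
    Returns the paths of the first burst of suspicious writes, or []."""
    hits = sorted((ts, path) for ts, path, before, after in events
                  if is_suspicious_write(before, after))
    for i in range(len(hits) - BURST_COUNT + 1):
        window = hits[i:i + BURST_COUNT]
        if window[-1][0] - window[0][0] <= BURST_WINDOW:
            return [path for _, path in window]
    return []

# Constructed sample data: plain text, and a deterministic stand-in for ciphertext.
TEXT = b"Quarterly invoice totals for the finance team.\n" * 80
CIPHER = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(128))

SAMPLE_EVENTS = [
    (0.0, "docs/a.docx", TEXT, CIPHER),
    (1.5, "docs/b.xlsx", TEXT, CIPHER),
    (2.0, "notes/todo.txt", TEXT, TEXT + b"buy milk\n"),  # normal edit
    (3.0, "db/c.sql", TEXT, CIPHER),
    (4.0, "img/photo.jpg", CIPHER, CIPHER),  # already high entropy, not flagged
]

if __name__ == "__main__":
    print("Alert on:", detect_burst(SAMPLE_EVENTS))
```

Entropy alone misfires on legitimately compressed or encrypted files, which is why the rule requires a low-to-high transition and a burst rather than a single write.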

If prevention fails, organizations must decide whether to pay the ransom or attempt restoring data from backups. Most experts advise against paying, as it incentivizes and funds criminal activity. However, some opt to pay if absolutely critical data is impacted and unrecoverable otherwise.

Outlook and Future Trends

The future of ransom payments is uncertain, according to experts. While ransoms have proven lucrative for cybercriminals in the past, increased regulation and law enforcement pressure may curb the practice. Some predict ransomware attacks will decline as hackers turn to more profitable forms of cybercrime like cryptojacking.

However, the decentralization of ransomware gangs will make stopping payments more difficult. Ransomware-as-a-service lowers barriers to entry, allowing less sophisticated actors to launch attacks. Cryptocurrencies also provide anonymity for receiving ransom payments.

Some analysts forecast that ransom sizes will continue rising exponentially. This could make ransomware increasingly catastrophic for businesses and infrastructure. Victims may have no choice but to pay enormous sums to regain access and avoid collapse.

The maritime sector is expected to remain a prime target. Ships’ critical systems and data make operators highly vulnerable to disruption. However, increased security training and measures like data backups could reduce the impacts of attacks.

According to the source (https://piracyreport.com/index.php/post/1017/Future_of_Ransom_Payments_Uncertain), the future of ransom payments hangs in the balance. Much depends on evolving cybercriminal motivations and law enforcement capabilities to respond. But ransomware’s potential for profit ensures it will remain a threat for the foreseeable future.