Ransomware: To Pay or Not to Pay
Ransomware is a dangerous cyberthreat that has made waves in recent years. According to PurpleSec, 121 ransomware incidents were reported in the first half of 2021—a 64% increase compared to previous years. The report further stated that the average ransomware payment increased by 82% yearly to $570,000.
Knowing how to detect ransomware is no longer optional, but vital for small and large businesses alike.
The malware locks confidential data, files, or systems that legitimate users can no longer access.
The damage is done, and the attacker now demands a ransom in exchange for restored access. At this point, the company’s executives and stakeholders must decide whether or not to fulfill the demand.
That’s how ransomware works in short. So, should companies pay ransomware attackers? Read on to find out the risks, ethics, and legalities surrounding this dilemma.
There are always risks, whether you pay the ransom or not. It’s a tough and nuanced decision for organizations, so all aspects must be considered. Of course, the best way to avoid these risks is to know how to prevent ransomware attacks in the first place.
But that’s not always a foolproof solution. It doesn’t help much if your company’s in the midst of an attack, either. Knowing how to stop ransomware in action can help mitigate the damage. When you’re left with no option, though, you must weigh up the risks of paying the ransom or not.
When You Pay
First, you should know that paying the ransom doesn’t necessarily mean your organization will get restored access to the encrypted data. Even if the attacker releases it, there’s a chance you’ll end up with corrupt files. Or, they might insert other malware for future attacks.
A typical example was the ProLock ransomware strain in May 2020. Bleeping Computer reported that the FBI discovered that ProLock decryptor is likely to corrupt files bigger than 64MB. It was also reported that victims were likely to suffer an integrity loss of about 1 byte per KB for files over 100KB.
What about the ransomware payment statistics?
Well, in a recent Cybereason ebook titled Ransomware: The True Cost to Business, almost 46% of respondents who paid the ransom gained access to their data, but some (if not all) the data were corrupted. Also, 51% claimed they successfully recovered all their encrypted data after paying, while 3% claimed the attacker didn’t restore access after paying.
When You Don’t Pay
Making a ransomware payment encourages attackers to keep launching ransomware attacks because they see it as a profitable venture. This is why the FBI insists that you do not pay ransomware attackers.
What happens if you don’t pay the ransomware demand, though? The next course of action lies in your hands. First, attackers can threaten to leak your confidential information to the public or sell it on the dark web. This can damage your reputation and ruin the trust relationship with your customers and business partners.
On the other hand, if the encrypted data is critical to your operations, you might suffer a setback until access is restored. However, this can only happen if you have an updated backup recovery plan. In extreme cases, your operations can cease and your business may be ruined.
There’s no sure-fire method on how to get rid of ransomware without paying. Besides the risks, you need to consider several ethical issues before deciding whether to pay the ransom or not.
When You Pay
One ethical issue, in particular, arises when you make a ransomware payment. It encourages cybercriminals. Once they know your organization is willing to pay the cyber ransom, future attacks can happen.
The decision to pay might be to restore operations, like in the case of Colonial Pipeline CEO Joseph Blount. He paid a $4.4 million ransom for a decryption tool to restore oil operations.
He further mentioned that paralyzing effects on the country drove his decision. While this can be true in some circumstances, a ransomware payment may also prompt the attackers to blackmail victims and demand a second payment.
According to ZDNet, 80% of organizations that agree to pay the ransom suffer subsequent attacks, with 46% believing it originated from the same attacker.
When You Don’t Pay
Before you decide not to pay a ransom, consider the consequences to yourself, your organization, or in the case of Colonial Pipeline, the entire country.
Having a robust backup plan is critical when dealing with ransomware. Also, you can implement a zero-trust security approach where you assume your network is already compromised and then act accordingly.
Is it legal to pay ransomware attackers? Ransomware payments may violate government regulations, risk customer privacy, breach commercial agreements, or have other legal implications.
Using ransomware payment services may also be illegal. Let’s look at the legal implications of paying vs. not paying.
When You Pay
The FBI frowns upon paying ransoms because it doesn’t guarantee deletion or access to stolen data. Organizations should also take note of the recent advisory from the United States Department of Treasury’s Office of Foreign Assets Control (OFAC) before engaging with any criminal.
The OFAC claims that paying a ransom means funding cyber terrorism or strengthening attackers’ financial prowess to attack other organizations or countries. Also, it’s important to note that you can be prosecuted even if you’re ignorant of your involvement in making a ransomware payment.
As OFAC explains, they might impose civil penalties for sanction violations based on strict liability. This means a person or organization under US jurisdiction might be held civilly accountable even if ignorant or having no reason to know it was engaging with a person prohibited under OFAC’s sanctions laws and regulations.
When You Don’t Pay
Refusing to pay the ransom can result in production or delivery issues. This can cause the organization to breach commercial agreements, purchase or delivery orders, or other contractual obligations. In this case, customers or partners may decide to sue the company.
When a ransomware attack locks critical data, individuals and organizations are often left to decide whether to pay the ransom or not. However, the reality is that ransomware attacks are always a possibility, so preparation is crucial.
While you can put measures in place to detect, prevent, and deal with ransomware attacks, you can still face the decision of paying vs. not paying the ransom. Carefully consider the risks, ethics, and legalities of both scenarios before deciding.
Besides ransomware, there are other attacks that organizations must be aware of. You can also check out our Ransomware vs. Malware vs. Phishing article to find out more.