Should You Pay a Ransomware Attacker?

For many businesses, it’s a worst-case scenario. 

You open your laptop and try to access your latest presentation, report, or financial statement. However, when you click on the files, all you see is gibberish and error messages. 

On your desktop, you discover the dreaded ransom note with instructions: “If you want your files back, you must pay $250,000 in Bitcoin. If you don’t pay within 24 hours, your data will be destroyed for good.” 

What would you do? Most cybersecurity experts will advise you not to pay. Let’s be real though: there is no hard-and-fast rule about paying a ransom—especially when the clock is ticking and dollars are burning. Some examples:

• When Colonial Pipeline—one of the United States’ major fuel pipeline operators— was hacked in 2021, they chose to pay a $4.4 million ransom because the consequences of disrupting the U.S. fuel supply were too dire. 

• Travelex, a currency exchange service, paid $2.3 million in January 2020 after employees were forced to revert to pen and paper, creating a customer service disaster across the U.K.
  
• JBS USA, a meatpacking company, paid $11 million in Bitcoin to hackers in 2021 as the disruption on their system led to huge financial losses. 

In each scenario, the company had to make a call based on their unique circumstances. They also did so with no guarantee that the hackers would actually provide them with a decryption key, or that it would work properly. 

Whether you ultimately decide to pay or not, it’s important to take every scenario into account and make an informed decision. 

Reasons Not to Pay

Law enforcement generally recommends against paying ransoms. While paying a ransom might seem like a quick fix, it’s a risky decision with no guarantee of success. Here are the reasons most experts advise against paying: 

1. It doesn’t protect you against data losses 

In some cases, decryptors provided by hackers will make the situation worse. For example, the Prolock ransomware attack corrupts files larger than 64 MB, leading to 1 byte of data loss per Kb for larger files. If victims paid the ransom, they would still suffer significant data corruption and losses. 

Nearly half of ransomware victims who paid the ransom (46%) regained access to their information, only to discover that their data was corrupted. In fact, 3% of victims that paid didn’t receive any of their data back at all. 

2. You may open the door for another attack

Here’s another scary stat from the whitepaper quoted in the first point: 78% of victims who paid the ransom were breached again, and 63% faced an even bigger ransom demand than they did before. 

When you make a payment, you send a message to hackers: you’re not only unprepared for an attack, but you are willing and able to pay an exorbitant price to get your files back. 

3. It may lead to penalties

Bear in mind that when you are paying a hacker group, you’re effectively funding a criminal organization. The group may even be involved in domestic or international terrorism. 

That is why the U.S. government discourages ransomware payments and is willing to penalize organizations that pay ransomware attackers. It’s enforced by the Office of Foreign Assets Control (OFAC), a department within the Treasury. OFAC maintains a list of sanctioned individuals and organizations. If the ransomware attacker is on this list, paying them is considered “material assistance,” which violates sanctions. Strict liability applies, which means an organization can be penalized even if it didn’t know the attacker was sanctioned.

4. The possibility of double extortion

Many ransomware attackers go further than just holding your data for ransom. There’s a tactic called “double extortion,” whereby attackers steal a copy of your data before encrypting it. They then hit you with a double threat:

• Pay the ransom to get your data decrypted.
• If you don’t pay, the attackers will then threaten to release the stolen data publicly.

In other words, paying only gives you back control of your encrypted data, but it doesn’t guarantee they’ll destroy the stolen copy. Bear in mind that even if you pay ransom, you may still suffer from all of the fallout of a data breach—including loss of revenue and reputational damage—because of this tactic. 

What Happens If You Pay?

Let’s say you decide to take the risk and make the payment anyway. In the ideal scenario, the attackers will provide you with a decryption key so that you can restore your information. Unfortunately, this ideal scenario rarely plays out in real life. A very small percentage of companies get all of their data back. 

Usually, you’re able to restore most of the lost data. But encrypted files aren’t easily recoverable, decryptors often crash, and data recovery is a slow and laborious process. And even if you do pay, your information could still end up on the dark web. 

Remember, the people that hit you with ransomware are criminals; they’re already committed crimes by even putting your company in this position. Thinking they won’t commit another crime if it benefits them is naive, because what else do they have to lose?

If you do decide to make a payment, there are a few things you should consider:

1. Hire a ransomware negotiator 

Your incident response (IR) team or insurance agency may have a negotiator on staff. Find out if that’s the case before you enter into a retainer so that you know who to turn to in the event of an emergency.

2. Consider a Bitcoin safety net

You may think about having a Bitcoin wallet set up and funded as part of an IR plan so that you can make a quick payment. Sourcing crypto on short notice can be difficult.

3. Contact your insurance company

Find out what your insurance will cover. You may have cyber insurance in place, but you have to know what you are covered for before making any payments. Some insurers will not cover ransoms paid. 

4. Trust those with experience

Ransomware attacks happen everyday. Listen to the advice of your IR team and ransomware negotiator. It may seem obvious, but they have your best interests at heart and should handle the negotiation from start to finish. They may even advise you not to pay the ransom because the group that hacked you has a reputation for providing broken keys or selling data regardless of receiving the ransom.

Remember, even if you do pay, you haven’t officially recovered your data yet. It can take weeks to get back up and running. And according to some research, paying the ransom may even double your recovery cost. 

To Pay or Not to Pay?

We would strongly recommend not making a payment, but every ransomware attack should be evaluated on a case-by-case basis. Your business and the well-being of your customers may depend on you paying the ransom. For example, if you work in the medical field, there’s the possibility your patients’ lives may depend on it. 

Weigh the pros and cons before making a decision. Reach out to experts and find out what your insurance covers. Yes, you may be able to retrieve most of your data and get back to business quickly. And you may even do the math and find out it’s cheaper to pay a ransom than to hire data recovery specialists to get you back up and running. 

However, it’s important to note that most ransom payments aren’t the silver bullets the cyber crooks may say they are. You may still lose your data (and a significant chunk of cash) after paying. 

The best thing you can do is start implementing preventative measures and contingency plans beforehand. Backup your data, apply the principle of least privilege and access controls to limit the damage, and cultivate a cyber-aware culture at work. 

If you can avoid a ransomware attack altogether through stronger preventative measures, you might never have to face this impossible question.