Dan is a 20-year veteran of the ICT industry working for global and local vendors in bringing new and innovative technologies to market in the ANZ region. During his career, Dan has been passionate about bringing a local voice and insights to global technology challenges. As the Editor of GetCyberResilient.com Dan casts a keen eye across the hot topics, trends and pulse of local security practitioners to curate stories from near and far that are most impactful in addressing our evolving risks.
The ransomware headlines keep coming, don’t they? Hospitals, government bodies and private companies both big and small keep getting hit, and a frightening 64% of businesses were disrupted by ransomware last year.
You might feel you’ve got your bases covered and can catch any attack at an early stage, whether by flagging suspicious network activity, missing files or changing file extensions. But all too many organisations don’t realise they’ve been compromised until their systems are already encrypted and a note splashes across a desktop screen: pay up promptly, or suffer the consequences.
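One way to turn the early-warning signals just mentioned (a burst of file extension changes and files going missing) into a concrete check, as an added example in Python that is not part of the original article; the log format, process names, paths, expected extensions and thresholds are all constructed for illustration:

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample log, format "timestamp process action path [-> new_path]";
# the process names and paths are invented for illustration.
SAMPLE_LOG = """\
2024-03-01T09:00:01 winword.exe RENAME C:\\docs\\q1.docx -> C:\\docs\\q1-final.docx
2024-03-01T09:12:03 updater.exe RENAME C:\\docs\\a.xlsx -> C:\\docs\\a.xlsx.locked
2024-03-01T09:12:03 updater.exe RENAME C:\\docs\\b.pdf -> C:\\docs\\b.pdf.locked
2024-03-01T09:12:04 updater.exe RENAME C:\\docs\\c.docx -> C:\\docs\\c.docx.locked
2024-03-01T09:12:04 updater.exe DELETE C:\\docs\\backup-2023.zip
2024-03-01T09:12:05 updater.exe RENAME C:\\docs\\d.pptx -> C:\\docs\\d.pptx.locked
"""
# Extensions this (hypothetical) organisation expects on its file shares.
EXPECTED_EXT = {".docx", ".xlsx", ".pdf", ".pptx", ".zip", ".txt"}

def parse_line(line):
    """Split one log line into (timestamp, process, action, src, dst or None)."""
    ts, proc, action, rest = line.split(" ", 3)
    src, _, dst = rest.partition(" -> ")
    return datetime.fromisoformat(ts), proc, action, src, dst or None

def ext_of(path):
    """Lower-cased final extension of a Windows path ('' if none)."""
    name = path.rsplit("\\", 1)[-1]
    return name[name.rfind("."):].lower() if "." in name else ""

def score_events(log_text, window_s=60, rename_threshold=3):
    """Return {process: findings} for every process that renames at least
    rename_threshold files to an unexpected extension within window_s seconds;
    deletions by the same process are reported alongside as context."""
    per_proc = defaultdict(lambda: {"renames": [], "deletes": 0})
    for line in log_text.splitlines():
        ts, proc, action, _src, dst = parse_line(line)
        if action == "RENAME" and ext_of(dst) not in EXPECTED_EXT:
            per_proc[proc]["renames"].append(ts)
        elif action == "DELETE":
            per_proc[proc]["deletes"] += 1
    alerts = {}
    for proc, d in per_proc.items():
        times = sorted(d["renames"])
        burst, j = 0, 0  # sliding window over the sorted rename timestamps
        for i, t in enumerate(times):
            while (t - times[j]).total_seconds() > window_s:
                j += 1
            burst = max(burst, i - j + 1)
        if burst >= rename_threshold:
            alerts[proc] = {"burst_renames": burst, "deletes": d["deletes"]}
    return alerts
```

The ordinary save-as rename by winword.exe produces no alert, while the second process trips the threshold within seconds; real deployments would feed this from an EDR or file-server audit log and tune the extension list and thresholds to the environment.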
Almost every business knows they shouldn’t pay the hackers, and that giving in to criminals’ demands just encourages more crime. But when it’s your critical assets that are encrypted, your operations that are offline and your company’s future that is under threat, there’s a lot riding on that call. So when should you pay a ransom, and when should you reject it? What does the law say about making ransomware payments?
What to do when you suffer a ransomware demand
The Australian Cyber Security Centre and CERT NZ have guidance on how to respond to a suspected ransomware attack. Both advise reporting the attack and not paying the demand, with the ACSC’s advice typical: “Never pay a ransom: There is no guarantee you will regain access to your information. You may also be targeted by another attack.”
For smaller organisations without a dedicated cybersecurity team, now may be the time to call in external experts. Larger organisations may have an incident response plan that covers ransomware, and now is the time to follow it to the letter, rather than making panicked decisions. It should detail next steps and key stakeholders across IT, legal, communications and your executive team.
Key early concerns will include assessing the extent to which your systems can still function and determining exactly what the attackers have in their possession. One problem here is that ransomware negotiations are always shrouded in secrecy. While one survey found that 54% of Australian businesses paid the ransom, few of them – for obvious reasons – have gone public about the process they went through or the amount they paid. Ransomware gangs, meanwhile, may lie about the amount of data they have extracted or encrypted, and may not restore your data even if you do pay up.
Paying a ransomware demand may actually save you money
While paying up is risky and contradicts most official advice, it has advantages:
It may be cheaper. If the cost of recovery is much higher than the cost of the ransom payout, there’s a strong business case to be made for simply paying up.
Most systems should be up and running more quickly than if you go through a laborious data restoration process. Especially if your backups are poor or contain old data, paying up may allow you to dodge some downtime – and the considerable costs it involves.
You may be able to keep things quiet. Announcing a ransomware attack may damage your reputation and profits, but if you can pay up and move on (and aren’t legally required to notify officials or customers) your public profile may remain undented.
Some criminals have moved beyond ransomware into extortion, threatening to release personal data or trade secrets that they’ve exfiltrated. A payment may not just get your data back – it may save you from further disaster.
Some insurance policies may cover ransom payouts.
While hackers aren’t trustworthy, if no one ever got their data back the ransomware model would collapse. That’s supported by a survey that found that 76% of businesses that paid the ransom did get their data back.
But paying a ransom may be just the start of your problems
As we’ve seen, around three-quarters of businesses that pay the ransom get their data back. But that still leaves a quarter both out of pocket and without access to their data.
Those that get their data back may not be out of the woods yet. Decryption keys may work for some assets but leave others corrupted. Some may crash or fail, requiring you to build a new tool by extracting keys from the attacker’s kit. All this will take up more of your time and money – the very thing that paying up was meant to safeguard.
The ransomware group, meanwhile, will know that your company pays ransoms. They may strike again within weeks, or demand a second payment to ensure your data isn’t publicly released. And, whatever you do, that data may still be sold on the dark web to the highest bidder, giving other attackers insights into your business.
Ransom payments may not be illegal, but they’re not exactly encouraged
Governments around the world are increasingly seeking to mount coordinated responses that starve ransomware gangs of cash. In Australia, it is already an offence to knowingly fund criminal activities, and the Ransomware Payments Bill will make it mandatory for all organisations with a turnover of more than $10 million to report ransomware incidents. In that climate, the “pay up and keep quiet” response to attacks looks increasingly unsustainable.
Both the Australian and New Zealand authorities instead advise organisations to report incidents and speak to law enforcement, with the aim of both cracking down on the gangs and helping victims find alternatives to paying up.
How you can reduce the risk of being caught out by ransomware
With good preparation, organisations can make themselves harder targets for ransomware groups – plus bounce back faster and act more decisively if they are breached. Key strategies include:
Building cyber resilience through threat monitoring, network segmentation and awareness training.
Producing and sharing comprehensive incident response and business continuity plans that cover ransomware and the decision-making process, and keeping them up to date.
Lining up third-party security specialists who may be able to work with you if a major incident takes place.
Rehearsing incident response and ensuring responsible parties are able to perform their tasks as required.
Strengthening backups (ideally, backups will be near-constant) and working to ensure IT staff are fully trained in system restoration.
Insurers have become wary of ransomware in recent years, but some policies may be worth considering.
Ransomware is hitting almost every business
In the aftermath of a ransomware attack, one question looms larger than any other: to pay or not to pay. Paying the ransom is an easy solution that can help your firm get back up to speed fast. But it can also bring problems in its wake, from incomplete data recovery to repeat attacks.
The best defence against ransomware is preparation. That comes via training and hardening that can stave off attacks. But it also comes via incident response plans that can make recovery and decision making easier – even in the eye of a ransomware storm.