The Most Asked Question:
Should We Pay the Ransom?

Pay Attention

Over the past five years I (the author—Allan Liska) have delivered more than 300 talks and webinars about ransomware. In almost every case, someone asks whether or not victims should pay the ransom. As much as the security person inside me wants to scream, “No!” the answer is a little more complex than that. Don’t get me wrong: The default answer is always no, but there are sometimes extenuating circumstances that soften the “no” a bit. This page is a more nuanced discussion of what’s involved in paying the ransom and some of the pitfalls.

If paying the ransom is necessary, the first thing an organization needs to do is hire a ransomware negotiator. Honestly, a ransomware negotiator should be retained before the decision is made, so they’re not walking in blindly. Having a negotiator on retainer also avoids further delay, because the scope of the services the negotiator will be conducting is determined and the contracts are signed.

... with Bitcoin on hand to pay a ransom if it came down to it. As ransom demands have grown over the last few years, that payment option is generally no longer feasible. Often, a negotiator can facilitate payment on behalf of a client. But if the ransom demand is eight figures or more, the victim has to know where and how they’re going to source that much Bitcoin in a reasonable time frame (ransomware actors can be stalled for only so long). Again, this process should be figured out before the ransomware attack and documented in the IR plan, so there’s no last-minute confusion. Even if the negotiator can’t provide ransom payment, they can often assist with sourcing Bitcoin.

... the negotiator tells an organization not to pay the ransom. Some ransomware groups are notorious for providing broken keys or decryptors that otherwise don’t work. Most experienced negotiators have worked with many different ransomware groups and offer sound advice about when continuing negotiations makes sense and when it’s time to stop.

... speak authoritatively about the cost to the victim of not paying by simply making up numbers that aren’t backed up by any research.

Executive Corner

Many leaders assume that if they ever find themselves in the position of having to pay a ransom, their cyber insurance policy will cover the cost of the ransom for the organization. For a while, that was true, but the situation is changing. As the number of ransomware attacks spiked in 2020, leading to a huge increase in the number of cyber insurance policy payouts, cyber insurance companies lost significant money.

Those losses are expected to continue at least through 2021 and have resulted in an average 18% premium increase in the first quarter of 2021. That’s not all: Some cyber insurance companies are refusing to pay the ransom going forward. Many cyber insurance companies are making renewal difficult by applying increased scrutiny on their clients’ security practices.

The important takeaway is that cyber insurance and cyber insurance coverage are changing. Organizations need to ensure that they understand what’s covered and what’s no longer covered by their policy. As always, they need to check the policy before they’re hit with a ransomware attack.

... is the risk that you’ll bring down legal sanctions by paying a ransom to or through a sanctioned entity. In the United States, the Department of Treasury’s Office of Foreign Assets Control (OFAC) is responsible for issuing sanctions against foreign entities. In October 2020, OFAC issued specific guidance about the risk of making ransomware payments. As part of that guidance it explained:

... that a ransomware actor was sanctioned isn't going to help an organization avoid fines. This is another reason why it’s so important to get a negotiator involved. The negotiator will know which groups are sanctioned and which aren’t, and can help organizations avoid costly mistakes.

... on the part of Evil Corp. A negotiator is going to know that they’re a sanctioned entity and inform victims of the consequences they can expect from OFAC if a ransom is paid. It’s possible to pay a ransom to a sanctioned ransomware group, like Evil Corp, without reporting the payment, and thereby escape a fine. There’s a pretty good chance that an organization could even get away with that, but if OFAC does find out, executives at the organization that authorized payment will likely face jail time. The problem with doing that is that the victim is paying money to an organization that knows they’re sanctioned and that has no moral values whatsoever. What is to stop Evil Corp from reaching back out several months or years later and demanding additional ransom to not report the victim to OFAC??

More recently, OFAC issued sanctions against SUEX, a cryptocurrency exchange that operates largely out of Russia and over the years has helped launder $160 million for ransomware groups and other cybercriminals. The sanctions against SUEX may hinder the ability of ransomware groups to launder money, but it’s not expected to slow down the pace of ransomware attacks. Only time will tell what the impact of these sanctions will be.

... ransomware groups are notoriously bad. It’s likely that any decryption tool provided as the result of a ransom payment will need to be rewritten by the IR company. Besides, it’s not a great idea to allow a tool from a group that just encrypted all of a victim’s files back into that same network. There are no documented cases of ransomware groups embedding malware in a decryptor, but it’s still a significant risk at a time when the victim’s network is most vulnerable. Fortunately, rewriting a decryptor tool doesn’t take long.

The next thing an organization has to decide (and hopefully this is already part of the disaster recovery plan) is whether to restore the files on the existing systems or replace those systems then restore the files. This site has highlighted all of the ways that ransomware actors can move stealthily around a network. This means there are likely still artifacts from the ransomware actors sitting on these encrypted machines. It’s possible to remove all signs of the ransomware group from the encrypted systems, but even the best forensic analyst sometimes misses things.

... out new machines and move the decrypted files from the old systems to the new ones. That takes time and is expensive. Not as expensive as a second ransomware attack, but expensive nonetheless.

Finally, the organization will likely need upgrades to its security systems. Those upgrades may come in the form of new technology or additional staff, but they will have to come. Every organization has some level of technical debt. A ransomware attack is often caused by that technical debt, which, left unattended, can be used by the ransomware attacker to gain access and spread. Now the ransomware attack can be used as a catalyst to remove a good deal of technical debt at once. No matter what steps are taken after a ransomware attack, the recovery process generally takes months to fully complete.