The Most Asked Question:
Should We Pay the Ransom?


A Word from the Author

Over the past five years I (the author—Allan Liska) have delivered more than 300 talks and webinars about ransomware. In almost every case, someone asks whether or not victims should pay the ransom. As much as the security person inside me wants to scream, “No!” the answer is a little more complex than that. Don’t get me wrong: The default answer is always no, but there are sometimes extenuating circumstances that soften the “no” a bit. This page is a more nuanced discussion of what’s involved in paying the ransom and some of the pitfalls.

To Pay? or, Not To Pay?

Ransomware attacks are sometimes even worse than the worst-case scenario for which an organization planned. The data stolen by the ransomware group is so sensitive or damaging that allowing it to be released would destroy the organization. With all other options exhausted, an organization realizes they may have to pay the ransomware group.
What’s next? Before answering that question, it’s important to be sure that paying the ransom is the only option. Sometimes it is, but there are both moral and technical hazards to paying the ransom. The obvious moral hazard is that paying the ransom directly funds criminal enterprises, making their attacks much more effective against the next victims. A ransom payment to these cybercriminals allows them to purchase better tools, acquire exploits, attract more affiliates, and expand their ransomware operations. Organizations need to think very hard before making cybercriminals better at conducting ransomware attacks.
There's also a technical hazard in paying the ransom. According to a study by Cybereason, 80% of ransomware victims who paid the ransom were hit by another ransomware attack. Most organizations that pay a ransom do so because their network is in disarray after a ransomware attack and they simply have no choice. Ransomware groups know this as well. It’s unknown whether ransomware groups deliberately target victims who are known to have paid because they expect an easy target or an easy payday. What is certain is that victims who pay are targeted again. Organizations have to conduct an honest assessment of their ability to get back up and running and put ransomware protections in place before the second ransomware attack comes.
If the answer, despite these hazards, is “pay the ransom,” read on.

You Have To Pay the Ransom, What’s Next?

First: Hire a ransomware negotiator.

If paying the ransom is necessary, the first thing an organization needs to do is hire a ransomware negotiator. Honestly, a ransomware negotiator should be retained before the decision is made, so they’re not walking in blindly. Having a negotiator on retainer also avoids further delay, because the scope of the services the negotiator will be conducting is determined and the contracts are signed.
Often, outside incident response (IR) companies or cyber insurance providers have negotiators on staff that can be provided if they’re requested by the victim. Again, appeals to these negotiators should be determined before the ransomware attack. Organizations should find out, when they sign the cyber insurance contract or place an IR retainer, whether negotiation services are available and whether there are additional charges. This information should all be documented in the IR plan, including how to get in touch with a negotiator.

It used to be that larger organizations would keep a cryptocurrency wallet with Bitcoin on hand to pay a ransom if it came down to it. As ransom demands have grown over the last few years, that payment option is generally no longer feasible. Often, a negotiator can facilitate payment on behalf of a client. But if the ransom demand is eight figures or more, the victim has to know where and how they’re going to source that much Bitcoin in a reasonable time frame (ransomware actors can be stalled for only so long). Again, this process should be figured out before the ransomware attack and documented in the IR plan, so there’s no last-minute confusion. Even if the negotiator can’t provide ransom payment, they can often assist with sourcing Bitcoin.
Some ransomware actors demand ransom in Monero because Monero transactions are more difficult to trace. However, trying to source large amounts of Monero in a short period of time isn’t likely to succeed. Just because the ransomware actor wants something doesn’t mean it’s possible.


Listen to the Negotiator

This should go without saying, but organizations make the same mistakes over and over again. One of the biggest is not following the advice of the ransomware negotiator. Ransomware negotiators have often engaged in dozens of negotiations with ransomware groups. Whether an organization brings a negotiator in from the start, or appeals to a negotiator later to salvage a negotiation that has turned sour, it’s critical to listen to what they say.

That may include listening when the negotiator tells an organization not to pay the ransom. Some ransomware groups are notorious for providing broken keys or decryptors that otherwise don’t work. Most experienced negotiators have worked with many different ransomware groups and offer sound advice about when continuing negotiations makes sense and when it’s time to stop.
It’s also important to remember that ransomware actors are, to put it bluntly, liars. As discussed elsewhere on this site, despite their claims to respectability, they are, ultimately, simply criminals. And, unfortunately, criminals who have a lot of control over victim organizations. This plays out often in chat negotiations such as the one in the image below reported by IBM’s Security Intelligence between the Egregor ransomware and a victim.
Sample chat from the Egregor ransomware group

The Egregor negotiator is attempting to speak authoritatively about the cost to the victim of not paying by simply making up numbers that aren’t backed up by any research.
This lack of good faith underscores why it’s so important for organizations to listen to their negotiators when they find themselves in the unfortunate situation of having to pay a ransom.
Executive Corner

Don’t Rely on Cyber Insurance to Pay the Ransom

Many leaders assume that if they ever find themselves in the position of having to pay a ransom, their cyber insurance policy will cover the cost of the ransom for the organization. For a while, that was true, but the situation is changing. As the number of ransomware attacks spiked in 2020, leading to a huge increase in the number of cyber insurance policy payouts, cyber insurance companies lost significant money.
Those losses are expected to continue at least through 2021 and have resulted in an average 18% premium increase in the first quarter of 2021. That’s not all: Some cyber insurance companies are refusing to pay the ransom going forward. Many cyber insurance companies are making renewal difficult by applying increased scrutiny on their clients’ security practices.
The important takeaway is that cyber insurance and cyber insurance coverage are changing. Organizations need to ensure that they understand what’s covered and what’s no longer covered by their policy. As always, they need to check the policy before they’re hit with a ransomware attack.

The Work Is Just Beginning

Paying a ransom isn’t the end of the recovery process; it’s just the beginning. There’s a long road to recovery. According to one study, organizations who pay the ransom pay double the recovery cost of organizations that don’t. The recovery decisions that are required when restoring from backups are still required using a decryptor, plus there are additional costs associated with IR, the negotiator, and the ransom payment itself.

For starters, decryptors provided by ransomware groups are notoriously bad. It’s likely that any decryption tool provided as the result of a ransom payment will need to be rewritten by the IR company. Besides, it’s not a great idea to allow a tool written by the group that just encrypted all of a victim’s files back onto that same network. There are no documented cases of ransomware groups embedding malware in a decryptor, but it’s still a significant risk at a time when the victim’s network is most vulnerable. Fortunately, rewriting a decryptor tool doesn’t take long.
The next thing an organization has to decide (and hopefully this is already part of the disaster recovery plan) is whether to restore the files on the existing systems or to replace those systems and then restore the files. This site has highlighted all of the ways that ransomware actors can move stealthily around a network. This means there are likely still artifacts from the ransomware actors sitting on these encrypted machines. It’s possible to remove all signs of the ransomware group from the encrypted systems, but even the best forensic analyst sometimes misses things.

The accepted best practice is to build out new machines and move the decrypted files from the old systems to the new ones. That takes time and is expensive. Not as expensive as a second ransomware attack, but expensive nonetheless.
Finally, the organization will likely need upgrades to its security systems. Those upgrades may come in the form of new technology or additional staff, but they will have to come. Every organization has some level of technical debt. A ransomware attack is often made possible by that technical debt, which, left unattended, gives the ransomware attacker a way to gain access and spread. The ransomware attack can now be used as a catalyst to remove a good deal of technical debt at once. No matter what steps are taken after a ransomware attack, the recovery process generally takes months to fully complete.

What’s the Answer? Should You Pay?

Should organizations pay a ransomware extortion demand? The short answer is no, but the longer answer is much more complicated. Despite how it sounds, that’s not a copout. There are a lot of factors that need to be considered in that decision. The continued existence of a business may rely on paying a ransom. In the case of hospitals, despite all the redundancies they have in place, patients’ lives may depend on a ransom being paid.

Make an Informed Decision

There are real-world considerations to ransom payments, and some argue that banning ransom payments would actually be counterproductive in the short term. The important thing is that victims have to make informed decisions. In order to do so, they have to be aware of all the risks of paying the ransom, as well as getting an honest assessment of their ability to successfully recover from the ransomware attack.

This site is adapted from a book on Ransomware. 