Organizations face many difficult questions when hit by a ransomware attack, including whether to pay the ransom. Some feel pressure to decide quickly and pay in order to resume operations as soon as possible, or to regain access to critical files that no other method can recover.
The potential for loss of life, or for the company to go out of business entirely, should be the primary consideration in any decision to pay.
Either way, paying a ransom has consequences. The organization's risk appetite, business continuity objectives, cost of downtime, regulatory obligations, and legal exposure all weigh heavily on the decision to pay or to refuse.
Even when the criminals are paid, they may not deliver a decryptor that recovers every file, and they may come back to demand more money.
Every relevant internal stakeholder should be involved in the final decision on a ransom payment. The organization should also understand the terms of its cyber insurance policy and seek advice from incident response specialists. Where ransom negotiators are engaged, they may be able to draw on experience from prior incidents involving the same criminal group.
This article lists the main things companies should consider when deciding whether to pay a ransom.
Paying a ransom doesn’t guarantee recovery
Paying criminals is exactly what it sounds like: handing money to an untrustworthy party. The payment is irreversible, and once it is made the attackers can simply disappear without delivering a decryptor. This does happen, although it is not typical.
Paying a ransom doesn’t equal instant recovery
Even with a decryption key, recovery is rarely immediate. Decryption is laborious and slow: each affected system has to be decrypted individually, and attacker-supplied decryptors are frequently slow and unreliable.
In most cases the recovery effort is as involved as reimaging the machines outright, even after the criminals have been paid and the key delivered. Decrypted systems still have to be investigated and cleaned, because the access the attackers used to deploy the ransomware may remain. As a result, recovery can cost as much as it would have if the attackers had never been paid.
Paying a ransom can be a federal offense
Ransomware negotiation is a new industry, created by the growing demand for help in dealing with ransomware attackers. For-profit firms in this space offer to negotiate with the attackers and arrange payment on the victim's behalf. Engaging them does not remove the legal questions around paying, however.
Paying a ransom to cybercriminals who are subject to U.S. government sanctions may be a federal offense. In October 2020 the U.S. Treasury's Office of Foreign Assets Control (OFAC) issued an advisory (updated in September 2021) warning of potential penalties for anyone involved in facilitating payments to sanctioned attackers; its examples included actors linked to Iran, North Korea, and Russia. The advisory applies not only to the victim but to anyone facilitating the payment, including ransomware negotiation firms, cyber insurers, and incident response providers. OFAC can impose civil penalties on a strict-liability basis, so an organization that pays risks fines even if it had no practical way to determine who the attackers were or where they were located.
Paying cybercriminals strengthens their business model
Paying cybercriminals validates their business model, attracts more criminals to the same activity, and provides a steady source of funding for both cybercrime and the other crimes that ecosystem supports. Every payment encourages adversaries to attack more often and to demand more.
As mentioned above, a ransom payment can create legal risks that must be weighed alongside the commercial and cybersecurity risks. A person or organization that "has materially sponsored, provided financial, or technological support for goods or services in support of any activity of an individual or entity on the Sanctions Lists" [which may include hackers, hacker groups, and governments known to support hackers] may face penalties under the International Emergency Economic Powers Act (IEEPA) or the Trading with the Enemy Act (TWEA).
U.S. persons and organizations are prohibited from any transaction involving the transfer, payment, exportation, withdrawal, or other dealing in the property or interests in property of a person or entity on the Sanctions Lists, unless the transaction is authorized or exempt. Penalties vary with the statutory authority behind the sanction but can include substantial civil fines and, for willful violations, criminal prosecution and imprisonment. OFAC has said it will treat a prompt, self-initiated report of the attack to law enforcement and full cooperation during and after the incident as significant mitigating factors. Organizations targeted by ransomware should therefore consult experienced legal counsel before any payment is made.