Should companies pay after ransomware attacks? Is it illegal?
It's not a question of whether a company will fall prey to ransomware, but when. Executives should focus on deciding to pay or not pay the ransom and on any legal fallout.
Companies know the danger ransomware poses and that a successful attack is inevitable. If ransomware isn't detected in time, business-critical data could be encrypted, exfiltrated and posted publicly on file-sharing sites.
Once a company has received a ransom demand, it's too late to protect its systems. The attack is done, and the company is a victim. The time has come for executives to decide: to pay or not to pay the ransom? Is it even legal to do so?
Reasons companies pay ransoms
While many companies won't admit it, they've paid the ransom to get critical assets back. Companies prefer to remain silent about ransomware attacks when possible. This means the negotiation between threat actors and their victims is shrouded in secrecy.
Given how ransom payment amounts climb every year, many companies decide to pay the ransom. There are several common reasons this is the case:
- Faster recovery time. If data restoration takes too long and the company faces a long, costly downtime, paying the ransom looks like the better, and cheaper, alternative.
- Damage to business. The harm a company suffers can include revenue loss and reputational harm. Having to announce to customers that the company was hit with ransomware and suffered a data breach hurts its reputation and reduces customer confidence.
- Excessive recovery costs. Paying a ransom is a business decision. If the costs to recover from a ransomware attack exceed the ransom payment, why wouldn't companies take a gamble?
- To protect customer or employee data. Companies don't want customer and employee data exposed. Some attackers threaten to release data they exfiltrated to pressure companies to pay.
Reasons companies should not pay ransoms
Federal agencies and industry analysts agree that paying the ransom does more harm than good to the entire industry. While paying may appear to be a viable option, here is why your business shouldn't:
- It encourages attackers. Paying the ransom provides hacker groups with additional funds to run future attacks. Victim companies might even suffer repeat attacks if word gets out they paid.
- It escalates payments. Ransomware groups now commonly demand a second payment. The first buys the company the decryption keys, while the second is meant to ensure the exfiltrated data is not released.
- Data isn't always returned. Even if a company pays, there's no guarantee attackers will return the data or that the decryption key gets data back where it was before the attack. According to a 2021 Sophos report, 92% of organizations don't get all their data back. Only 29% of those organizations that paid recovered even half the encrypted data.
- Potential future legal issues. Making the payment could get a company in legal trouble. Paying ransomware attackers can be seen as funding terrorism, depending on the nation-state the hacker group operates out of.
Paying enables the cycle of ransomware to continue. "We're not going to see attackers reconsider this attack vector until it isn't as profitable," said Allie Mellen, analyst at Forrester Research. One way to slow the cycle, she said, was to refuse to pay the ransom. "Attackers will be forced to move onto a different way to make money."
Is it legal to pay after a ransomware attack?
For the moment, it's legal to pay the ransom in the U.S., though cybersecurity experts recommend companies do not pay. Given the criticality of assets stolen, a company may decide that it has to pay the ransom and that it is legally allowed to do so.
The U.S. Department of the Treasury released an advisory in October 2020 that said companies could face future legal trouble. The advisory said that involvement in ransomware payments -- whether as the victim, a cyber insurance firm or a financial institution -- could potentially violate Office of Foreign Assets Control (OFAC) regulations.
"Formal recommendations from the FBI encourage companies not to pay the ransoms because it just escalates the problem," said Dave Gruber, analyst at Enterprise Security Group, a division of TechTarget. "At some point, to stop ransomware, there has to be some formal legislation in place. How do you stop the current cycle? Either stop paying the ransom or make the penalties for doing so way, way bigger and enforce them."
Even if a company decides it is in its best interest to make the ransom payment, experts recommend reporting it to the FBI or Cybersecurity and Infrastructure Security Agency. In his experience, Gartner analyst Paul Furtado said companies report incidents more now than previously, even as they pay the ransom. One of his sources is an organization that acts as an intermediary between bad actors and their targets. "Their business continues to increase quarter over quarter," he said.
Using cyber insurance to make ransomware payments
One way companies can make it easier to survive the financial cost of a ransomware attack is with cyber insurance. The policies offer more than ransom payouts, often assisting with business downtime reimbursement, data recovery efforts, breach investigation and more.
The popularity of cyber insurance has grown over the last couple years. According to a U.S. Government Accountability Office report, the percentage of companies buying cyber coverage rose from 26% in 2016 to 47% by 2020. Unfortunately, companies that do not yet have a policy might find it has become more difficult to obtain. Premiums for cyber insurance increased 28.6% in 2020, and the industry's loss ratio grew to 72.8%.
To overcome the high cost of ransomware payouts, insurance firms started to adjust the cost of premiums and what policies cover. "They're very specific. They're segmented into ransom protection, business interruption protection, third-party risk for lawsuit protections," Gruber said. You might not receive a quote at all, he added.
To reduce the chance of unaffordable premiums or getting shut out of cyber insurance, companies can determine what coverage they need. They can also reduce risk by implementing multifactor authentication, data backups, patch management and more.
To pay or not pay ransomware is not an easy decision
"It depends" is a common answer from analysts when asked whether to pay or not because each situation is different.
To decide, tie the answer to business outcomes, Gartner analyst Paul Proctor said. "It comes down to when business outcomes are impacted by the lack of the stolen data. The organization must weigh if the business loss is worth rolling the dice on making a payment."
To make it easier to recover and reduce the temptation to pay, companies can follow best practices:
- Invest in business continuity (BC) plans and security awareness training. For BC, companies need a backup and restore process.
- Consider immutable backups.
- Train IT in data restoration so downtime is minimal.
- Prevent infiltration with phishing training.