Organizations know the danger ransomware poses. If ransomware isn't detected in time, business-critical data could be encrypted, exfiltrated and posted publicly.
Ransomware can also cost an exorbitant amount of money -- be it in fallout or ransom demands. Once a company has received a ransom demand, it's too late to protect its systems -- the attack is complete and the company is a victim.
The time has come for executives to decide: to pay or not to pay? Plus, many wonder whether it is even legal to do so.
Reasons companies pay ransoms
Many organizations won't admit if they paid a ransom to get critical assets back. They prefer to remain silent about ransomware attacks whenever possible. This means the negotiation between threat actors and their victims is shrouded in secrecy.
Despite advice to not pay the ransom, many companies do pay, often for the following reasons:
- Faster recovery time. If data restoration takes too long and the company faces a long, costly downtime, paying the ransom might be the quicker, cheaper alternative.
- Damage to business. Ransomware can cause revenue loss and reputational harm. Announcing that a company got hit with ransomware can also reduce customer confidence.
- Excessive recovery costs. Paying a ransom is a business decision. If the costs to recover from a ransomware attack exceed the ransom payment, why wouldn't companies take a gamble?
- To protect customer or employee data. Companies don't want customer and employee data exposed. Some attackers threaten to release data they exfiltrated to pressure companies to pay.
Reasons companies should not pay ransoms
Federal agencies and industry analysts agree that paying the ransom does more harm than good to the entire industry. While paying may appear to be a viable option, organizations shouldn't pay for the following reasons:
- It encourages attackers. Paying the ransom provides adversaries with additional funds to run future attacks. Victim companies might even suffer repeat attacks if word gets out they paid.
- It escalates payments. Ransomware groups commonly ask for multiple payments in a double-extortion ransomware attack. The first gets a company the decryption keys, and the second ensures data is not released.
- Data isn't always returned. Even if a company pays, there's no guarantee attackers return the data or provide the decryption key. According to a Sophos report, 92% of organizations don't get all their data back, and of those that paid, only 29% recovered half their encrypted data.
- There could be future legal issues. Making the payment could get a company in legal trouble. Paying ransomware attackers can be seen as funding terrorism, depending on the nation-state the group operates out of.
Paying enables the cycle of ransomware to continue. "We're not going to see attackers reconsider this attack vector until it isn't as profitable," said Allie Mellen, analyst at Forrester Research. To slow the cycle, she said, companies should refuse to pay the ransom. "Attackers will be forced to move onto a different way to make money."
Is it legal to pay after a ransomware attack?
While it is legal to pay the ransom in the U.S., cybersecurity experts recommend companies not pay. Given the criticality of assets stolen, however, a company can decide it has to pay the ransom and it is legally allowed to do so.
The U.S. Department of the Treasury released an advisory that said companies could face future legal trouble. Being involved in ransomware payments -- whether as the victim, a cyber insurance firm or a financial institution -- could potentially violate Office of Foreign Assets Control regulations, the advisory said.
"Formal recommendations from the FBI encourage companies not to pay the ransoms because it just escalates the problem," said Dave Gruber, analyst at TechTarget's Enterprise Security Group. "At some point, to stop ransomware, there has to be some formal legislation in place. How do you stop the current cycle? Either stop paying the ransom or make the penalties for doing so way, way bigger and enforce them."
Even if a company decides it is in its best interest to make the ransom payment, experts recommend reporting it to the FBI or CISA. In his experience, Gartner analyst Paul Furtado said companies report incidents more now than previously, even if they pay the ransom. One of his sources is an organization that acts as an intermediary between bad actors and their targets. "Their business continues to increase quarter over quarter," he said.
Can law enforcement help with ransomware?
All law enforcement agencies recommend against paying the ransom and offer assistance to organizations dealing with the aftermath of a ransomware attack.
The FBI and CISA request ransomware victims notify law enforcement so they can track incidents and assist in future prosecution. When submitting a ransomware report to CISA, organizations can request assistance if they need it. CISA also provides a ransomware response checklist to help organizations start their recovery process.
If an organization submits a report to CISA, it doesn't have to notify other law enforcement agencies. If an organization prefers FBI assistance following a ransomware attack, it can submit a report to its local FBI field office.
Using cyber insurance to make ransomware payments
One way companies can make it easier to survive the financial cost of a ransomware attack is cyber insurance. These policies help with ransom payouts and often assist with business downtime reimbursement, data recovery efforts, breach investigation and more.
The popularity of cyber insurance is growing. A BlackBerry survey reported 55% of organizations have cyber insurance. Companies that do not have a policy might find it difficult to obtain one, however -- standalone cyber insurance premiums increased by 62% in 2022 over 2021. Insurance firms started to adjust the cost of premiums and what policies cover to overcome the high cost of ransomware payouts. "They're very specific. They're segmented into ransom protection, business interruption protection and third-party risk for lawsuit protections," Gruber said. Companies might not receive a quote at all, he added.
To reduce the chance of unaffordable premiums or getting shut out of cyber insurance, companies can determine what coverage they need. They can also reduce risk -- and, sometimes, cyber insurance premium costs -- by implementing multifactor authentication, data backups, patch management and other security best practices.
To pay or not pay ransomware is not an easy decision
"It depends" is a common answer from analysts when asked whether companies should pay or not because each situation is different.
To decide, tie the answer to business outcomes, Gartner analyst Paul Proctor said. "It comes down to when business outcomes are impacted by the lack of the stolen data," he said. "The organization must weigh if the business loss is worth rolling the dice on making a payment."
To make it easier to recover from ransomware -- and thus negate the need to give in to ransomware demands -- companies should implement the following best practices:
How to recover from a ransomware attack
Organizations need to implement a ransomware recovery plan to ensure they can recover from a ransomware attack. The plan should include the following steps:
- Implement an incident response plan. A ransomware incident response plan should include steps to validate and analyze the attack, contain it from spreading further and perform a forensics investigation.
- Communicate with law enforcement, decision-makers and affected stakeholders. Submit a ransomware report to CISA, the FBI or a local law enforcement agency, and contact affected users.
- Restore or rebuild affected systems. Once the ransomware attack is mitigated, bring systems back online, or wipe affected endpoints and systems before deploying data backups.
- Perform an incident response review for future attacks. Once fully recovered, evaluate the ransomware recovery plan for successes and failures, and update the plan as needed.