Infiltrate, Extort, Repeat – The Ransomware Pandemic. Part 3: The Hostage Dilemma – Should You Pay the Ransom?

This question raises a number of issues for businesses, including ethical dilemmas, practical and operational difficulties, legal complications, financial challenges and public relations headaches.  In all cases, the decision to pay a ransom needs to be taken carefully, with a very small group of senior stakeholders and the input of external advisors where appropriate. 

The initial answer is usually: “No – we will not negotiate with the attackers.”  However, many businesses do often decide that ransoms are a price worth paying when faced with the alternative of an unknown period of business disruption, potentially combined with the prospect of sensitive data either being leaked or irretrievably lost.

Richard Hanlon of Aon Cyber Solutions thinks that “paying the ransom is the tip of the iceberg” and that “whatever the business, it’s better to understand ransomware losses in the context of business interruption, because that’s the single biggest threat from a ransomware attack”.  The UK’s National Health Service incurred £92 million of costs to restore its services in the months following the 2017 WannaCry attack.  It is also important to note that losses can extend well beyond remediation expenses, as victims may find themselves exposed to long-term impacts such as loss of business, third-party claims and reputational damage. Research by Sophos estimated that, last year, the average cost of rectifying a ransomware attack, when considering downtime and the costs associated with recovery, sat at $1.85 million with 26% of victims choosing to pay ransoms. In the first part of 2021, this figure had risen to 32%.

Whilst the payment of a ransom may ultimately be a commercial decision, there are a number of other considerations that a business will want to take into account when choosing whether or not to pay:

Attacker credibility/reliability: If cyber specialists are able to identify the likely attacker, it will be helpful for your business to understand whether that particular attacker/ group has a reputation for ceasing an attack and returning stolen data when they receive a ransom payment.

Governmental and societal pressures: Depending on the nature of the business and the jurisdictions impacted, victims may want to consider what view government bodies may take of paying a ransom.  Experts within the cybersecurity industry remain deeply divided on whether victims should pay ransoms.  The Ransomware Task Force, a global coalition of cyber experts, has made nearly 50 recommendations to governments across the world to help curb the burgeoning illicit industry but were unable to come to an agreement on whether countries should ban ransom payments.  In the United States, the FBI does not advocate the paying of ransoms, in part because it does not guarantee that access will be regained, while in the last year the US Department of the Treasury’s Office of Foreign Assets Control has looked to impose financial penalties on organisations that make ransomware payments and in doing so “may enable criminals and adversaries with a sanctions nexus to profit and advance their illicit aims”.

Legal restrictions: It will also be important to consider if there are any legal restrictions that prevent or restrict the payment of ransoms in the affected jurisdictions.  For example, in the UK, whilst the payment of ransoms is not illegal in most situations, there is a risk that making such a payment could be considered a criminal offence under the Terrorism Act 2000 if it is known or there is reasonable cause to expect that the person receiving the payment will or may use it for the purposes of funding terrorism.

Ethical stance: Many businesses will also want to consider their own moral stance on paying a ransom.  These payments typically involving the funding of a criminal enterprise that is likely to repeat the offence elsewhere and funnel the funds into further illegal activities.  This reality will have to be weighed against the costs of any potential harm that may arise from the attack continuing, such as the release of huge amounts of sensitive data.  Increasingly, organisations are implementing policies that set out their position on the payment of ransoms in different circumstances.

Reputational risk: Whilst many businesses will try to keep details of any ransom payment confined to a small number of senior individuals, there remains a risk of a leak.  Therefore, careful consideration of the public relations impact will need to be considered and a communications plan implemented.

Financial impact: Businesses should take a holistic view of the financial impact of paying a ransom, considering not just the payment itself but also the cost of the attack continuing and the impact of the attack of revenues generally (whether or not a ransom is paid).

Practicalities: Importantly, if a business does decide to make a ransom payment, there are a number of practicalities to consider.  In particular, access to cryptocurrency will be needed in short order and an organisation will need to decide who will need to sign off on and make the relevant payment.  In addition, depending on the jurisdiction, businesses may also want to inform law enforcement of an intention to make the payment to ensure transparency and to enable them to provide any assistance.

Concluding this miniseries

The COVID-19 pandemic provided a breeding ground for cyber criminals to infiltrate organisations on a scale not seen before, with ransomware the malware of choice for many seeking to cause maximum disruption to businesses during already challenging times.  The ethics of paying a ransom still divide opinion across the world but the devastating effects of not doing so means businesses face a very real dilemma when making this tough decision. The most effective way to address the threat of these attacks is to invest in strong defences and experienced personnel whilst implementing robust processes and procedures so that a business stands ready to react, respond and remediate any incidents that occur. We can help you with this; speak to one of our cybersecurity experts today.

This article was created for ICLG.com. Read parts 1 and 2 of this miniseries, linked in the Recommended Content section below, or click the button to download the full piece.