A new report that the number of ransomware attacks has dropped this year does not mean companies and organizations should lower their guard against these threats. While some experts don’t think companies should ever pay ransomware demands, others say it is not such a clear-cut issue. Whether they pay or not, these cyberattacks can create crisis situations for business leaders.
‘An Enormous Mistake’
“It’s an enormous mistake to think that paying ransomware demands will solve anything. The initial payment is only for the start of things,” Etay Maor, adjunct professor of cybersecurity at Boston College and senior director of security strategy at Cato Networks, said via email.
Business leaders “should deprive criminals of any possible economic incentives that would allow them to run future attacks,” David Lindner, chief information security officer at Contrast Security, counseled via email.
“Moreover, there is no honor among thieves—paying a ransom does not guarantee that data will be returned safely and only increases the likelihood of repeat attacks on an organization. The bad actors now know that your system is insecure and that you will pay a ransom,” he advised.
When Ransom Payments Are Necessary Or Advisable
Despite the risks associated with paying ransomware demands, there are some who do not automatically rule it out.
“There may be scenarios where payment is necessary or advisable. Organizations—usually critical infrastructure—providing essential services may not have time to restore operations or services, and the impacts may necessitate payment,” according to Matthew Baker, a partner at Baker Botts in San Francisco. He focuses on data privacy, cybersecurity, crisis management, and incident response for various industries.
“In addition, threat actors may have accessed and stolen business-critical IP or other sensitive proprietary information, the release of which may be extremely damaging. That may…necessitate payment to prevent disclosure,” he said via email.
“Finally, savvy threat intelligence negotiators may arrange for an exchange of vulnerability information in addition to the decryption keys for payment. This can help organizations better understand the contours of an attack to prevent future recurrences. Though a more narrow scenario, this may likewise weigh in favor of payment,” Baker observed.
‘There Is No Simple Answer’
“There is no simple answer to whether an organization should pay the ransomware demand,” attorney William J. Roberts, co-chair of Day Pitney LLP’s Cybersecurity and Data Protection Practice Group, said via email. “An organization must carefully consider various factors with its advisors before making a decision.”
Roberts said those factors include the following:
Availability Of Backups
“Organizations that have full or nearly complete backup copies of the data affected by the ransomware generally don’t need to pay a ransomware demand.”
“A ransomware incident’s harm may extend beyond data and may also affect organization operations.”
Verification Of Data Access
“Unless there is clear evidence that your data has been exfiltrated, an organization should consider if the threat actor even has a copy of your data. If they say they do, ask and verify first.”
Risk From Release
“Even if you have backups of your data, but you confirm that the threat actor in fact has obtained a copy of it, consider the implications of the threat actor releasing the data if a demand is not paid.”
The Reputation Of The Threat Actor
“Much of the above rests upon the belief that a threat actor will in fact release your systems, destroy your data, or not release your data. And all of this requires you to have a certain level of trust that the threat actor won’t just take your money and run or won’t ask for even more additional payments.”
“Do you have cyber liability insurance and, if so, what does it pay for? Responding to a ransomware incident can be expensive, and it is worth seeing if your coverage will reimburse you for the path you take.”
Law Enforcement Request
“The FBI does not recommend paying a ransomware demand. This is because it doesn’t guarantee you will get your systems back online or your data back and it incentivizes threat actors to continue to target companies. And your organization may even become known as an easy mark,” Roberts concluded.