Ransomware – Considerations For Whether You Should Pay or Not Pay a Ransom

In this week’s bulletin, Charlie discusses the pros and cons of paying a ransom and provides us with some advice about how we can be more resilient when faced with a ransomware threat.

This week, I conducted a cyber exercise with a Housing Association, and I have another upcoming exercise with a senior management team. One of the big questions for executives is whether they should pay or not pay the demanded ransom. In today’s bulletin, I thought I would share some thoughts on what considerations you should take into account when deciding whether you should or shouldn’t pay a ransom. According to Coveware –  a ‘cyber extortion incident response firm’ –  in 2022, 41% of victims paid[1], so if you were to pay, you would not be alone.

So, what are the considerations you should take into account when deciding whether to pay or not?

1. Would you be allowed to pay? Crisis teams need to know whether they have the authority to pay or make the decision to pay, or if the decision must be passed up to the parent company, board, or government, if you are a government organisation. Secondly, would the team have the authority to spend the amount of money a ransom might request, or are there a number of hurdles to have the amount signed off? The ransom amount might be millions or even tens of millions. The decision-making and authorities around paying a ransom should be agreed and discussed in advance of any event.
2. You can usually afford the ransom. Those ransoming the organisation will have often done their research on the organisation and have looked at their ability to pay. They will usually set the amount as affordable, but at the top end of what the organisation might pay. I believe the ransom sent to a Scottish College was exactly the amount of money they had in their bank account when the attack occurred. The hackers don’t always get this right; the hackers of Royal Mail set the ransom at £67m, thinking they had hacked Royal Mail, when they had actually attacked the international parcels business, which didn’t have the same financial capacity. 
3. What is the impact on business operations? What activities have the hackers prevented you from carrying out, and what is the impact on the organisation? For some organisations, if all their data is locked, then they have no business left, while for others, their basic business model is not affected by the hack. The decision to pay or not to pay is about the level of inconvenience the locking out of the data causes.
4. What is the impact of the release of data? If data has been exfiltrated, then what is the impact on the organisation if the data is leaked and made publicly available? You have to look at the impact on the organisation in terms of embarrassment and reputation, as well as those whose data is lost. What would be the effect on staff, customers, and if you handle highly sensitive information, what might the effect be on your business model if this data is made public? 
5. What backups do we have and what are our recovery timelines? If an organisation has backups that are air-gapped so the hackers can’t destroy or encrypt them, then the organisation can recover with a minimum loss of data; there would be no need to pay. If backups are not available, you may have no choice but to pay. If backups are available, then the time taken to restore them and get applications up and running should be known so that the impact of the cyber incident is understood.
6. What will you get if you pay? According to Gartner[2], on average, organisations get back 65% of their data. Some will get more, but you might be the organisation which gets a lot less. Will hackers delete stolen data? Will they sell or disclose it at a later date?
7. Informing authorities. If you pay, then it may not negate your requirements to tell the authorities that you have had a ransomware attack. You should understand exactly what you need to report and when, and this will depend on what data you hold, under which jurisdiction the data is held, and what regulation or regulator your organisation is governed by.
8. Cost-benefit. Norsk Hydro, an aluminium shelter, had a ransomware attack in March 2019. Their response is held up as the ‘gold standard’ in response. I thought the ransom demand was $6m, but I can’t find a reference to confirm this, but if they negotiated the amount down, it could be in the low millions. The cost of the attack, looking at different calculations, was estimated at $45m-$70m. In terms of cost-benefit, it was a lot easier for them to pay and would have saved them money, but on the first day, they made an executive decision they weren’t going to pay, and that was that.
9. The moral and cultural dimension. Paying criminals is a moral decision. If we pay them, this will encourage them to come back for us or another victim. Should you be using shareholder or public money for paying criminals? Is payment in line with your organisational culture? The decision made by Norsk Hydro not to pay was very much guided by their corporate culture. How would your staff, customers, owners, or members of the public, view your organisation knowing you had paid a ransom?
10. Who are you paying? There are a number of organisations for which paying could result in breaking the law, including recognised terrorist organisations or individuals, as well as entities under sanctions. Yes, you need to conduct due diligence on the entity you are paying and ensure that by paying a ransom, or if someone pays it on your behalf, you are not violating your national laws.

When dealing with a ransomware situation, you may experience various emotions such as anger, fear, and loss of control. It is crucial to remember that, in the end, ransomware is purely a business decision. The ransomware gang is essentially making you a business proposition, and you must weigh the advantages and disadvantages of accepting their offer. The ransomware gang will employ all tactics at their disposal to pressure you into making an emotional decision rather than a rational one, including imposing limited time constraints, offering to swiftly resolve the problem, and allowing you to return to normal operations promptly. Approaching the event without emotion and avoiding the gang’s pressure puts you in a much better position to make a rational decision and avoid the emotional response and the poor decision making that the attackers are trying to provoke.

I think this pay-or-not-pay decision should be considered by all organisations, and the organisation’s view should be recorded. For some, it may be that they would never pay; others might say they have to consider the impact against the cost of paying. Sometimes, this can be an easy decision, sometimes it can be very difficult, but I think the conversation needs to be had now rather than when you are in the middle of a crisis.

[1] https://www.coveware.com/blog/2023/1/19/improved-security-and-backups-result-in-record-low-number-of-ransomware-payments

[2] https://www.gartner.com/en/articles/when-it-comes-to-ransomware-should-your-company-pay