Paying the Ransomware: The Heated Debate Around It

Whether or not ransomware attacks are on the rise or on the decline with cryptojacking attacks taking precedence is irrelevant to the victims. The dread users and enterprises feel seeing a message saying their files are encrypted and demanding payment for their return remains very real. Even if it is not lucrative digital attack, it can still be a major disruption to enterprises’ online business, interrupting their daily services and damaging their reputation. And with the attack on Atlanta still ongoing, a recurring question in cybersecurity has arisen again: should enterprises consider just paying the ransomware?

Paying the Ransomware is a Tempting Option

We’ve said in multiple previous articles that paying the ransomware is never the correct choice for victim enterprises. The FBI sternly warns against the practice, and U.S. government policy is never paying the ransomware and not engaging with the cybercriminals.

But ransomware is not so easy for enterprises to refuse in practice. Ransomware often targets the most important files in an enterprises’ servers—files that the enterprise may not be able to function without. Further, there are outside factors to consider. Paying the ransomware promptly may reduce the liability costs an enterprise faces in the wake of an attack and reduce the overall recovery costs. Getting their networks back online quickly can also restore the public’s confidence in the enterprise, which is essential to maintaining their future financial health. For many enterprises, it comes down to a question of profitability.

In short, many enterprises’ find paying the ransomware to be the fastest and most affordable option in the crisis. Almost as if that’s the intention…

Paying the Ransomware Feeds into Scare Tactics

Paying the ransomware is designed to seem like the best option. The ransom amounts tend to be targeted according to the victims’ means to appear far more economical than other means of resolution.

Further, ransomware will often use fear tactics to exploit the psychological torment victims go through and coerce them into paying. Countdown timers and threats of permanent deletion are common. Other cybercriminals will bargain with their victims, to make them seem reasonable. But all these tactics feed into extorting money from innocent people and enterprises.  

Why Not Paying is the Best Option

Paying the ransomware has serious drawbacks, not only by encouraging more ransomware attacks (which it does) but by the inherently one-sided nature of the ransomware attack.

Ransomware is the product of digital criminals. And there truly is no honor among thieves. A recent study by the CyberEdge Group found that 55% of surveyed cybersecurity professionals suffered a ransomware attack in 2017. Of those, about 38% ended up paying the ransomware, and then another half of those (19% in all) ended up getting their files back. The other half were not so lucky. Altogether, 27.6% of victims lost their data regardless of whether they paid or not.

Ransomware criminals may not have any intention of unlocking the files in the first place, regardless of whether the victim pays. Others may not have the talent to undo their damage; their decryption keys may not work as intended. Also, once they have access to your enterprises’ networks cybercriminals can set up into backdoors into it, so they could always hold you for ransom again.

Don’t Pay. Prepare.

Not paying the ransomware is still the best call any enterprise can make. Instead, enterprises should invest in selecting a strong endpoint security solution that can help block ransomware attacks as well as training their employees in digital hygiene best practices.

The good news is that the CyberEdge Group discovered that 86% of victims who refused to pay were able to recover their files. But that does come with the caveat that those enterprises regularly backed up their files. That may be worth a look as well.