What are the Pros and Cons?

Receiving a ransomware demand is something every business dreads. It is no longer a matter of if you will get attacked, but when. Ransomware struck one-third of all organizations in 2021 alone. It’s something that every security team will have to deal with.

What’s more, once-standard mitigations such as reverting to backups may no longer be enough to recover data if critical files have been encrypted. Many ransomware demands now threaten to release data publicly if the ransomware demand is not made in a timely manner. Many also release samples to prove they have the data as many victims naively think it’s a bluff or feel they have adequate protections in place.

Other threats may include exposing firms to the threat of regulatory action or initiating DDoS attacks to further disrupt operations. And with the clock ticking, firms have to make quick decisions about whether to pay the ransom to avoid further consequences, or brace themselves for the fallout.

The Benefits of Paying a Ransom

Many firms may decide that the easiest way to restore services and remain operational is to simply pay the ransom. As long as everything goes to plan, this can minimize disruption and downtime, as well as avoid significant financial losses beyond the ransom itself.

Some firms may also believe this will help them keep the incident quiet and avoid any adverse publicity – although regulatory reporting requirements may still apply depending on the sector they operate in and the information compromised.

For organizations in critical sectors such as healthcare, utilities or infrastructure, remaining operational may be such an important consideration that paying the ransom is the only viable option. This was the case in 2021 when US firm Colonial Pipeline paid out around $5 million to ransomware hackers who had successfully shut down a key pipeline, which led to fuel shortages up and down the US east coast. Around $3.3 million of this was later recovered by the FBI.

Explaining the decision to a Senate committee hearing later that year, chief executive of the firm Joseph Blount Jr said: “I made the decision that Colonial Pipeline would pay the ransom to have every tool available to us to swiftly get the pipeline back up and running. It was one of the toughest decisions I have had to make in my life.”

Disadvantages of Giving in to Ransomware Demands

One of the biggest issues with paying a ransom is that you’re gambling that hackers will keep to their word and restore systems. Unfortunately, when you’re dealing with criminals, there’s no guarantee. In fact, it’s estimated that as many as 92 percent of firms fail to recover all of their data, with nearly a third losing at least half.

If the hackers have successfully exfiltrated data as part of their attack, there’s also no way of knowing what they’ll do with this, even if a ransom is paid. Many cybergangs make additional revenue by selling the data on the dark web, especially if it contains valuable intellectual property or customer data. This can cause significant long term problems for the organization in terms of lost competitiveness and reputational damage.

Another issue is that it can expose an organization to further legal action. In the US, for example, many ransomware payments that go to overseas hacking groups could put businesses in violation of international sanctions. A 2021 advisory from the US Treasury warned such payments may breach rules set out by the Office of Foreign Assets Control.

Finally, perhaps the biggest issue with paying ransomware is that it encourages future attacks. If the attackers know you pay then they often come back two and even three times, making it impossible to get ahead of the attacks.

This isn’t just bad for the cybersecurity sector as a whole – it also paints a big target on individual businesses. Some estimates suggest 80 percent of firms that pay a ransom will fall victim again. Of these, only around half are thought to come from the original hackers, highlighting how quickly weak and profitable targets are disseminated in the cybercriminal network.

The Impact on Ransomware Insurance

Some firms may reason that if they pay the ransom, they will be able to claim this against their cybersecurity insurance policy. However, this often leads to more problems.

Over the last few years, ransomware payments for these incidents have skyrocketed, and ransomware insurance providers have created very strict policies. In order to mitigate their own losses, insurance carriers are tightening up limits on how much they’ll pay and under what circumstances.

Whether or not an insurance policy will pay can depend on a wide range of factors. Some, such as AXA, have stopped paying out for ransomware altogether, while others are making their coverage terms much tighter, for instance, by increasing their requirements for firms to have comprehensive protections in place.

In the Colonial Pipeline case, Mr Blount said he had discussed the ransom with the firm’s insurer prior to releasing the funds – indicating that the provider had agreed to cover the cost. However, there’s no guarantee, and it’s likely that premiums will continue to rise in order to meet the growing costs of ransomware.