
Should Companies Pay After Ransomware Attacks? Is It Illegal?

Admin by Admin
April 8, 2025


Organizations know the danger ransomware poses. If ransomware is not detected in time, attacks can encrypt, exfiltrate and publicly release business-critical data. Ransomware can cost an exorbitant amount of money — in both fallout and ransom demands. Once an organization has received a ransom demand, it is too late to protect its systems — the attack is complete, and the company is a victim.

Now is the time executives must decide whether or not their company should pay the ransom. While law enforcement strongly recommends against paying, some companies choose to do so. Let's look at why companies might pay the ransom, as well as reasons they shouldn't, plus the legality of making ransomware payments and how to engage help from the authorities.

Should companies pay the ransom?

Ask law enforcement, and the answer is a resounding no. Even most cybersecurity experts say no. Yet, there are times when the answer is: It depends.

The answer can often come from considering business outcomes. For example, can the business survive without the stolen data? On the other hand, is it worth taking the chance that making a ransomware payment results in returned data?

Let's look at scenarios in which companies might pay the ransom and why they shouldn't.

Why companies pay ransoms

Despite advice not to pay the ransom, 51% of organizations that suffered a ransomware attack paid the fee, according to a 2024 Ponemon Institute report.

Companies might opt to pay for the following reasons:

  • Faster recovery time. If data recovery takes too long and the company faces a lengthy, costly downtime, paying the ransom might be the quicker, cheaper alternative.
  • Damage to business. Ransomware can cause revenue loss and reputational harm. Announcing that a company got hit with ransomware could reduce customer confidence. For that reason, many organizations don't disclose whether they pay a ransom.
  • Excessive recovery costs. Paying a ransom is a business decision. If the costs to recover from a ransomware attack exceed the ransom payment, companies might take a chance.
  • To protect customer or employee data. Some attackers threaten to release sensitive data they exfiltrated to pressure companies to pay. Organizations that do not want customer and employee data exposed might pay to prevent it.

The following are examples of companies that paid the ransom:

  • In 2024, Change Healthcare paid the BlackCat ransomware-as-a-service (RaaS) group $22 million to restore its services.
  • In 2024, a Fortune 50 company paid $75 million of a purported $150 million ransom to Dark Angels after the group stole 100 TB of data. Bloomberg reported the victim was pharmaceutical giant Cencora, but the company has not confirmed or denied the allegation.
  • In 2023, Caesars Entertainment paid $15 million in an attack that used the ALPHV/BlackCat ransomware to steal data. The original demand is believed to be $30 million.

Why companies shouldn't pay ransoms

Paying the ransom often does more harm than good to the entire industry. There are also legal and ethical concerns to consider. While paying might look like a viable option in certain situations, organizations shouldn't pay for the following reasons:

  • It encourages attackers. Paying the ransom provides bad actors with more funds to run future attacks. Victim companies might even suffer repeat attacks if word gets out that they paid. Plus, as long as ransomware remains profitable, threat actors continue to use it.
  • It escalates payments. Ransomware groups often ask for multiple payments in double-extortion ransomware attacks. For example, the first payment is for decryption keys, and the second is to prevent attackers from publicly releasing the data.
  • Data isn't always returned. Even if a company pays, there's no guarantee that the attackers provide a decryption key or return the data. According to the Ponemon Institute report, only 13% of the 51% of organizations that paid the ransom recovered all their data.
  • Potential for future legal issues. Making payments could get companies in legal trouble. For example, some governments see paying ransomware attackers as funding terrorism, depending on the nation-state the group operates out of.

The following are examples of companies that refused to pay a ransom:

  • The Port of Seattle refused to pay the ransom after an August 2024 attack by the Rhysida ransomware gang but suffered outages for weeks.
  • Cleveland's city government did not pay the ransom and remained closed for 11 days while it restored systems after suffering an attack from an unknown ransomware gang in June 2024.
  • MGM Resorts International refused to pay the BlackCat RaaS following a September 2023 attack but faced an estimated $100 million in cleanup costs.

Is it legal to pay the ransom?

Despite recommendations not to pay, it's legal to pay ransoms in the U.S. — with some caveats.

The U.S. Department of the Treasury released a 2020 advisory that said companies could face future legal trouble if they engage with ransomware actors. For example, being involved in ransomware payments — whether as the victim, cyber insurance firm or financial institution — could potentially violate Office of Foreign Assets Control (OFAC) regulations.

OFAC said that not only does paying a ransom encourage further ransomware attacks, but organizations might be subject to civil penalties because paying a ransom could violate the International Emergency Economic Powers Act or the Trading with the Enemy Act if an organization engages in transactions with individuals or groups on OFAC's Specially Designated Nationals and Blocked Persons List.

Certain states, including Florida, North Carolina and Tennessee, also prohibit public sector organizations from paying a ransom.

Using cyber insurance and ransomware negotiation services

Many organizations purchase cyber insurance that covers ransomware to cover them in the event of an attack. Depending on the insurer and policy, cyber insurance can help with ransom payouts — for example, MGM Resorts said it expected its $100 million loss to be covered by its cyber insurance policy. Policies might also help with business downtime reimbursement and cyber forensics costs, as well as fees incurred for data recovery efforts, breach investigation, PR and more. Many insurers also offer prebreach services, such as vulnerability scanning, employee training and tabletop exercises.

It is important to note that cyber insurance is complicated. Companies without a policy might find it difficult to obtain one. Standalone cyber insurance premiums continue to increase as insurance companies have started to adjust the cost of premiums and coverage policies to overcome the high cost of ransomware payouts. Many insurers are also limiting coverage under certain scenarios and implementing various exclusions.

Cyber insurers also require that clients meet certain criteria. For example, most cyber insurance policies don't provide coverage to companies that don't follow ransomware prevention best practices. To meet policy requirements and even lower policy costs, organizations should ensure they implement MFA, data backups, patch management and other ransomware protection measures.

If organizations have already been hit by ransomware, they might opt to use ransomware negotiation services. These third-party brokers act as intermediaries between the company and the ransomware group to help with the following:

  • Determine whether the cybercriminals claiming responsibility for a successful attack are indeed the adversaries.
  • Pause the attack. Entering negotiations often involves attackers pausing attacks in progress, giving organizations time to investigate the impact of the attack and determine the feasibility of recovery.
  • Reduce ransom requests. For example, Caesars Entertainment paid only $15 million of the requested $30 million after its ransomware attack.

Note that ransomware negotiation services are not without challenges and don't always end successfully for the victim.

Can law enforcement help with ransomware?

Many law enforcement agencies assist organizations that have been the victim of a ransomware attack. For example, organizations can request information from CISA and use its ransomware response checklist to start the recovery process.

According to Sophos' "The State of Ransomware 2024" report, 97% of organizations that suffered a ransomware attack contacted and worked with law enforcement agencies. Of those organizations, 61% received advice on how to deal with ransomware, and 60% got help investigating the attack. Additionally, law enforcement agencies helped 58% of organizations that had their data encrypted recover that data.

Whether or not an organization decides to pay the ransom, the FBI and CISA request that ransomware victims notify law enforcement so they can track incidents and assist in future prosecution.

Kyle Johnson is technology editor for Informa TechTarget's SearchSecurity site.
