March 9, 2024

To pay or not to pay ransomware demands?

NetworkTigers argues for and against paying off ransomware demands.

Whether or not you should pay a ransomware demand is one of the highest-stakes decisions your business might ever make. Many considerations are at play, including what you might lose, whether or not paying can resolve the issue, or whether it simply invites further criminal activity. The FBI advises against paying ransomware demands in any situation. However, cybersecurity experts’ opinions are divided on whether to pay up when network operations and stolen data are at risk.

Ransomware demands on the rise

There has been a significant increase in ransomware attacks in the United States and worldwide. In 2023, 72.7% of businesses worldwide reported being targeted by a ransomware attack at least once. This represents a significant increase since 2018, when just 55.1% of businesses reported fending off a ransomware attack. Even more alarmingly, the percentage of successful ransomware efforts has risen from 2018 to 2023 by 17.6%. The top 5 countries facing the most successful ransomware hacks are India, Austria, the United States, Israel, and Turkey.

One of the largest known hacking groups, DarkSide, has reportedly made off with $90 million from 47 different individuals and companies that agreed to pay their demands. For instance, Colonial Pipeline paid the same hackers $4.5 million after a ransomware claim that blocked the transportation of fuel supplies. CWT Global matched that amount in July 2020, paying the Ragnar Locker gang in one of the largest ransomware payments ever.

Tracking ransomware payments

Wouldn’t paying ransoms to cybercriminals help law enforcement track them down? Some criminologists argue that paying ransoms can help create a paper trail back to the source of the crime. However, ransomware payments are usually demanded in Bitcoin or other cryptocurrencies that are encrypted for anonymity. Because of this, ransomware payments are notoriously tricky to track and are stored in highly protected and anonymized digital wallets. 

Arguments for paying ransomware demands

Cybersecurity experts are divided as to what should be done when a company receives a ransomware request. In 2016, the first-ever ransomware hack that jeopardized human life occurred at Hollywood Presbyterian Medical Centre. The threat actors warned that if the ransom was not paid, they would turn off life support machines at the hospital. Even though the hospital denied that its most sensitive systems had been breached, the board still chose to pay the ransom that the cybercriminals demanded. The payment, issued after a week, was just 40 Bitcoin, worth $17,000 at the time; today, it is valued at closer to $500,000.

Some reasons why you might pay a ransomware demand, other than immediate and present danger to life, include: 

  • Time-sensitive operations: Ransomware hold-ups take a long time to resolve and even longer to protect from future intrusion. Some CEOs and companies decide to pay to shorten the period that their company is taken offline in a ransomware hack. 
  • Preventing further privacy leaks: Some ransomware criminals steal private financial or proprietary information and threaten to sell it on the dark web if their demands are unmet. Some companies agree to pay ransomware claims in an attempt to prevent an additional leak, as well as to protect consumer information that has been accessed. 
  • Exchange of vulnerability information: Some negotiators may be able to include information about system vulnerabilities as part of the ransomware payment exchange. Some companies argue that learning about how, why, and where they were breached is critical to implementing more robust defenses for the future. 

Arguments against paying ransomware demands

The Hollywood Presbyterian Medical Centre case was unique in that it may have put human life at risk, and for that reason, many believed that paying the ransom was justified. However, data security experts flagged that ransomware attacks rose by 6,000% in the immediate aftermath of that ransomware payment. In the years following, 70% of businesses that were breached elected to pay the ransom that the gang demanded. 

Data security experts agree that paying ransomware demands only fuels the fire of cybercriminal activity. However, what individual businesses should do to face the problem remains a difficult question to answer. Some additional arguments against paying ransomware demands include: 

  • Presence of backups: If your company has separate and complete copies of the data infiltrated by ransomware, you may consider the cost of paying too high. 
  • Lack of verified data release: Ransomware claims can be like a poker game – don’t fold to a bluff, cybersecurity experts advise. Before you even consider paying a ransomware claim, ensure that data has genuinely been stolen and that you face a real and credible threat to operations. 
  • Protecting your reputation: Companies that give in to ransomware demands risk losing consumer trust. They may also find themselves victimized in the future by the same ransomware gang or their criminal counterparts, having shown themselves to be a fruitful target.
  • Lack of support from law enforcement: It is important to reiterate that the FBI never advises paying a ransom. Law enforcement will not back up your decision to pay a ransom demand, nor will it guarantee that your data will be returned.
  • Ongoing demands: Once you have given in to a ransom, there is no guarantee that the cybercriminal will follow through on their promises. They may continue to extort you for future payments. 

International efforts to prevent paying ransomware demands

The United States is one of 40 countries that have allied against cybercriminals. The International Counter Ransomware Initiative is a pledge between different governments not to pay ransomware demands when they occur. Countries that are part of the agreement will share a blacklist through the US Department of the Treasury that will flag cryptocurrency payments and digital wallets used to pay ransomware demands. 

The International Counter Ransomware Initiative attempts to unify the global response against ransomware and meet demands with a resounding “no.” By refusing to pay ransomware demands, world leaders hope to drain the pool of cybercriminal funds and disincentivize ransomware claims from continuing to grow in popularity and payment size. Companies that continue to pay ransomware claims may find themselves in the minority in the future. 

Gabrielle West
Gabrielle West is an experienced tech and travel writer currently based in New York City. Her work has appeared on Ladders, Ultrahuman, and more.
