Ransomware and Beyond series

The Ultimate Ransomware Question: to Pay or Not to Pay the Ransom?

It may not be an age-old question, but it’s an important one nonetheless: if you’re targeted by a ransomware attack, should you pay up? There are proponents on either side of the argument. The FBI, for example, makes it clear that they do not support paying ransom in the event of an attack.

For the most part, it looks like the public is taking that advice. According to a survey carried out by Pulse, 71% of respondents have worked in an organization that has experienced a ransomware attack, and in 63% of those cases, no ransom was paid.

But there are still victims who do choose to pay the ransom (13% of those surveyed by Pulse), and the fact that ransomware still exists at all means that attackers are at least seeing some benefit from continuing to demand money from their victims.

As Emsisoft notes on their blog, while no one wants to have to pay ransom, sometimes there’s no alternative. Some organizations don’t have a disaster recovery plan in place, and in others, the backups themselves get infected. In other scenarios, ransomware is so disruptive that the organization completely stalls out, and their only hope of getting back in action is to pay the fee.

These are just a few situations where the benefits of paying the ransom may outweigh any alternative. Again, the Pulse data aligns with this thinking: 51% of respondents said that organizations should only pay a ransom if all other options have been exhausted.

We spoke to Fabian Wosar, Emsisoft’s CTO, to learn more about the nuances of this issue. “The most obvious reason that any company has for paying the ransom is that their livelihood depends on it,” he says. “I’ve talked with private hospitals, for example, where the director told me, ‘If the alternative is even one single patient dying, I’m going to pay right away.’” When you put it that way, it becomes all the more clear that it’s not just a black and white situation.

Paying up doesn’t mean a full recovery

Things get more complicated when you consider that the vast majority of victims who do pay the ransom will not get all of their data restored. As Kaspersky reported this year, only 29% of those polled got all their data back, whether they paid the ransom or not.

Fabian adds that while it’s possible to get close to 100% restoration, the spectrum of how much data you’ll actually get back is pretty wide. “Anything can happen,” he says. “Maybe the ransomware destroyed your data during encryption, or maybe the threat actor lost your decryption key. These are things that can and have happened.”

Ultimately, while some organizations have no choice but to pay the ransom, doing so is still a gamble, and it still doesn’t guarantee that you’ll get back to normal in a timely manner—if at all.

Prevention is key, but not a guarantee

Let’s get one hard truth out of the way: You can do all the right things to prevent ransomware and still get hit by it. It even happens to MSPs, who are arguably more informed and prepared than anyone about things like this.

According to Fabian, the best you can do is be prepared in the event that you do get attacked, which means having backups that work. “You can back up your data locally, but you also need to mirror those backups to an outside location that you can’t easily access,” he says. Additionally, they should be set up in a way that even you can’t mess with. “You should only be able to upload—and not delete—any data,” he says. “Because if you can get around it, a threat actor will, too.”
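The "upload but not delete" rule can be enforced through the permissions granted to the backup host rather than through good intentions. The following Python is an added example, not code from this article or from Emsisoft: it inspects an AWS-style IAM policy document and lists every action that would let the backup identity delete or tamper with existing backups. Both policy documents, the bucket name example-backups, and the list of actions treated as destructive are assumptions constructed for illustration.

```python
"""Check whether a backup host's policy is append-only (upload but never delete).

Added example, not from the article. The two policies below are constructed:
WEAK_POLICY grants everything on the bucket, APPEND_ONLY_POLICY grants only
what a backup job needs to write and list.
"""
import fnmatch

# Actions that would let a compromised backup host destroy or loosen protection
# on existing backups. Any 'Allow' matching one of these is a finding.
DESTRUCTIVE_ACTIONS = {
    "s3:DeleteObject",
    "s3:DeleteObjectVersion",
    "s3:DeleteBucket",
    "s3:PutBucketPolicy",
    "s3:PutLifecycleConfiguration",   # expiry rules are deletion on a timer
    "s3:PutBucketVersioning",         # suspending versioning re-enables overwrite
    "s3:PutObjectRetention",          # shortening retention on locked objects
    "s3:BypassGovernanceRetention",
}

# Constructed: the 'weak' setting, a wildcard grant on the backup bucket.
WEAK_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "s3:*",
            "Resource": [
                "arn:aws:s3:::example-backups",
                "arn:aws:s3:::example-backups/*",
            ],
        }
    ],
}

# Constructed: the corrected setting, write and list only.
APPEND_ONLY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": ["s3:PutObject", "s3:ListBucket", "s3:GetBucketLocation"],
            "Resource": [
                "arn:aws:s3:::example-backups",
                "arn:aws:s3:::example-backups/*",
            ],
        }
    ],
}


def allowed_destructive_actions(policy: dict) -> set:
    """Return the destructive actions that some 'Allow' statement grants.

    IAM action names are case-insensitive and may be wildcards ('*', 's3:*',
    's3:Delete*'), so each pattern is matched against the full action list.
    Deny statements and Condition blocks are deliberately ignored: the check
    over-reports rather than under-reports, which is the safe direction for a
    backup-destination review.
    """
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):      # a single statement may be a bare object
        statements = [statements]
    found = set()
    for stmt in statements:
        if stmt.get("Effect") != "Allow":
            continue
        patterns = stmt.get("Action", [])
        if isinstance(patterns, str):
            patterns = [patterns]
        for pattern in patterns:
            for action in DESTRUCTIVE_ACTIONS:
                if fnmatch.fnmatchcase(action.lower(), pattern.lower()):
                    found.add(action)
    return found


def is_append_only(policy: dict) -> bool:
    """True when no statement grants any destructive action."""
    return not allowed_destructive_actions(policy)


if __name__ == "__main__":
    for name, policy in (("weak", WEAK_POLICY), ("append-only", APPEND_ONLY_POLICY)):
        bad = sorted(allowed_destructive_actions(policy))
        print(f"{name}: {'OK' if not bad else 'FINDINGS: ' + ', '.join(bad)}")
```

A policy that passes this check is necessary but not sufficient: on an unversioned bucket, s3:PutObject alone still overwrites an existing object, which is deletion by another name, so the destination also needs versioning (and, where available, object locking) turned on, and that setting lives on the bucket rather than in the identity's policy.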

Having these backups in place also requires regular testing to make sure you can restore them—but that’s not all that should be tested. “You need to come up with a playbook,” says Fabian. “Figure out the interdependencies of your services and servers so that you can rebuild everything.” This includes identifying any regulatory requirements, figuring out who needs to be informed in the event of an attack, and creating an action plan for restoring services. “The worst time to figure all this out is when everything is down,” he adds. “Going through these exercises ahead of time will save you a lot of stress in an already stressful time.”
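Writing down the interdependencies of services and servers is what turns a list of backups into a rebuild order. The Python below is an added example, not part of this article or of any vendor's tooling: it takes a constructed dependency map (every service name in it is an assumption), computes the waves in which services can be restored in parallel, reports which services go down with a given one, and refuses a map that contains a circular dependency, which is exactly the kind of surprise the playbook exercise is meant to surface ahead of time.

```python
"""Derive a restoration order from a service dependency map.

Added example, not from the article. The map is constructed for illustration:
each key is a service and its value lists what that service needs running first.
Uses only the standard library (graphlib, Python 3.9+).
"""
from collections import deque
from graphlib import CycleError, TopologicalSorter

# Constructed inventory: service -> services it depends on.
SERVICE_DEPENDENCIES = {
    "dns": [],
    "storage": [],
    "ad-domain-controller": ["dns"],
    "hypervisor": ["storage", "dns"],
    "file-server": ["hypervisor", "ad-domain-controller"],
    "database": ["hypervisor"],
    "email": ["ad-domain-controller", "dns"],
    "erp-app": ["database", "ad-domain-controller"],
}


def rebuild_waves(deps: dict) -> list:
    """Group services into waves; everything in a wave can be rebuilt in parallel
    once the previous waves are up. Raises graphlib.CycleError on a cycle."""
    ts = TopologicalSorter(deps)
    ts.prepare()                      # validates the graph, raises on a cycle
    waves = []
    while ts.is_active():
        ready = sorted(ts.get_ready())  # sorted for a stable, reviewable plan
        waves.append(ready)
        ts.done(*ready)
    return waves


def has_cycle(deps: dict) -> bool:
    """True when the map can never be fully rebuilt because A needs B needs A."""
    try:
        TopologicalSorter(deps).prepare()
        return False
    except CycleError:
        return True


def dependents(deps: dict, service: str) -> set:
    """Every service that is (transitively) unavailable while `service` is down."""
    reverse = {name: set() for name in deps}
    for name, needs in deps.items():
        for need in needs:
            reverse.setdefault(need, set()).add(name)
    seen, queue = set(), deque([service])
    while queue:
        current = queue.popleft()
        for child in reverse.get(current, ()):
            if child not in seen:
                seen.add(child)
                queue.append(child)
    return seen


if __name__ == "__main__":
    for number, wave in enumerate(rebuild_waves(SERVICE_DEPENDENCIES), start=1):
        print(f"wave {number}: {', '.join(wave)}")
    print("down with dns:", sorted(dependents(SERVICE_DEPENDENCIES, "dns")))
```

The wave listing doubles as the restore-test schedule: testing that wave 1 services come back from backup is worth little if nothing in wave 2 has ever been restored on top of them.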

Ultimately, the choice is yours

We can’t tell you definitively whether or not you should pay the ransom, should you be unlucky enough to get targeted by an attack. Only you can decide. Either way, it’s important to maintain healthy expectations. Paying the ransom won’t guarantee you’ll be up and running quickly (or at all). And ransom fees aside, the costs of enduring an attack can be catastrophically high.

While you can only do so much to protect your organization, making sure that you take the time to build a resiliency plan, back up your data, and implement the right preventative security measures can go a long way in saving you pain down the road.
