



Why you shouldn’t pay the ransomware fee

Jul 11, 2016 | 7 mins
Backup and Recovery | Cybercrime | Data and Information Security

What enterprises need to consider in deciding whether to pay a ransomware fee

[Image: stack of hundred-dollar bills. Credit: Thinkstock]

While most decision makers would prefer a simple yes or no when they ask whether they should pay, nothing in security is simple. By and large, the position of many industry leaders is that the ideal outcome is not to pay.

Security experts across the industry would like to see every enterprise, large and small, prepared for a hit so that it can recover its data without paying a ransomware fee. The question of whether to pay is tricky, though, because sometimes organizations are left with no other options.

When asked whether companies should ever pay a ransomware fee, Ryan Manship, security practice director at RedTeam Security said, “The first thing about ransomware is that it’s in many ways like terrorism. The US has a policy not to negotiate with terrorists. Where does that come from? Why does it exist? The reality is, you can’t trust the bad guys. You can’t trust them to do what they say they are going to do, which is to give back access to your data.”


True, there is the question of whether a single payment can be trusted to return the data as promised, but enterprises that are hit with ransomware also face the hard fact that an attack can make their most critical information inaccessible and, in some cases, unrecoverable.

“Some people might argue that paying is a viable option at that point,” Manship said. Even then, they have to consider whether they can trust the attacker to keep their word, and whether holding their data hostage turns into a recurring cycle.

Manship said, “There is no evidence that decrypting data means they are out of your system. Are they going to give you the key? How many times are they going to try to extort money out of you until they laugh and walk away and you are out of luck?”

Determining whether or not to pay is a call that is much easier to make in the hypothetical. Hospitals have been frequent targets of ransomware attacks of late, which presents a precarious situation for those who have to weigh the risks and rewards of recovery. One extreme consequence for the healthcare industry is that downtime could directly affect patient health.

Though it’s likely little help to say that every situation is different, Manship said, “I don’t presume to be able to predict the right action when people’s lives are on the line. I can’t presume to suggest the right course of action. Still though, I have to suggest that we don’t recommend that course of action because it sets a precedent and that’s a dangerous precedent to set.”

No industry wants to set the precedent that it is the most lucrative target, which is why a conversation in strict black-and-white terms of paying or not paying isn't feasible. “Every organization is different,” said Sean Mason, director, threat management and incident response, Cisco Security Services.

Government agencies and private enterprises have two very different ways of looking at the world. Mason said, “For government agencies ransomware is terrorism versus the private enterprise that has an obligation to their shareholders and customers.”

Whether to pay a ransomware fee really depends on the type of organization: if an attacker can come in and essentially shut it down, that is a significant impact with costly repercussions. Understanding the actual impact on the organization is important and ought not to be clouded by fear.

Many share the concerns of Mike Hanley, director of Duo Labs at Duo Security, who spoke about the continued attacks on hospitals. Hanley said that these attacks can directly affect patient health, but Mason isn't as convinced that there is a correlation.

“It’s easy to say that a hospital got hit and patient lives are at risk, but that is not necessarily the case. It can be down the road, but I have not read about or seen one where patient lives were at risk,” said Mason.

“I think there are a number of cases where they should pay, and I say that unfortunately. If there is an impact to human life, that’s a no brainer. You pay the ransom,” Mason said. 

Criminals prey on the fear of their victims whether the ransomware impacts patient health or shareholder profit. They know that every minute without access translates to some sort of loss, and they rely on the hope that their victims will pay, which is why paying should be a last resort.

Taking a firm stand that nobody will ever pay is neither realistic nor feasible, as proven by the fact that ransomware is a viable business model for criminals. “It works,” said Mason, “and to unilaterally say we won’t pay again is not in the realm of possibility.”

Instead, enterprises should prepare for an eventual attack so that they are well placed to recover and move on. Lance James, chief scientist at Flashpoint, noted that ransomware is a symptom of a bigger problem.


“There is malware that comes in before the ransomware drops in, like Pony, Dridex, or other information stealing malware, so those systems are already infected and they are stealing other data as well,” James said.

Many enterprises should be able to quickly recover without having to pay. “Paying is ill advised. There is already a security flaw if they are getting in the door. Hopefully those who have already been attacked will focus on thinking about the ransomware hit as a problem in their environment,” James said.

Those who have yet to be hit should treat a potential ransomware attack the way they would prepare for a server crash. James said, “They need to be thinking about which files matter, and if those are captured, do they have another way to get them.” Keep redundant copies of every file that matters, keep shadow copies, and hold a copy of that data off the network, where the ransomware cannot reach it.
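The recovery path James describes, as an added example that is not part of the article: build a hashed manifest of the files that matter, copy them to a location the production host should only read from, prove the backup restores before you need it, then detect and restore the damaged files after a simulated hit. All paths, file contents and the stand-in "encryptor" are constructed for the demo.

```python
"""Added example (not from the article): manifest -> backup -> restore test ->
simulated ransomware hit -> detect damage -> restore. Everything here is
constructed for the demo; the backup target is a temp directory standing in for
offline or immutable storage."""
import hashlib
import json
import os
import shutil
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Streamed SHA-256 so large files don't have to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path, critical: list[str]) -> dict:
    """Record the hash of every file the business says it cannot lose."""
    return {rel: sha256_of(root / rel) for rel in critical}


def backup(root: Path, manifest: dict, dest: Path) -> None:
    """Copy the manifested files plus the manifest itself to `dest`."""
    for rel in manifest:
        target = dest / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(root / rel, target)
    (dest / "manifest.json").write_text(json.dumps(manifest))


def verify_backup(dest: Path) -> list[str]:
    """The restore test: return files whose backup copy is missing or does not
    match the recorded hash. Empty list means every critical file is restorable."""
    manifest = json.loads((dest / "manifest.json").read_text())
    return [rel for rel, digest in manifest.items()
            if not (dest / rel).exists() or sha256_of(dest / rel) != digest]


def damaged_files(root: Path, dest: Path) -> list[str]:
    """Compare live files against the manifest: which ones no longer match?"""
    manifest = json.loads((dest / "manifest.json").read_text())
    return [rel for rel, digest in manifest.items()
            if not (root / rel).exists() or sha256_of(root / rel) != digest]


def restore(root: Path, dest: Path, rels: list[str]) -> None:
    """Put the known-good copies back where the live files were."""
    for rel in rels:
        (root / rel).parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(dest / rel, root / rel)


def simulate_ransomware(root: Path) -> None:
    """Constructed stand-in for an encryptor: overwrite every file under `root`
    with random bytes and rename it. No real encryption is performed."""
    for path in list(root.rglob("*")):
        if path.is_file():
            path.write_bytes(os.urandom(len(path.read_bytes()) or 16))
            path.rename(path.with_name(path.name + ".locked"))


def run_demo() -> dict:
    """End-to-end run on constructed data; returns the facts a test can check."""
    with tempfile.TemporaryDirectory() as tmp:
        root, dest = Path(tmp) / "live", Path(tmp) / "backup"
        root.mkdir()
        dest.mkdir()
        files = {"finance/ledger.csv": b"acct,amount\n1001,250.00\n",
                 "ops/runbook.md": b"# Runbook\nRestore from backup first.\n"}
        for rel, data in files.items():
            (root / rel).parent.mkdir(parents=True, exist_ok=True)
            (root / rel).write_bytes(data)
        manifest = build_manifest(root, list(files))
        backup(root, manifest, dest)
        before = verify_backup(dest)        # run this on a schedule, not once
        simulate_ransomware(root)
        hit = damaged_files(root, dest)
        restore(root, dest, hit)
        after = damaged_files(root, dest)
        return {"backup_ok_before": before == [],
                "files_damaged": sorted(hit),
                "files_still_damaged_after_restore": after}


if __name__ == "__main__":
    print(run_demo())
```

Run `run_demo()` against a real backup target on a schedule and you have a restore test rather than a hope. One caveat worth stating: Windows Volume Shadow Copies live on the same host, and many ransomware families delete them before encrypting, so they shorten recovery from small mistakes but do not replace a copy the infected host cannot write to.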

Criminals are making a lot of money with ransomware because they are waging psychological warfare on their victims. Rather than pay the fee to them, pay in advance to defend the endpoint, or pay a trusted forensics team to help with recovery. The bad guys know that no one wants to look like a fool, which is why, James said, many people have actually lied about being hit and paid the fee quietly.
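One concrete form of "defend at the endpoint", added here as an example and not drawn from the article or any vendor's product: a behavioural check over file-activity telemetry that fires on the encrypt-and-rename burst ransomware produces, and on any touch of a planted canary file. The event format, process names, canary paths and thresholds are assumptions for the demo.

```python
"""Added example (not from the article or any product): flag the encrypt-and-rename
burst that ransomware produces, plus any touch of a planted canary file, over
constructed file-activity events. Event fields, process names, canary paths and
thresholds are assumptions for the demo."""
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass(frozen=True)
class FileEvent:
    ts: float       # seconds since an arbitrary epoch
    process: str    # image name of the process that acted
    op: str         # "write", "rename" or "delete"
    path: str       # file touched


# Planted files that no legitimate process should ever modify (assumed paths).
CANARY_PATHS = {"/srv/share/finance/~canary.xlsx", "/srv/share/hr/~canary.docx"}
RENAME_THRESHOLD = 20    # distinct files renamed by one process ...
WINDOW_SECONDS = 10.0    # ... within this sliding window


def detect(events) -> list[str]:
    """Return one alert string per finding.

    Rule 1: any write/rename/delete of a canary file.
    Rule 2: one process renaming >= RENAME_THRESHOLD distinct files inside
            WINDOW_SECONDS (a user edits files; an encryptor churns through them).
    """
    alerts: list[str] = []
    recent: dict[str, deque] = defaultdict(deque)  # process -> queue of (ts, path)
    flagged: set[str] = set()                      # processes already reported
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.path in CANARY_PATHS and ev.op in ("write", "rename", "delete"):
            alerts.append(f"canary touched: {ev.process} {ev.op} {ev.path}")
        if ev.op != "rename" or ev.process in flagged:
            continue
        q = recent[ev.process]
        q.append((ev.ts, ev.path))
        while q and ev.ts - q[0][0] > WINDOW_SECONDS:   # drop events outside window
            q.popleft()
        if len({p for _, p in q}) >= RENAME_THRESHOLD:
            flagged.add(ev.process)
            alerts.append(f"mass rename: {ev.process} renamed {len(q)} files "
                          f"within {WINDOW_SECONDS:g}s")
    return alerts


def sample_events() -> list[FileEvent]:
    """Constructed telemetry: a benign backup job writing many files, then one
    process renaming a share's documents in quick succession and hitting a canary."""
    evs = [FileEvent(0.5 + i, "backupd.exe", "write", f"/backup/file{i}.bak")
           for i in range(30)]
    evs += [FileEvent(100.0 + i * 0.1, "svchost32.exe", "rename", f"/srv/share/doc{i}.docx")
            for i in range(25)]
    evs.append(FileEvent(103.0, "svchost32.exe", "write", "/srv/share/finance/~canary.xlsx"))
    return evs


if __name__ == "__main__":
    for line in detect(sample_events()):
        print(line)
```

The backup job writes thirty files and produces no alert, because writes are not renames; the second process trips the rename rule on its twentieth file and the canary rule shortly after. Tune the threshold and window against a week of your own telemetry before wiring the alert to an automated host-isolation action.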

Rather than succumb to the psychological coercion, James said, “There needs to be more situational awareness. It’s OK to get hit. It’s OK to talk about it, and it’s OK to have a plan and to not hide it. The alternative is that they are creating a hot spot for ransomware getting worse when criminals realize what else they can make people do whether that means blackmail or causing the company harm.”

Organizations need to remember that paying the ransom does not guarantee they will get their data unlocked, or unlocked without further impact. They are, after all, dealing with criminals.


Kacy Zurkus is a freelance writer for CSO and has contributed to several other publications including The Parallax, and K12 Tech Decisions. She covers a variety of security and risk topics as well as technology in education, privacy and dating. She has also self-published a memoir, Finding My Way Home: A Memoir about Life, Love, and Family under the pseudonym "C.K. O'Neil."

Zurkus has nearly 20 years' experience as a high school English teacher and holds an MFA in Creative Writing from Lesley University (2011). She earned a Master's in Education from the University of Massachusetts (1999) and a BA in English from Regis College (1996). Recently, the University of Southern California invited Zurkus to give a guest lecture on social engineering.

The opinions expressed in this blog are those of Kacy Zurkus and do not necessarily represent those of IDG Communications, Inc., its parent, subsidiary or affiliated companies.
