8 questions to answer before paying a ransomware demand

Oct 24, 2019

Consider these factors before deciding to pay a ransom after a ransomware attack. Better yet, know where you stand before one hits you.

[Image: an encrypted system, held ransom with lock and chain, displays a dollar sign. Credit: Tomas Knopp / Getty Images]

Until the last few years, conventional wisdom said never to pay the ransom that ransomware criminals demanded, because it only encourages them. Despite those warnings, it was rumored that somewhere around 40% of all ransomware victims paid the ransom.

Now, it seems, many impacted companies have been paying the ransom, and the very few who didn’t probably wish they had. There is evidence that ransomware recovery companies who claim to help recover environments without paying the ransom are often paying the ransom and getting the decryption key in secret.

Who’s paying ransoms?

I spoke with John Mullen, of Mullen Coughlin, who has been involved with thousands of cybersecurity incident responses in his career. His firm handled over 1,200 privacy matters last year and will handle over 1,500 in 2019.

I asked Mullen if he’s seen that 40% figure go up recently. “It was never 40% or 50%. I don’t know where that number came from. It was always higher. Most companies pay the ransom when faced with the decision to pay or close down. They typically make the payment because they don’t have another valid continuing business option. Pay it or be out of business for days, weeks or longer.” Mullen adds that no one knows the actual percentage of companies that pay the ransoms, but he has “little doubt” it is rising.

I mentioned that law enforcement presentations frequently recommend not paying the ransom no matter what. “When you speak with individual experienced law enforcement off the record, that is rarely what they say,” says Mullen. “Most will admit that it’s often better for the victim to pay the ransom. The reality is that people are paying because they don’t have another good option.”

One reason people pay, according to Mullen, is that attackers are getting better at maximizing the damage ransomware causes. “Today, the attackers are accessing systems, running reconnaissance, and identifying critical pain points in order to maximize the impact of their attacks,” he says. “These types of attacks make it harder than ever to repair or recover. The percentage of people who pay the ransom is higher now because the bad guys are better.”

Recent studies back up John’s claims. All show that most companies spend far more time, money, and resources (one report says the average company spends 23 times more) recovering from ransomware without the key than if they had just paid the ransom from the start.

You might think that the decision on whether to pay the ransom comes down to whether you have a good tested backup, but it’s more than that.

How to determine if you should pay a ransomware demand

Here’s what you should think about before deciding whether to begin ransomware recovery without paying the ransom:

1. Does your company have a ransomware policy?

What is your organization’s policy on paying ransom? If your company has a written, unshakable policy against paying the ransom, then you have your answer. If you know that, despite a written policy, senior management is not going to tolerate spending 23 times the money and resources that paying the ransom would cost, and is likely to create an exception if put on the spot, then consider that, too. Many companies have stuck to their non-ransom-paying commitment and had to endure weeks of downtime. It’s one thing to say it and another to live it when operations are down.

2. How bad is the damage?

Did they just get a few critical machines or did they pull the heart out of your operation? Can you prevent further damage? Can you stop the bad guy from getting back in? Do you need to shut down your ingress points, change all passwords, and do a network scrub for malware and malicious network connections? How confident are you that you know the extent of the damage and the reach?

3. How good are your restore capabilities?

Even if you have an awesome backup, have you ever truly done a complete test restore of all the impacted critical assets? How long will it take to restore? How can you be assured the restores don’t contain backdoors that let the bad guys back in? How long will it take you to do the restores and the necessary unit testing? Are all your most recent backups online and also reachable by the criminal?

These days ransomware criminals are whacking all your online tape restores, from the most recent online copies to the supposedly “trusted” offline copies. I’ve heard of ransomware criminals changing the legitimate encryption key that the company is using to encrypt their data during the backup process.

Every company should be encrypting all data backups (again, it’s a compliance requirement of every regulation). The attackers are changing the encryption keys to those backups without the victim noticing. The victims go about their normal data backup routines, not noticing that the encryption keys have been modified. All the data backups for days to months get encrypted with the wrong encryption key. Then, right before the ransomware attack is kicked off, they change the keys again. This way, even long-ago stored offline data backups are unrecoverable.

So, when I ask whether you have a good data restore ready to go, I mean that you have to check everything.
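One way to do that check, as an added example that is not from the article: a test-restore routine that tries to decrypt and authenticate a verification block from every backup generation using the key held in offline escrow, and reports which generations no longer open with it. The cipher (a hash-based stream cipher with an HMAC tag), the key values and the six-day sample chain are constructed here for illustration, not any real backup product’s format.

```python
import hashlib
import hmac

def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Hash-based counter-mode keystream (toy construction for this demo)."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(8, "big")).digest()
        counter += 1
    return out[:length]

def encrypt_backup(key: bytes, nonce: bytes, plaintext: bytes) -> dict:
    """Encrypt-then-MAC: returns a backup record {nonce, ciphertext, tag}."""
    ct = bytes(p ^ k for p, k in zip(plaintext, keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return {"nonce": nonce, "ciphertext": ct, "tag": tag}

def try_restore(key: bytes, record: dict):
    """Return the plaintext if the tag verifies under this key, else None."""
    expected = hmac.new(key, record["nonce"] + record["ciphertext"], hashlib.sha256).digest()
    if not hmac.compare_digest(expected, record["tag"]):
        return None  # wrong key (or tampered record): this generation is unrecoverable
    ks = keystream(key, record["nonce"], len(record["ciphertext"]))
    return bytes(c ^ k for c, k in zip(record["ciphertext"], ks))

def verify_backup_chain(escrowed_key: bytes, chain: list) -> list:
    # Test-restore every generation with the escrowed key; list the ones that fail.
    unrecoverable = []
    for label, record in chain:
        if try_restore(escrowed_key, record) is None:
            unrecoverable.append(label)
    return unrecoverable

# Constructed sample: a six-day backup chain. Days 1-3 were written with the
# organisation's escrowed key; from day 4 the backup job's key was silently swapped.
REAL_KEY = hashlib.sha256(b"escrowed-backup-key-sample").digest()
SWAPPED_KEY = hashlib.sha256(b"substituted-key-sample").digest()

def build_sample_chain() -> list:
    chain = []
    for day in range(1, 7):
        key = REAL_KEY if day <= 3 else SWAPPED_KEY
        nonce = day.to_bytes(16, "big")
        chain.append((f"day{day}", encrypt_backup(key, nonce, f"payroll-db-snapshot-day{day}".encode())))
    return chain

if __name__ == "__main__":
    print(verify_backup_chain(REAL_KEY, build_sample_chain()))  # ['day4', 'day5', 'day6']
```

Run this against every generation you intend to rely on, including the offline copies, and treat any failure as a restore you do not have.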

4. Do you have a business continuity plan in place?

Will your business continuity plan (BCP) handle the ransomware event in case you don’t pay the ransom? If not, that means more downtime and more alternative data processes. How much downtime can your BCP handle or cover? If the estimated downtime exceeds the BCP’s ability to handle it, do you pay the ransom right from the start?

5. Do you have senior management support?

Whether you pay the ransom or not, do you have senior management and board support for the action? I’ve seen a lot of CISO heads roll because of ransomware attacks. They might love you while everything is running fine, but if you have to tell them that your supposedly excellent data backups and restores aren’t that viable and they could be down for days to weeks, will they still have confidence in you? I’ve seen CISOs fired during the recovery event.

6. Do you have the necessary staff?

Whether you pay the ransom or not, you will need all hands on board to help recover. If you don’t pay the ransom, you will need just that much more help. Companies like Mullen Coughlin can help provide the needed adjunct staff and expertise, but do you have the money and time?

7. Will paying the ransom do any good?

When you pay the ransom, the ransomware gangs usually give you the keys that unlock your systems and do so consistently. Otherwise, no one would pay the ransom. They are forced to be gentlemen criminals.

But there are edge cases where paying the ransom doesn’t work. I have heard of some cases where the payer got the decryption key, but the recovery process did not work or required so much additional recovery work that it made paying the ransom almost worthless.

If you can, speak to a ransomware expert to find out how the recoveries went for other people who paid the ransom to the same criminal groups. The most knowledgeable ransomware fighters are clued into when paying the ransom works and when it doesn’t. Get an expert opinion on the exact malware program you are dealing with first.

8. Do you have cybersecurity insurance that covers paying the ransom?

If your cybersecurity insurance carrier does cover paying the ransom, who decides? As I’ve covered previously, some cybersecurity insurance policies don’t cover acts caused by social engineering (the most popular type) or offer a very reduced damage payment.

Don’t publicly announce that you’ve got cybersecurity insurance and especially how much you have, like when Baltimore announced it is getting $20 million in cybersecurity insurance. Public disclosure is often required for such things — welcome to government life — but if you can hide that fact, do it. Criminals will only use that as a floor negotiation point. If your cybersecurity insurance policy is online, move it to safe, quickly accessible offline storage. No need to let the bad guys find it before they launch their attack.

Whether to pay a ransom demand is most often a simple business decision. Far too many companies aren’t prepared, and paying the ransom seems to be the easiest and quickest way out for most. Pick your best path.


Roger A. Grimes is a contributing editor. Roger holds more than 40 computer certifications and has authored ten books on computer security. He has been fighting malware and malicious hackers since 1987, beginning with disassembling early DOS viruses. He specializes in protecting host computers from hackers and malware, and consults to companies from the Fortune 100 to small businesses. A frequent industry speaker and educator, Roger currently works for KnowBe4 as the Data-Driven Defense Evangelist and is the author of Cryptography Apocalypse.
