Until the last few years, conventional wisdom said never to pay the ransom that ransomware criminals demand, because it only encourages them. Despite those warnings, it was rumored that somewhere around 40% of all ransomware victims paid. Now it seems that many impacted companies have been paying the ransom, and the very few who didn't probably wish they had. There is evidence that ransomware recovery companies who claim to help recover environments without paying the ransom are often paying the ransom and getting the decryption key in secret.

Who's paying ransoms?

I spoke with John Mullen, of Mullen Coughlin, who has been involved with thousands of cybersecurity incident responses in his career. His firm handled over 1,200 privacy matters last year and will handle over 1,500 in 2019.

I asked Mullen if he's seen that 40% figure go up recently. "It was never 40% or 50%. I don't know where that number came from. It was always higher. Most companies pay the ransom when faced with the decision to pay or close down. They typically make the payment because they don't have another valid continuing business option. Pay it or be out of business for days, weeks or longer." Mullen adds that no one knows the actual percentage of companies that pay the ransoms, but he has "little doubt" it is rising.

I mentioned that law enforcement presentations frequently recommend not paying the ransom no matter what. "When you speak with individual experienced law enforcement off the record, that is rarely what they say," says Mullen. "Most will admit that it's often better for the victim to pay the ransom. The reality is that people are paying because they don't have another good option."

One reason people pay, according to Mullen, is that attackers are getting better at maximizing the damage ransomware causes.
"Today, the attackers are accessing systems, running reconnaissance, and identifying critical pain points in order to maximize the impact of their attacks," he says. "These types of attacks make it harder than ever to repair or recover. The percentage of people who pay the ransom is higher now because the bad guys are better."

Recent studies back up Mullen's claims. They show that most companies spend far more time, money, and resources (one report says the average company spends 23 times more) recovering from ransomware without the key than if they had just paid the ransom from the start.

You might think that the decision on whether to pay the ransom comes down to whether you have a good, tested backup, but it's more than that.

How to determine if you should pay a ransomware demand

Here's what you should think about before deciding whether to begin ransomware recovery without paying the ransom:

1. Does your company have a ransomware policy?

What is your organization's policy on paying ransom? If your company has a written, unshakable policy against paying, then you have your answer. If you know that, despite a written policy, senior management is not going to tolerate spending 23 times more money and resources than paying the ransom would cost, and is likely to create an exception when put on the spot, then consider that, too. Many companies have stuck to their non-ransom-paying commitment and had to endure weeks of downtime. It's one thing to say it and another to live it when operations are down.

2. How bad is the damage?

Did they just get a few critical machines, or did they pull the heart out of your operation? Can you prevent further damage? Can you stop the bad guy from getting back in? Do you need to shut down your ingress points, change all passwords, and do a network scrub for malware and malicious network connections? How confident are you that you know the extent of the damage and its reach?

3. How good are your restore capabilities?

Even if you have an awesome backup, have you ever truly done a complete test restore of all the impacted critical assets? How long will it take to restore? How can you be assured the restores don't contain backdoors that let the bad guys back in? How long will it take you to do the restores and the necessary unit testing? Are all your most recent backups online, and therefore also reachable by the criminal?

These days ransomware criminals are destroying all your backups, from the most recent online copies to the supposedly "trusted" offline copies. I've heard of ransomware criminals changing the legitimate encryption key that the company is using to encrypt its data during the backup process. Every company should be encrypting all data backups (again, it's a compliance requirement of nearly every regulation). The attackers change the encryption key used for those backups without the victim noticing, and the victim's normal backup routine carries on with the modified key. All the data backups for days to months get encrypted with the wrong key. Then, right before the ransomware attack is kicked off, they change it again. This way even the long-stored offline data backups are unrecoverable. A key swap like this is only caught by a test restore performed with a copy of the key held somewhere the backup host cannot reach, not with whatever key the backup job currently holds.

So, when I ask whether you have a good data restore ready to go, I mean you have to check everything.

4. Do you have a business continuity plan in place?

Will your business continuity plan (BCP) handle the ransomware event in case you don't pay the ransom? If not, that means more downtime and more alternative data processes. How much downtime can your BCP handle or cover? If the estimated downtime exceeds the BCP's ability to handle it, do you pay the ransom right from the start?

5. Do you have senior management support?

If you do or don't pay the ransom, do you have senior management and board support for the action?
I've seen a lot of CISO heads roll because of ransomware attacks. They might love you while everything is running fine, but if you have to tell them that your supposedly excellent data backups and restores aren't that viable and they could be down for days to weeks, will they still have confidence in you? I've seen CISOs fired during the recovery event.

6. Do you have the necessary staff?

Whether you pay the ransom or not, you will need all hands on deck to help recover. If you don't pay the ransom, you will need that much more help. Companies like Mullen Coughlin can help provide the needed adjunct staff and expertise, but do you have the money and time?

7. Will paying the ransom do any good?

When you pay the ransom, the ransomware gangs usually give you the keys that unlock your systems, and they do so consistently. Otherwise, no one would pay the ransom. They are forced to be gentlemen criminals.

But there are edge cases where paying the ransom doesn't work. I have heard of some cases where the payer got the decryption key, but the recovery process did not work or required so many additional recovery actions that it made paying the ransom almost worthless. If you can, speak to a ransomware expert to find out how recoveries went for other victims who paid the same criminal group. The most knowledgeable ransomware fighters know when paying the ransom works and when it doesn't. Get an expert opinion on the exact malware program you are dealing with first.

8. Do you have cybersecurity insurance that covers paying the ransom?

If your cybersecurity insurance carrier does cover paying the ransom, who decides?
As I've covered previously, some cybersecurity insurance policies don't cover acts caused by social engineering (the most popular type) or offer a very reduced damage payment.

Don't publicly announce that you've got cybersecurity insurance, and especially not how much you have, as when Baltimore announced it was getting $20 million in cybersecurity insurance. Public disclosure is often required for such things (welcome to government life), but if you can hide that fact, do it. Criminals will use that figure as the floor in negotiations. If your cybersecurity insurance policy is stored online, move it to safe, quickly accessible offline storage. No need to let the bad guys find it before they launch their attack.

Whether to pay a ransom demand is most often a simple business decision. Far too many companies aren't prepared, and paying the ransom seems to be the easiest and quickest way out for most. Pick your best path.
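Item 3 above warns that an attacker who quietly swaps the key your backup job uses can leave months of backups unreadable, and that only a real test restore proves otherwise. The following script is an added example, not code from this article or from Mullen Coughlin. It shows the check in working form: every backup is test-restored against a copy of the key escrowed offline when it was provisioned, rather than against whatever key currently sits on the backup host. The cipher is a stand-in (a SHA-256 counter-mode keystream) so the script runs with the Python standard library alone; a real pipeline would use an AEAD such as AES-GCM. The five-day backup run, the key substitution on day 3, and the forged key fingerprint on days 4 and 5 are all constructed for the demonstration.

```python
"""Test-restore every backup against an offline escrow key to catch a silent key swap.

Added example for the restore-capability check; the cipher is a stand-in so the
script runs with the standard library only. The escrow step is the point: the
backup host's key can be replaced by an intruder, the offline copy cannot.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, replace


def _keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Stand-in symmetric cipher: XOR data with SHA-256(key || nonce || counter).
    Encryption and decryption are the same operation."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        block_key = hashlib.sha256(key + nonce + offset.to_bytes(8, "big")).digest()
        out.extend(b ^ k for b, k in zip(data[offset:offset + 32], block_key))
    return bytes(out)


def key_fingerprint(key: bytes) -> str:
    """Public identifier for a key; safe to record beside every backup."""
    return hashlib.sha256(b"backup-key-fingerprint" + key).hexdigest()[:16]


@dataclass(frozen=True)
class Backup:
    label: str
    nonce: bytes
    ciphertext: bytes
    tag: str               # HMAC over nonce||ciphertext, keyed with the key the job used
    key_fp: str            # fingerprint of the key the backup job actually used
    plaintext_digest: str  # SHA-256 of the data before encryption


def make_backup(label: str, plaintext: bytes, key_on_host: bytes) -> Backup:
    """What the nightly job does: encrypt with whatever key is on the backup host."""
    nonce = secrets.token_bytes(16)
    ciphertext = _keystream_xor(key_on_host, nonce, plaintext)
    tag = hmac.new(key_on_host, nonce + ciphertext, hashlib.sha256).hexdigest()
    return Backup(label, nonce, ciphertext, tag,
                  key_fingerprint(key_on_host), hashlib.sha256(plaintext).hexdigest())


def verify_restore(backup: Backup, escrow_key: bytes) -> str:
    """Test-restore one backup with the offline escrow key; returns a status string."""
    if backup.key_fp != key_fingerprint(escrow_key):
        return "KEY_MISMATCH"   # the job honestly recorded a key we never escrowed
    expected_tag = hmac.new(escrow_key, backup.nonce + backup.ciphertext,
                            hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected_tag, backup.tag):
        return "TAMPERED"       # metadata says our key, but the escrow key does not verify it
    restored = _keystream_xor(escrow_key, backup.nonce, backup.ciphertext)
    if hashlib.sha256(restored).hexdigest() != backup.plaintext_digest:
        return "RESTORE_FAILED"  # decrypts but does not match what was backed up
    return "OK"


def audit_backups(backups: list, escrow_key: bytes) -> dict:
    """Run the test restore over a whole backup set; label -> status."""
    return {b.label: verify_restore(b, escrow_key) for b in backups}


def simulate_key_swap() -> dict:
    """Constructed scenario: the intruder replaces the key on the backup host before
    the day-3 run, and from day 4 also copies the old key fingerprint into the
    backup metadata so a fingerprint-only check would pass."""
    legit_key = secrets.token_bytes(32)
    escrow_key = legit_key                 # offline copy taken when the key was provisioned
    attacker_key = secrets.token_bytes(32)
    key_on_host = legit_key
    backups = []
    for day in range(1, 6):
        if day == 3:
            key_on_host = attacker_key     # silent substitution on the backup host
        data = f"day {day} ledger: constructed sample records".encode()
        backup = make_backup(f"day{day}", data, key_on_host)
        if day >= 4:
            backup = replace(backup, key_fp=backups[0].key_fp)  # forged metadata
        backups.append(backup)
    return audit_backups(backups, escrow_key)


if __name__ == "__main__":
    for label, status in simulate_key_swap().items():
        print(label, status)
```

Running it reports day1 and day2 as OK, day3 as KEY_MISMATCH and day4 and day5 as TAMPERED. The fingerprint comparison is only a fast path: an intruder on the backup host can copy an old fingerprint into new metadata, which is why the HMAC and the actual decrypt are computed with the escrow key and never with the key found on the host. Schedule the audit to run from a machine that only holds the escrow copy, and treat any status other than OK as an incident, not a backup glitch.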