Should you pay ransomware actors?
Experts say the choice could depend on the attack and the organization.
Caroline Nihill is a reporter for IT Brew who primarily covers cybersecurity and the way that IT teams operate within market trends and challenges.
Eoin Higgins is a reporter for IT Brew whose work focuses on the AI sector and IT operations and strategy.
No one wants to pay criminals, least of all criminals who are ransoming sensitive data for an enormous sum. That said, should organizations targeted by ransomware consider paying for their data back?
Every organization has a different appetite for obeying cyberattackers’ requests for payment. Paul Caiazzo, chief threat officer for Quorum Cyber, told IT Brew that while some companies may initially refuse to negotiate a ransom, sometimes they’re forced to pay after losing a significant amount of operational time.
“My opinion is, if your organization is completely encrypted and you don’t have backups, their choices are to go out of business or pay the ransom,” Caiazzo said. “Obviously, the better choice is to pay the ransom in those situations, and that would generally be what I would guide a client to do. But again, we’re not there to say you should or shouldn’t pay.”
If you must…
Organizations pay a ransom for a multitude of reasons, Caiazzo said.
If a criminal has locked down a system through encryption, an organization can no longer function. The need to access vital data is one of the main motivators for ransom payments. An attacker’s threat to leak sensitive data can also compel a company to play ball.
“With data theft, I cannot prove that the threat actor is going to not continue to leak the data, and so that’s why I tend to not recommend people pay ransoms—if it’s purely just to suppress a data leak, because you simply can’t trust what the threat actor is telling you in those moments,” Caiazzo said.
There are a number of circumstances in which it makes sense to pay a ransom, said Mike Puglia, GM of cybersecurity labs at Kaseya. The potential danger from exfiltrated or encrypted data may override the risk and precedent-setting potential of the financial hit. Specifically, Puglia said, institutions like energy infrastructure and healthcare providers are at a disadvantage here.
“It is disgusting that hospitals and places like that, where they have a high degree of payouts, that they go after them, but there is no coming back from that if people are injured or dead” as a result of locked-down data, Puglia said.
But if you can…
Paying or not paying is a “personal thing,” Alex Rose, the global head of government partnerships and the counter threat unit team at Sophos, told IT Brew.
“From a research perspective, and from people who don’t want these crimes to continue, we know that paying them helps them continue the work,” Rose said. “That’s why they’re in the business of what they’re in, they want to make money. Some people would say [it] incentivizes them to continue their work and so on.”
But Rose acknowledged that paying the ransom is cheaper for the organization than ceasing operations, and could allow them to remain in business. Whether or not a company offers critical services could also impact the decision to pay.
Some organizations have a “flat-out ‘no’ policy,” Rose added, where they will never pay the ransom.
“We’ve seen organizations where they’ve successfully handled the exposure side of this and the brand and the reputation from it, and they came out really [strong] in their reasoning for why they wouldn’t pay it,” Rose said. “But you don’t know. I think you’re also dealing with that…uncertainty, so I definitely feel for people in the seats to make those decisions.”
TL;DR: It’s hard to hand over a significant amount of cash in exchange for one’s own data. But when organizations need to return to normal operations, experts say doing so might be a necessary evil.