To pay, or not to pay, that is the question: How should businesses respond to a ransomware attack?

Ransomware has savaged large and small businesses alike in Australia this year.

For some, it’s ruined brand reputation, compromised services, and hit share price.

In some cases, organisations are choosing to pay the ransom. Industry estimates put the number of organisations as high as 29%, but for SMEs, this figure may even be as high as 70%, which makes sense given they would be more likely to look at it in purely financial terms.

So, if your organisation gets hit by ransomware, should you pay or not?

The question is a lot more nuanced than you may think. But let’s try to take away the fear and uncertainty of it with these five touchpoints.

1. Can you legally pay the ransom?
2. Does paying the ransom solve the immediate problem?
3. Does paying the ransom solve the longer-term problem (for you)?
4. Does paying the ransom solve the longer-term problem (for everyone)?
5. Is paying the ransom ‘cheaper’ than the alternative?

Now each of these in turn.

1. Can you legally pay the ransom?

It depends.

Ultimately, the answer to this hangs on the laws that apply in the jurisdiction in which an organisation operates.

In an Australian context, there are provisions in the Criminal Code Act 1995 (Cth) that could arguably apply to the payment of a ransom, where it can be shown there was a risk the payment of the ransom could become an instrument of crime and the person making the payment is reckless or negligent to that risk.

Given cyber criminals are highly likely to use the proceeds from ransom payments to fund their activities, there is an argument that in making such a payment a breach of the act has occurred.

However, this is yet to be tested in a court of law, and from a public policy perspective, it’s likely to be controversial and relatively unpalatable to hold ransomware victims liable for an offence when they are merely trying to get their data back or stop it from being released.

There are also duress provisions in the act that may apply to organisations that pay a ransom.

There’s also the question of whether such a payment may be in breach of sanctions.

The US Department of the Treasury’s Office of Foreign Assets Control (OFAC) issued an advisory on October 1, 2020, covering exactly this topic.

OFAC suggests that you should make sure to report any attacks to law enforcement, and you should request a ‘license’ to pay the ransom if you intend to do so and have reason to believe the recipient may be subject to sanctions, but your request probably won’t be approved anyway.

2. Does paying the ransom solve the immediate problem?

Common ransomware attacks these days have two parallel extortion themes.

1. ‘We’ve encrypted your data, and if you want it back, you have to pay us.’
2. ‘We’ve taken your data, and if you don’t pay us, we’ll leak it on the dark web.’

In that context, the question about solving the immediate problem is also two-fold.

• ‘If we pay the ransom, do we get the encrypted data back?’
• ‘If we pay the ransom, do we prevent the data being leaked onto the dark web?’

As the attackers are in most cases attempting to extort a large number of people at the same time, ensuring they have a good ‘market image’ is important.

If word gets out that your data is leaked, either way, there’s no incentive to pay the ransom.

The only real incentive is the belief that the attacker’s promises will be kept.

So in that way, it is likely that your immediate problem will indeed be solved by paying the ransom.

But in no way is that guaranteed.

3. Does paying the ransom to solve the longer-term problem (for you)?

This is where it starts to get tricky. There are a couple of different angles here also.

• ‘If we pay the ransom, is there an increased risk that we get targeted and compromised again in future?’
• ‘Given there’s no way of knowing that the attacker deleted the data they stole the first time, what’s to stop them extorting us again in the future or exploiting a backdoor they’ve installed in your system?’

The first of those is at least something that you, as the victim, have some level of control over.

That is, while there may indeed be an increased risk that you are ‘targeted’, that does not necessarily mean there is an increased risk you will be compromised, as logically, following the original breach, you would have invested in uplifting security controls to make such a breach less likely.

The second, though, is definitely problematic.

The idea of having to ‘trust’ the very criminal that extorted you in the first place, at their word, for having deleted your data, isn’t really sensible.

There is no reason to believe that you won’t be extorted over, and over, and over again, until ultimately you stop paying and the data is released.

4. Does paying the ransom solve the longer-term problem (for everyone)?

Definitely not. This one is clear cut.

Everything from economics to psychology to sociology will tell you that paying ransoms has one clear outcome. In short, validating the effectiveness of the attack as one that generates a financial return, and increasing the likelihood of further similar attacks in future.

Paying ransoms has very bad societal outcomes.

Is paying the ransom ‘cheaper’ than the alternative?

Superficially, it probably is.

Where that comes undone, however, is the end-state that you get to.

With a full clean-up, rebuild and not paying the ransom, the end-state you get to is a ‘business-as-usual’ operating model with a few scars to show for the journey, probably some unhappy customers and a damaged brand, but you have a clean slate and a clear conscience.

With paying the ransom, the end-state you get to is a ‘sold-your-soul’ operating model with a permanent and possibly crippling level of paranoia that will infect future business decisions as you know, quite rightly, that you are operating on borrowed time before the person extorting you comes back for more.

What price for a good night’s sleep?

The problem of ransomware isn’t likely to go away anytime soon, so I can’t overstate the importance of avoiding that kind of business decision.

Embrace the boring stuff. Good security hygiene, such as patching and regular backups, and frequent threat hunting can help avert the dilemma in the first place.