By Jamie Wilson, Founder & Managing Director, Cryptoloc
It might be the most difficult decision you ever have to make. With the future of your business and the private details of your customers, clients and employees on the line, whether or not to pay the ransom demanded by a cybercriminal can seem like an impossible choice – but here are the things you need to consider.
Ransomware has grown rapidly in both profile and impact over the last couple of years. Traditionally, ransomware attacks have consisted of criminals gaining access to your files and encrypting them, or restricting operations, and demanding a ransom for their return.
But the craft of ransomware has evolved recently, with the emergence of double extortion, in which the criminal threatens to leak your stolen files, and even triple extortion, in which your clients or suppliers are also hit with ransom demands.
There is seemingly no sector that ransomware won’t touch. Private companies of all sizes have been targeted, but so have schools, scientific and technical organizations, social services, and even hospitals. Earlier this year, Eastern Health – the operator of four hospitals in Australia – was hit by a cyber-attack that forced it to postpone certain surgeries, with ransomware the likely cause of the disruption. In the United States, ransomware has recently been alleged as the cause of death for a baby born at a hospital where hackers had shut down crucial systems in an extortion attempt.
Ransomware is serious business – and for those on the receiving end, it can put them in a seemingly impossible situation.
Is paying the ransom illegal?
In most countries, at the time of writing, there are no laws that explicitly prohibit the payment of a ransomware demand.
However, a person considering paying a ransom should take other laws into account, such as those pertaining to money laundering (it’s an offence to deal with money or property where there’s a risk that it will become an instrument of crime) and those pertaining to terrorist organizations (if the cyber cartel that’s demanding the ransom payment is classified as a terrorist organization, paying it would be illegal).
Going forward, I expect all of the countries in the Five Eyes alliance – Australia, the US, the UK, Canada and New Zealand – to eventually pass legislation that does explicitly prohibit the payment of ransomware demands, even though this will put companies that are unable to recover without access to their data in an extremely challenging position.
For instance, if a company feels they truly have no choice but to pay the ransom, they could then find themselves at risk of further extortion if the attacker threatens to reveal the illegal payment – creating a virtual Möbius strip of ransom payments.
Should you pay the ransom?
Most governments recommend that victims of ransomware do not pay the ransom. Their reasoning is that paying the ransom effectively funds criminal groups and demonstrates a willingness to give in to criminal demands, which can incentivize these groups to continue deploying ransomware attacks.
There is also no guarantee you’ll actually regain access to your systems and your data after paying the ransom. (The files may not be recoverable at all, if the attackers used ‘wiper’ malware, which sometimes masquerades as ransomware.) There’s also no guarantee the group won’t just turn right around and hit you with another ransomware attack – they could even provide you with a payment link that installs more malware onto your system.
Despite this, roughly one third of Australian businesses that are hit with a ransomware attack choose to pay the ransom – for an average amount of roughly $1.25 million, according to a survey conducted by CrowdStrike in 2020. (Exact figures are hard to come by, since most victims of ransomware don’t willingly disclose that fact.)
It’s not hard to see why they decide to give in. I’ve seen businesses brought to their knees by ransomware – especially small and medium-sized enterprises that don’t have backups in place, and simply don’t have the resources to get back on their feet and rebuild if they aren’t able to recover their data.
It’s not just smaller companies that feel the heat, either. JBS Foods, the world’s largest meat supplier, recently paid a $US11 million ransom.
In May 2021, the United States experienced fuel shortages after Colonial Pipeline, an oil pipeline system that carries gasoline and jet fuel, was hit with a ransomware attack that forced it to shut down its pipelines for days. With the assistance of the FBI, Colonial paid a $US4.4 million ransom to restore their network.
Colonial Pipeline CEO Joseph Blount said that Colonial could have restored from backups but opted to pay the ransom because of the critical nature of the pipelines and the uncertainty over how badly their systems had been breached and how long it would take to recover them.
A majority of respondents (62 per cent) to CNBC’s Global CFO Council survey for Q2 2021 said that Colonial had “no choice but to pay the ransom”, although only five per cent said it was the “right” choice.
(The Department of Justice was eventually able to recover the Bitcoins from the ransom payment by acquiring the private key of the ransom account, but these were worth only $US2.3 million because of a drop in Bitcoin value since the payment.)
No matter the size of your organization, it’s clear that the ideal solution is to prevent an attack in the first place. Ensure your operating systems, software and applications are up to date; set your anti-virus and anti-malware solutions to automatically update and scan; turn on multi-factor authentication; and most importantly, train each of your employees not to visit unsafe or suspicious websites, open emails or files from unknown sources, or click on suspicious links in emails or on social media.
Even if you do all of that, you could still fall victim to an attack – but you should be able to recover with minimal downtime, and without paying the ransom, as long as you’ve got a solid backup infrastructure in place. Back up your data regularly, and ensure your backups are stored securely, and aren’t connected to the computers and networks they’re backing up.
In today’s landscape, a ransomware attack is increasingly inevitable – but if you put effective cybersecurity practices in place and back up your data, you may never have to make that impossible choice.
About the Author
Jamie Wilson is the founder and chairman of Cryptoloc, recognized by Forbes as one of the 20 Best Cybersecurity Startups to watch in 2020. Headquartered in Brisbane, Australia, with offices in Japan, the US, South Africa and the UK, Cryptoloc have developed one of the world’s strongest encryption technologies and cybersecurity platforms, ensuring clients have complete control over their data. Jamie can be reached online at www.linkedin.com/in/jamie-wilson-07424a68 and at www.cryptoloc.com