Ransomware: The Pros and Cons of Paying Demands
To pay or not to pay? Critical factors to consider for businesses facing cyber threats.
Ransomware is today’s most prominent cyberattack, and many organizations will face the threat soon, leaving them assessing the critical question – do we pay? So, what do organizations need to know to make that decision? Jordan Schroeder, managing CISO at Barrier Networks, sets out the factors.
It is estimated that in 2022, organizations worldwide detected 493.33 million ransomware attempts. This considerable number of incidents impacted all industries, placing the US and the UK as the top two targets, and it acts as a firm reminder that the chances of getting hit today are more significant than ever.
It also means organizations must put plans in place to prepare for attacks, focusing not only on building secure and resilient networks but also on the assumption that a successful breach will occur. Hence, organizations must have a strategy to help them answer ransomware’s most complex question: Do we pay?
So, how can organizations navigate this difficult question and what issues must be considered to help them reach an answer?
Paying the Demand – Critical Factors:
For some businesses, the temptation to pay the demand and get back online quickly takes precedence. However, ransomware is rarely straightforward, and there are many factors to consider before taking this action. These include:
1. Con: Paying ransoms funds and rewards crime
Paying a ransom demand only benefits criminals as it financially rewards attackers. It’s the sole reason why ransomware is so prevalent and profitable today. The more organizations pay demands, the more cybercriminals earn. Furthermore, when organizations pay demands, this is often made public, which can shatter a brand’s reputation and tarnish customer trust. Therefore, paying is always inadvisable from an ethical and brand reputation perspective, but in some cases, unavoidable.
2. Con: Paying makes you a profitable target
When an organization pays a ransom demand, there is little hope of keeping this quiet among hacking communities, so when one gang secures a payment, other groups know they have a chance, too. This means that when a business pays once, it should be prepared for more attacks from other ransomware criminals in the future.
3. Con: Paying requires trust in the criminal
Paying ransom demands requires doing business with criminals, so placing trust in them to restore data is a massive gamble. While they may unlock the data, have they also stolen it and sold it on to others? Will they string you along with more and more demands?
Paying should never be viewed as a quick resolution to recover from ransomware. Attacks are rarely straightforward, and even after paying a demand, it can still take months to recover fully.
4. Pro: Paying may be cheaper than the alternatives
In some instances, when a business is hit with ransomware, it has no realistic chance of recovering its data or getting back online quickly without the attacker’s key. Organizations, therefore, must know their chances of recovery before attacks happen. This must include the cost of downtime per hour, how much data is backed up daily (and therefore how much could be lost), and what contractual obligations will be missed due to downtime. In some cases, the impacts of an attack place a heavier financial penalty on an organization than the actual ransom demand, so having this information available quickly is essential.
Not Paying the Demand – Critical Factors:
So, what are the considerations you must make when not paying demands?
1. Con: Not paying could result in data loss
The losses in the wake of ransomware can be catastrophic. It often takes months to recover, causes substantial financial losses, and can mean restoring critical data from scratch. While most organizations will run a backup schedule, the most recent backup usually lags live operations by some interval, so depending on the business, a day’s worth of data loss can range from manageable to disastrous.
Furthermore, not paying the ransom can lengthen the time to recover from a breach, and this can cause burnout among IT teams, with many teams reporting significant stress following attacks.
2. Con: Not paying could end the business
In the harshest instances, ransomware can send an organization into insolvency. If the organization chooses not to pay the ransom, this can result in irreparable losses, which put the business entirely out of operation. These severe consequences of attacks must be considered before deciding on a payment.
3. Pro: It is ethically correct not to pay
Refusing to pay a demand is morally correct, and some governments have even made it illegal. But that doesn’t always mean it’s the safest response for businesses.
Preparing for the Decision
Ransomware presents difficult choices with reasonable arguments on both sides of paying or not paying demands. Ultimately, the right decision depends on your business’s unique situation. Rather than looking for a one-size-fits-all answer, have an open discussion now to determine the circumstances under which your business may consider paying ransoms.
Factors to consider include the criticality of impacted systems, estimated downtime losses, legal risks, and ethical considerations. By deciding on your ransom payment philosophy in advance, you can respond decisively and quickly during an attack.
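The cost comparison described under "Paying may be cheaper than the alternatives" and the downtime, backup and legal factors listed just above can be turned into a simple decision-support model that an incident response team fills in before an attack. The following is an added illustrative example; it is not code from the article or from Barrier Networks, and every figure in it is a constructed placeholder. The model and its field names are assumptions: it treats recovery as restoring from backup (losing up to one backup interval of data) versus paying, and it deliberately builds in the "trust in the criminal" caveat by assigning a probability that the decryptor actually works, with the failed-payment branch falling back to the backup route after time has already been lost.

```python
from dataclasses import dataclass


@dataclass
class IncidentProfile:
    """Business-side inputs an organization should know before an attack.
    All values are illustrative assumptions, not figures from the article."""
    downtime_cost_per_hour: float      # revenue and productivity lost per hour offline
    backup_interval_hours: float       # age of the newest usable backup (how much data is lost)
    rebuild_cost_per_lost_hour: float  # cost to re-create each hour of un-backed-up data
    restore_hours_from_backup: float   # expected time to rebuild systems from backups
    contract_penalty_per_hour: float   # SLA / contractual penalties accrued per hour of downtime
    penalty_grace_hours: float         # hours of downtime before those penalties start


@dataclass
class PaymentTerms:
    """What paying would involve. The success probability models the
    'trust in the criminal' gamble: a key is not guaranteed to work."""
    ransom: float
    decryptor_success_probability: float  # chance the supplied key restores the data
    restore_hours_with_decryptor: float   # recovery is still slow even with a working key


def downtime_loss(profile: IncidentProfile, hours: float) -> float:
    """Direct downtime cost plus contractual penalties beyond the grace period."""
    penalty_hours = max(0.0, hours - profile.penalty_grace_hours)
    return (hours * profile.downtime_cost_per_hour
            + penalty_hours * profile.contract_penalty_per_hour)


def cost_of_not_paying(profile: IncidentProfile) -> float:
    """Restore from backups and re-create the data produced since the last backup."""
    lost_data_cost = profile.backup_interval_hours * profile.rebuild_cost_per_lost_hour
    return downtime_loss(profile, profile.restore_hours_from_backup) + lost_data_cost


def expected_cost_of_paying(profile: IncidentProfile, terms: PaymentTerms) -> float:
    """Probability-weighted cost of paying.
    Success: ransom plus the (still non-trivial) recovery time with a key.
    Failure: ransom is sunk, time was wasted waiting on the key, and the
    organization still has to take the backup route afterwards."""
    p = terms.decryptor_success_probability
    success = terms.ransom + downtime_loss(profile, terms.restore_hours_with_decryptor)
    failure_hours = terms.restore_hours_with_decryptor + profile.restore_hours_from_backup
    lost_data_cost = profile.backup_interval_hours * profile.rebuild_cost_per_lost_hour
    failure = terms.ransom + downtime_loss(profile, failure_hours) + lost_data_cost
    return p * success + (1.0 - p) * failure


def break_even_success_probability(profile: IncidentProfile, terms: PaymentTerms) -> float:
    """The decryptor success rate at which paying and not paying cost the same.
    Solves p*S + (1-p)*F = N for p, clamped to [0, 1]."""
    n = cost_of_not_paying(profile)
    s = terms.ransom + downtime_loss(profile, terms.restore_hours_with_decryptor)
    failure_hours = terms.restore_hours_with_decryptor + profile.restore_hours_from_backup
    lost_data_cost = profile.backup_interval_hours * profile.rebuild_cost_per_lost_hour
    f = terms.ransom + downtime_loss(profile, failure_hours) + lost_data_cost
    if f <= s:  # degenerate: paying never costs more when it fails than when it succeeds
        return 0.0
    return min(1.0, max(0.0, (f - n) / (f - s)))


def compare(profile: IncidentProfile, terms: PaymentTerms) -> dict:
    """Summarise both branches; the financial answer only, ethics and legality are separate."""
    not_paying = cost_of_not_paying(profile)
    paying = expected_cost_of_paying(profile, terms)
    return {
        "cost_not_paying": not_paying,
        "expected_cost_paying": paying,
        "financially_cheaper": "not_paying" if not_paying <= paying else "paying",
        "break_even_success_probability": break_even_success_probability(profile, terms),
    }


# Constructed scenario (placeholder numbers): a mid-sized firm with daily backups,
# five days to rebuild, and SLA penalties kicking in after two days of outage.
EXAMPLE_PROFILE = IncidentProfile(
    downtime_cost_per_hour=10_000, backup_interval_hours=24, rebuild_cost_per_lost_hour=500,
    restore_hours_from_backup=120, contract_penalty_per_hour=2_000, penalty_grace_hours=48,
)
EXAMPLE_TERMS = PaymentTerms(ransom=300_000, decryptor_success_probability=0.7,
                             restore_hours_with_decryptor=72)

if __name__ == "__main__":
    for key, value in compare(EXAMPLE_PROFILE, EXAMPLE_TERMS).items():
        print(f"{key}: {value}")
```

With these constructed inputs the ransom is well below the raw downtime bill, yet not paying is still cheaper in expectation, because a 30% chance of a dead key drags the paying branch above the backup route; paying only becomes the cheaper option once the assumed decryptor success rate passes roughly 80%. The point of running such a model before an incident is exactly the one the article makes: the numbers that decide the question (downtime cost, backup age, penalty clocks) must already be known when the demand arrives, and the trust problem has to be priced in rather than assumed away.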
Additionally, invest now in ransomware prevention, resilience, and incident response to improve systems’ defenses. This includes educating employees on ransomware and how it gets into systems, keeping up to date with patches released from vendors, and running proactive risk assessments to minimize ransomware losses. In addition to this, it is also essential to implement segmentation to prevent attackers from pivoting across the network and reaching other critical assets.
Build strong security defenses, document response plans, and develop the capacity to assess and respond to attacks rapidly. With proper precautions, you can minimize the business impact of attacks and empower your organization to make the right call when faced with ransom demands. While ransomware is inevitable, its damage to your business doesn’t have to be. Prepare for attacks before they strike.