Considerations

Decisions should be tightly linked with the organization’s risk management, business continuity goals and downtime costs, regulatory considerations, legal implications, and the possibility that the criminals will not provide the means to decrypt all files or attempt to extort more money even if they are paid. Generally, any decision to pay a ransom must involve the relevant stakeholders from inside the company. At the same time, it is wise to seek counsel from incident response subject matter experts and understand the terms and services offered by the company’s cyber insurance provider. If a ransom negotiator is going to be part of the process, they may be able to offer insights from previous cases with the same cybercriminal group. This section lists the main topics companies should consider if the decision to pay a ransom is being discussed.

Depending on the results of your root cause analysis, if the attack was made possible by vulnerable systems, those will have to be patched to prevent them from being re-exploited in the future. If those systems cannot be patched, segregate, place compensating controls, and ensure the exposure to risk has been minimized.

Paying criminals is precisely what it sounds like — paying an untrusted party. Criminals may or may not fulfill their part of the deal after they have been paid, especially since they can vanish as soon as the (irreversible) payment is made. While most cybercriminals will provide a means to decrypt files once payment is made, it is quite possible for them to not do so.

If a ransom is paid and a decryption key is provided, keep in mind that recovering with a decryption key is seldom instantaneous. Decrypting files is a manual task and they must be decrypted individually, which can be a painstaking and time-consuming undertaking. In most cases, even if the criminals are paid and provide the decryption key, the recovery effort can be just as complex and strenuous as reimaging machines. That means recovery efforts could be just as costly as if the adversaries had not been paid.

The increasing demand to pay ransomware attackers has given rise to a new kind of business: Ransomware negotiators. Private firms in this new domain offer to help companies negotiate and pay ransoms for a fee, but there are considerations beyond negotiating skills to examine when deciding whether or not to pay a ransom.

Some countries are under sanctions by the U.S. Government, and as a result, paying ransom to cybercriminals from those countries can be a federal offense. On October 1, 2020, an advisory from Treasury’s Office of Foreign Assets Control (OFAC) served notice about potential fines for all those involved in aiding payments to attackers from sanctioned countries, which include Russia, North Korea or Iran. Firms that offer ransomware negotiation services and the clients they represent are not exempt from this advisory

Paying cybercriminals reinforces their business model, encourages more criminals to take part in the same activity, and continually funds both cybercrime and other crimes that are supported by that ecosystem. Keep in mind that paying a ransom ultimately serves as motivation for adversaries to increase both frequency of attacks and the price of the ransom itself