Should You Pay the Ransomware Demand
May 26, 2020 By Jeff Hendricks
While its origins go back further, ransomware has become common only in the last few years. In this post we’ll cover scenarios where you might pay the ransom, situations where you wouldn’t even consider paying the ransom, and the details that drive that decision.
If you’re just catching up on our ransomware series, be sure to check out our previous posts:
- The Definitive Guide to Ransomware
- What is Ransomware?
- How Does Ransomware Spread?
- How to Report Ransomware
- Recent Ransomware Attacks and Examples
- How to Prevent Ransomware Attacks
Common Ransomware Demands
When ransomware has finished encrypting your data, the typical next step is to present you with a ransom note. You can see examples here and here. The note will demand a ransom payment and typically include an email address to begin communication. The payment will be requested in bitcoin, making it nearly impossible for authorities to trace. The ransom amount can vary based on what type of ransomware you are infected with and your specific business type and size. It’s beneficial for the crime actors to charge an amount you can afford to pay and are likely to pay, rather than pursuing other expensive remediation options.
Ransom amounts have increased dramatically in the last year. From Q4 2019 to Q1 2020, ransom demands increased by 33%, reaching an average of $111,605. A new Emsisoft report claims that in 2020, ransomware demand costs could exceed $1.4 billion. When you combine the costs of both ransomware and an average downtime of 16 days, the report expects to see $9.3 billion in total costs in the U.S. Emsisoft claims that one-third of victims pay the ransom.
Should You Pay the Ransomware Demand
It’s difficult to answer the “should you pay the ransomware” question because every case is different and there are so many nuances. It’s not a black and white situation. There are scenarios where you might pay the ransom and others where you would not pay the ransom.
From an economic standpoint, it’s simply a question of the losses you expect to experience by paying versus not paying. If you don’t have any backups and you need the data that has been stolen, there may be a case for paying. If the cost of rebuilding what’s been breached and infected is smaller than the cost of the ransom (possible, but unlikely), then you may consider not paying the ransom. Let’s look at a few scenarios.
If you pay the ransomware demand: If you decide that paying the ransom is the right approach or next step, there is a good chance you will get your data back, though the process could be painful and you have no real guarantee. Ransomware attackers are incentivized to help you get access to your stolen data if you pay so that other victims will also choose to pay; it’s viewed as a business transaction.
The crime actors will start by giving you a few sample decryptions to prove that they can help you unlock your data. You can see an example of this scenario in figure 30 in this McAfee article. Coveware reports that payment resulted in successful data decryption in 96% of cases.
It’s important to note that different strains of ransomware have different decryption success rates. Coveware (again) reports some strains have success rates as low as 40%. In 2017, reports detailed that the ransomware strain NotPetya offered no chance of data recovery even if the victim paid the ransom demand.
If you decide to NOT pay the ransomware demand: If you choose not to pay the ransomware demand, it will be up to you to restore your systems. You may need to pay for expensive professional services to help you fully recover or rebuild your system. The difficulty in this case will depend on many factors, including the availability of backups for the lost data. If you have regular backups (preferably stored in a way that is disconnected from production so that they do not also become compromised), you have a better chance at a smooth restoration of your system.
There may also be a question of ethics and a level of discomfort in rewarding criminal behavior. The FBI publishes guidelines with its stance on ransomware response. Unfortunately, taking the moral high ground can prove to be extremely expensive. The city of Baltimore chose not to pay an $80,000 ransom demand. Dealing with the incident without paying was estimated to cost them $18 million.
Working with an experienced ransomware response professional is important in understanding these sorts of considerations for any individual case. Along with helping you navigate your options, likelihood of success if you pay, and dealing with cryptocurrency transactions, they can often help you negotiate the demand down to something significantly lower.
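The "losses you expect by paying versus not paying" comparison above can be written down as a small expected-cost model. The following is an added illustration, not code from the original post or from any response firm; every figure in it (rebuild cost, daily downtime cost, days of downtime, response fees) is a constructed assumption chosen to resemble the two situations the post describes, a victim with no usable backups and a victim with disconnected backups. The ransom amounts and the 96%/40% decryption success rates come from the post; the `IncidentEstimate` fields and the breakeven formula are this example's own.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass
class IncidentEstimate:
    """Inputs a responder would estimate for one incident (all money in USD)."""
    ransom: float                # amount demanded in the ransom note
    p_decrypt: float             # probability the decryptor works for this strain
    rebuild_cost: float          # cost to rebuild/restore without a decryptor
    daily_downtime_cost: float   # revenue and productivity lost per day offline
    days_down_if_restore: float  # downtime when rebuilding from backups or scratch
    days_down_if_decrypt: float  # downtime when the decryptor works
    response_fees: float = 0.0   # professional services, incurred either way


def cost_if_restore(e: IncidentEstimate) -> float:
    """Cost of the rebuild path: rebuild work plus the downtime it implies."""
    return e.rebuild_cost + e.days_down_if_restore * e.daily_downtime_cost


def cost_if_decrypt_works(e: IncidentEstimate) -> float:
    """Downtime cost while a working decryptor runs (the ransom is counted separately)."""
    return e.days_down_if_decrypt * e.daily_downtime_cost


def expected_cost_if_pay(e: IncidentEstimate) -> float:
    """Paying is a gamble: the ransom is sunk, and with probability (1 - p_decrypt)
    you still end up on the rebuild path on top of it."""
    return (e.ransom + e.response_fees
            + e.p_decrypt * cost_if_decrypt_works(e)
            + (1 - e.p_decrypt) * cost_if_restore(e))


def expected_cost_if_not_pay(e: IncidentEstimate) -> float:
    """Not paying is deterministic: fees plus the rebuild path."""
    return e.response_fees + cost_if_restore(e)


def breakeven_p_decrypt(e: IncidentEstimate) -> Optional[float]:
    """Decryption success probability at which paying and not paying cost the same.
    Setting the two expectations equal gives  p = ransom / (restore - decrypt).
    Returns None when paying can never break even, i.e. when restoring is no more
    expensive than decrypting, or when the required p exceeds 1."""
    gap = cost_if_restore(e) - cost_if_decrypt_works(e)
    if gap <= 0:
        return None
    p = e.ransom / gap
    return p if p <= 1.0 else None


def cheaper_option(e: IncidentEstimate) -> str:
    """Which path has the lower expected cost under these estimates."""
    return "pay" if expected_cost_if_pay(e) < expected_cost_if_not_pay(e) else "do not pay"


# Constructed scenario A: no usable backups, long rebuild, low demand (Baltimore-like
# ransom figure from the post; every other number here is an assumption).
NO_BACKUPS = IncidentEstimate(ransom=80_000, p_decrypt=0.96, rebuild_cost=10_000_000,
                              daily_downtime_cost=200_000, days_down_if_restore=40,
                              days_down_if_decrypt=5, response_fees=50_000)

# Constructed scenario B: disconnected backups exist, restore is quick, demand is the
# post's Q1 2020 average. Same strain success rate.
GOOD_BACKUPS = IncidentEstimate(ransom=111_605, p_decrypt=0.96, rebuild_cost=20_000,
                                daily_downtime_cost=5_000, days_down_if_restore=3,
                                days_down_if_decrypt=2)

# Same as A but a strain with the 40% success rate the post mentions.
WEAK_STRAIN = IncidentEstimate(**{**NO_BACKUPS.__dict__, "p_decrypt": 0.40})

if __name__ == "__main__":
    for name, est in [("no backups", NO_BACKUPS), ("good backups", GOOD_BACKUPS),
                      ("weak strain", WEAK_STRAIN)]:
        print(f"{name:12s} pay={expected_cost_if_pay(est):>14,.0f} "
              f"not_pay={expected_cost_if_not_pay(est):>14,.0f} "
              f"breakeven_p={breakeven_p_decrypt(est)} -> {cheaper_option(est)}")
```

The point the numbers make is the one in the post: the decision is driven far more by the availability of disconnected backups than by the size of the demand. In scenario A even a 40% success rate leaves paying cheaper in expectation, while in scenario B no success probability at or below 1 makes paying break even, so the negotiation and recovery effort belongs on the restore path.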
To fully understand your exposure and risk to ransomware, take our three-question quiz.