To Pay or Not to Pay – Factors to Consider when Faced with a Ransomware Attack

By Chris Recker and Charlyn Cruz

In this digital age, the data held by an organisation can be one of its most important assets. Threat actors (also known as malicious actors) recognise this and, as a result, cyberattacks have been on the rise. In particular, ransomware attacks have increased in frequency; studies have found that more than three-quarters of UK businesses were affected by ransomware in 2021. That figure is less surprising than it sounds, because an organisation can experience significant disruption even where it is not the target of a ransomware incident (for example, where an organisation further up or down its supply chain has been affected).

So what should a company do when their data is being held captive? Should they submit to the demands of the threat actor and simply pay? Or should they refuse to back down, on moral grounds (amongst other things)?

Whichever path a company chooses to take, it will ultimately be a commercial decision that boils down to a number of variables, such as: (1) the size of the company, (2) its operational resilience, (3) its cyber security posture and hygiene, (4) the type and sensitivity of the data being ransomed (and in particular, whether that data has been or may have been exfiltrated), and (5) the intelligence available on the ransomware group involved (including whether or not payment is likely to restore the data).

This article addresses some of the factors an organisation should consider when caught between a digital rock and a hard place.

Ransomware attacks: what are they?

Ransomware attacks are a form of extortion in which the data on an organisation’s computer systems is encrypted and/or exfiltrated without authorisation. Payment (the ransom) is then demanded in return for the promise of decryption keys and/or deletion of the data (from the threat actor’s systems). Threat actors may also threaten to publish the data or sell it on the dark web as a further motivator for an organisation to make payment. In some circumstances, an organisation may be faced with one ‘fee’ for decrypting its data and a second fee for preventing the disclosure of information (usually personal data); this is what has become known as ‘double extortion’.

Paying the ransom

Resolved to pay? You’re in good company: reports suggest that 82% of British firms that have been victims of ransomware attacks have paid the ransom to restore their data. However, whilst it is tempting (paying the ransom may appear more cost effective than data recovery, or than the costs of the legal, cyber and PR response teams), there are consequences that can affect your business in the long term. Ultimately, the decision to pay rests solely with the organisation.

    • Criminal Repercussions: Consider whether you would be committing any offences by paying the ransom. Some ransomware groups (and the cryptocurrency addresses used for payment) may be on a sanctions list, and the monies could be used to fund other criminal activity, such as human trafficking and terrorism. You should also consider other relevant jurisdictions in which payment of a ransom can amount to a criminal offence. If your organisation is a financial institution, you may also have to file a Suspicious Activity Report.
    • Insurance: Cyber insurance may cover ransom claims and therefore act as something of a comfort blanket for your organisation, but check your policy just in case (including what may be required to trigger indemnity, such as notifying the insurer before any payment is made). As the number of ransomware incidents has risen, insurance companies have become more averse to covering such claims. Further, if ransomware groups are aware that your organisation has a policy covering ransom payments (or that it has a preference to pay quickly), this may make you a more sought-after target, as it signals a willingness to pay out quickly.
    • Restoration of Data: Ransomware is sold ‘as a service’ and, for that reason, the reputation of the criminal group would be damaged if a ransom were paid and their side of the bargain not upheld (i.e. the data was still published, or the decryption key did not work). Some threat actors may keep their word, but some will inevitably renege (and indeed some victims who make those payments never recover their data). Even a genuine decryption key does not guarantee a clean recovery: the decryption tools supplied by threat actors are often slow or unreliable, and some data may be lost or corrupted in the process. This must be carefully balanced and considered against the intelligence available; for example, does the particular threat actor have ‘form’ for providing working decryption keys and/or returning or deleting exfiltrated data?
    • Is payment the only option? An organisation should discuss the various options and timescales available with its incident response team. The answer may be dictated by the motivation for paying (e.g. is it to safeguard personal data, or is it because the business cannot function without that data?).
    • Does the ransom payment have to be notified? Mandatory reporting of ransom payments is being considered or implemented in many jurisdictions. It is worth bearing in mind that a reported payment invites further questions about the decision to pay, and may lead to requests for disclosure of the underlying communications (to the extent they are not covered by privilege).
    • What will the regulator(s) think: Depending on the extent of notifications required, it may be that regulators in multiple jurisdictions will need to be informed of the steps taken. Those regulators may be focussed, for example, on the extent to which an organisation safeguarded personal data (and it may be possible to construct an argument that paying the ransom went some way towards that).
    • Other Notifications: Aside from the relevant regulators, you may have to notify other parties. For instance, you may consider reporting the payment to the NCA or other relevant authorities if the intelligence indicates suspicious activity by the threat actor. You may also wish to disclose the incident to, and update, shareholders, as a hefty ransom could warrant a profit warning. Of course, who you choose to notify will be contingent on the quality of the intelligence available, amongst other things.
    • Can the ransom be recovered? This is an important consideration, particularly if an insurer is not making the payment or contributing to it. For example, do you want to try to recover the payment once the transfer has been made? Is that viable, and what might need to be done in advance to set that up?
    • Do you know how to make the ransom payment? Do you have access to a cryptocurrency wallet, and are you familiar with, comfortable with and able to make a significant purchase and transfer of a cryptocurrency (which becomes irreversible once triggered)?
    • Repeat Target: Showing a willingness to pay may set you up to be a target again in the future. This is especially likely if systems remain vulnerable to attack or if the threat actor has retained the data (rather than deleting it as promised). An organisation’s cyber security hygiene will need to be carefully considered as part of this assessment.
    • Negative Press: Generally speaking, the public is not supportive of companies paying ransoms, as it encourages threat actors to carry out further attacks. Consider how making a ransom payment may affect your business’s public image and how your client base perceives you.
    • Double Extortion: Even where you have chosen to pay the ransom, be aware of the possibility that the threat actor will then demand a subsequent payment to stop the publication of the data.

Recovery can be costly, so paying a ransom is often perceived to be the lower ‘cost’ option compared with attempting to recover, but the long-term consequences must be considered. The balance will vary from organisation to organisation, as the cost of not paying could be greater, e.g. the threat of insolvency, reputational damage stemming from service interruptions, or the potential for loss of life or wide-scale economic disruption.

Not paying the ransom

Decided not to give in to the threat actor’s demands? Welcome to the path less trodden. Some organisations have made it a policy not to pay the ransom should such a situation arise (or may be able to recover without payment). Even if you do decide to stand your ground, there are some further considerations you should take into account before refusing to pay.

    • Long term costs: Beyond the cost of the ransom itself and of recovering the data, consider what else your organisation stands to lose from not paying (for example, ongoing recovery costs may grow the longer systems remain unavailable). This is a bigger question for smaller companies and for public services and bodies, which have more at risk, such as the threat of insolvency, loss of life, or even extensive economic disruption (the extent of this risk will depend on the type of organisation impacted and the sector it is in).
    • Data Recovery: Is your organisation able to reconstruct or recover the data without paying the ransom (for example, from backups that were not themselves reachable by the attacker)? Or is data restoration truly outside your organisation’s grasp?
    • Prepare for the worst: If the threat actor makes good on their threats, is your organisation prepared to deal with the fallout (whether financial, political or social) and with potential follow-on litigation in the event that personal data has been unlawfully processed or contracts breached?
    • Know thy enemy: Before you flatly refuse, fully consider any intelligence you are able to obtain about the ransomware group. This may colour your decision making.
    • Fill in the cracks: Your refusal to pay may cause the threat actor to double down and deploy further attacks to show they mean business. Identify and close the initial point of entry and any other vulnerabilities as soon as possible, and ensure you are protected against subsequent attempts.

When hit by a ransomware attack, each situation will be different and a company will have compelling reasons to pay (or not to pay) the ransom. Nevertheless, what is true in every scenario is that it will never be a simple yes or no answer. To reach the best decision for your organisation, be sure you have your response team ready at the drop of a hat. This may include your business’s legal, cyber, data protection, compliance and PR teams, who will be able to weigh in and give you as clear a picture as possible in what is already a very challenging situation.

© 2009- Duane Morris LLP. Duane Morris is a registered service mark of Duane Morris LLP.

The opinions expressed on this blog are those of the author and are not to be construed as legal advice.