Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


10:00 AM
Connect Directly
E-Mail vvv

Why You Should Be Prepared to Pay a Ransom

Companies that claim they'll never pay up in a ransomware attack are more likely to get caught flat-footed.

Mike Tyson used to say, "Everyone has a plan until they get punched in the face." It's much the same with ransomware attacks: No matter how much you insist that of course you'd never pay a ransom, your plans go out the window the first time you see all your organization's computers showing that "You've been hacked" screen. 

The truth is that organizations are increasingly paying ransoms to recover their data. In fact, 70% of businesses hit by ransomware attacks wind up forking over thousands of dollars to their attackers. Even local governments have paid ransoms to regain access to vital services. No matter how much we tell one another that we'd do things differently, the reality is that when your data disappears and you start losing clients or missing deadlines, you'll pay virtually any price to put things right. 

Related Content:

8 Ways Ransomware Operators Target Your Network

Special Report: Assessing Cybersecurity Risk in Today's Enterprises

New From The Edge: Planning Our Passwordless Future

Rather than virtue-signaling with a blanket "We never pay" statement, organizations need to be realistic about the specific circumstances in which they'd pay a ransom. If you're a hospital and people will die if you don't get your computers back online STAT — yes, it's better to pay up. If you're in a less critical field, and it's just a question of waiting around while your backups come online, maybe you can ride it out without paying. 

But either way, it's important to be honest — with yourself, your C-suite, your directors, and other stakeholders — about how you'd respond to a successful ransomware attack. When you're clear and pragmatic about the circumstances in which you'd pay a ransom, you can make more meaningful plans. That starts with including the cost of ransom payments — and for the fines you'll have to pay if you give cash to cybercriminals — in your IT budget. Your CEO might not enjoy budgeting for Bitcoin transfers to hackers, but it's better to plan ahead than to be blindsided by unanticipated costs. 

A clear-eyed approach to the ransomware threat also makes it easier to handle the PR fallout from an attack. That's partly because you can plan ahead, and figure out how to create a crisis communications strategy that's aligned with the reality of the situation you find yourself in. Just as importantly, though, it's far easier to explain your ransom payments to customers and shareholders if you've been upfront about the risks you face, and haven't previously claimed that you'd never, ever pay to retrieve stolen data. 

Perhaps the most important reason to be honest about your ransomware response strategy, though, is that it gives you full visibility into the true cost of ransomware attacks, which in turn allows you to make more realistic cybersecurity ROI calculations. When you know how much a ransomware attack will cost you — including the ransom, the fines, and the potential damage to your brand — then you can make smarter and more informed decisions about how much you should be investing in cybersecurity designed to keep your data safe.

It's always better, after all, to make sensible investments in security upfront and avoid getting hacked in the first place. But unless you're correctly assessing the potential impact of an attack — including the inevitable cost of paying a ransom to recover your data — it's impossible to figure out how much you should really be paying to try to keep yourself safe. Without that kind of clarity, it's also impossible to weigh the value of each year in which you successfully fend off ransomware attacks on your organization — a key step toward justifying your investments in cybersecurity to shareholders, board members, or the rest of the C-suite. 

Accepting that there are circumstances in which you'd pay the ransom also makes it easier to differentiate your data and adopt a defensive posture that's tailored to the actual value of the data you're trying to protect. If there's some data you would pay a ransom to recover, and other data that you could easily do without or reconstruct, then it doesn't make sense to use the same defensive systems to protect both datasets. Instead, invest to protect your most valuable data and ensure that it's securely fenced off from your less valuable and less robust broader data ecosystem.

That's really the key insight I'm trying to communicate: not that you should always pay ransoms, nor that reflexively paying the ransom should be your default response if the worst happens, but rather that you should be clear-eyed about what your data is really worth to you. 

Pretending that you'd never pay a ransom is pointless posturing. Instead, aim to be realistic and upfront with your stakeholders and to implement security solutions (and, yes, post-ransomware payment strategies) that are proportional to the value of the data you're trying to protect. It's by thinking clearly about the costs involved that you'll ultimately be best able to take the necessary steps to keep your data safe.

Christopher Muffat is Dathena's Founder and CEO. He has over 14 years' experience in information security risk management, including leading the internal SwissLeaks digital forensics investigation for HSBC and thereafter acting as Head of Information Risk Management for ... View Full Bio

Recommended Reading:

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
Simon Hunt
Simon Hunt,
User Rank: Apprentice
5/14/2021 | 10:58:32 AM
To pay or not to pay.
Paying a cyber ransom doesn't end there - that money is then used to fund attacks on other organizations, fund drug trafficking, human trafficking, guns, terrorism, and other similar criminal activity. You're not giving money to a teenager sitting in their mother's basement. 

Paying has huge societal and moral implications - it's not just a "business risk decision". 
I Smell a RAT! New Cybersecurity Threats for the Crypto Industry
David Trepp, Partner, IT Assurance with accounting and advisory firm BPM LLP,  7/9/2021
Attacks on Kaseya Servers Led to Ransomware in Less Than 2 Hours
Robert Lemos, Contributing Writer,  7/7/2021
It's in the Game (but It Shouldn't Be)
Tal Memran, Cybersecurity Expert, CYE,  7/9/2021
Register for Dark Reading Newsletters
White Papers
Current Issue
How Enterprises Are Assessing Cybersecurity Risk in Today's Environment
The adoption of cloud services spurred by the COVID-19 pandemic has resulted in pressure on cyber-risk professionals to focus on vulnerabilities and new exposures that stem from pandemic-driven changes. Many cybersecurity pros expect fundamental, long-term changes to their organization's computing and data security due to the shift to more remote work and accelerated cloud adoption. Download this report from Dark Reading to learn more about their challenges and concerns.
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2022-01-27
An SQL Injection vulnerability exists in Sourcecodester Simple Chatbot Application 1.0 via the message parameter in Master.php.
PUBLISHED: 2022-01-27
A Remote Code Execution (RCE) vulnerability exists in Sourcecodester Simple Chatbot Application 1.0 ( and previous versions via the bot_avatar parameter in SystemSettings.php.
PUBLISHED: 2022-01-27
Dolphinphp v1.5.0 contains a remote code execution vulnerability in /application/common.php#action_log
PUBLISHED: 2022-01-27
From version 0.2.14 to 0.2.16 for Solana rBPF, function "relocate" in the file src/elf.rs has an integer overflow bug because the sym.st_value is read directly from ELF file without checking. If the sym.st_value is rather large, an integer overflow is triggered while calculating the variab...
PUBLISHED: 2022-01-27
There is a front-end sql injection vulnerability in cszcms 1.2.9 via cszcms/controllers/Member.php#viewUser