Dark Reading is part of the Informa Tech Division of Informa PLC

Why You Should Be Prepared to Pay a Ransom

Companies that claim they'll never pay up in a ransomware attack are more likely to get caught flat-footed.

Mike Tyson used to say, "Everyone has a plan until they get punched in the face." It's much the same with ransomware attacks: No matter how much you insist that of course you'd never pay a ransom, your plans go out the window the first time you see all your organization's computers showing that "You've been hacked" screen. 

The truth is that organizations are increasingly paying ransoms to recover their data. In fact, 70% of businesses hit by ransomware attacks wind up forking over thousands of dollars to their attackers. Even local governments have paid ransoms to regain access to vital services. No matter how much we tell one another that we'd do things differently, the reality is that when your data disappears and you start losing clients or missing deadlines, you'll pay virtually any price to put things right. 

Rather than virtue-signaling with a blanket "We never pay" statement, organizations need to be realistic about the specific circumstances in which they'd pay a ransom. If you're a hospital and people will die if you don't get your computers back online STAT — yes, it's better to pay up. If you're in a less critical field, and it's just a question of waiting around while your backups come online, maybe you can ride it out without paying. 

But either way, it's important to be honest — with yourself, your C-suite, your directors, and other stakeholders — about how you'd respond to a successful ransomware attack. When you're clear and pragmatic about the circumstances in which you'd pay a ransom, you can make more meaningful plans. That starts with including the cost of ransom payments, and the fines you'll have to pay if you give cash to cybercriminals, in your IT budget. Your CEO might not enjoy budgeting for Bitcoin transfers to hackers, but it's better to plan ahead than to be blindsided by unanticipated costs.

A clear-eyed approach to the ransomware threat also makes it easier to handle the PR fallout from an attack. That's partly because you can plan ahead, and figure out how to create a crisis communications strategy that's aligned with the reality of the situation you find yourself in. Just as importantly, though, it's far easier to explain your ransom payments to customers and shareholders if you've been upfront about the risks you face, and haven't previously claimed that you'd never, ever pay to retrieve stolen data. 

Perhaps the most important reason to be honest about your ransomware response strategy, though, is that it gives you full visibility into the true cost of ransomware attacks, which in turn allows you to make more realistic cybersecurity ROI calculations. When you know how much a ransomware attack will cost you — including the ransom, the fines, and the potential damage to your brand — then you can make smarter and more informed decisions about how much you should be investing in cybersecurity designed to keep your data safe.

It's always better, after all, to make sensible investments in security upfront and avoid getting hacked in the first place. But unless you're correctly assessing the potential impact of an attack — including the inevitable cost of paying a ransom to recover your data — it's impossible to figure out how much you should really be paying to try to keep yourself safe. Without that kind of clarity, it's also impossible to weigh the value of each year in which you successfully fend off ransomware attacks on your organization — a key step toward justifying your investments in cybersecurity to shareholders, board members, or the rest of the C-suite. 

Accepting that there are circumstances in which you'd pay the ransom also makes it easier to differentiate your data and adopt a defensive posture that's tailored to the actual value of the data you're trying to protect. If there's some data you would pay a ransom to recover, and other data that you could easily do without or reconstruct, then it doesn't make sense to use the same defensive systems to protect both datasets. Instead, invest to protect your most valuable data and ensure that it's securely fenced off from your less valuable and less robust broader data ecosystem.

That's really the key insight I'm trying to communicate: not that you should always pay ransoms, nor that reflexively paying the ransom should be your default response if the worst happens, but rather that you should be clear-eyed about what your data is really worth to you. 

Pretending that you'd never pay a ransom is pointless posturing. Instead, aim to be realistic and upfront with your stakeholders and to implement security solutions (and, yes, post-ransomware payment strategies) that are proportional to the value of the data you're trying to protect. It's by thinking clearly about the costs involved that you'll ultimately be best able to take the necessary steps to keep your data safe.

Christopher Muffat is Dathena's Founder and CEO. He has over 14 years' experience in information security risk management, including leading the internal SwissLeaks digital forensics investigation for HSBC and thereafter acting as Head of Information Risk Management for ...

Simon Hunt
5/14/2021 | 10:58:32 AM
To pay or not to pay.
Paying a cyber ransom doesn't end there - that money is then used to fund attacks on other organizations, fund drug trafficking, human trafficking, guns, terrorism, and other similar criminal activity. You're not giving money to a teenager sitting in their mother's basement. 

Paying has huge societal and moral implications - it's not just a "business risk decision". 