6 Reasons Not to Pay Ransomware Attackers
Paying a ransom might appear to be the best option, but it comes with its own costs.
March 17, 2022
![Hand holding bitcoins in front of a laptop computer with open screen](https://eu-images.contentstack.com/v3/assets/blt6d90778a997de1cd/blt7d6d3768066969a0/64f1532a8762bf7a3a6b8d93/ransompay_Steve_Heap_shutterstock.jpg?width=700&auto=webp&quality=80&disable=upscale)
Steve Heap via Shutterstock
Victims of ransomware attacks face the excruciating choice of either paying off their attackers or risking considerable disruption in attempting to restore encrypted data on their own or — as is often the case — with the help of an incident response firm.
Numerous studies have shown that most victims prefer paying a ransom either because they don't have proper data backups or because they view it as a less expensive and less risky option compared to not paying. In a survey that ThycoticCentrify conducted last year, for instance, 83% of ransomware victims said they had no choice but to pay a ransom to get back access to their data, and more than 90% said they had allocated a special budget for fighting ransomware threats.
There are many who perceive making a ransom payment as a necessary evil because of the enormous financial damage that can result otherwise. Sixty-six percent of 1,263 respondents in a Cybereason survey reported substantial revenue losses as the direct result of a ransomware attack. Most of it stemmed from disruptions to business processes, system downtime and the resources required to restore systems. These costs can mushroom the longer an organization takes to recover from an attack, which is why many ransomware victims find it preferable to just pay off their attackers.
But is that a good idea — and does it really work? Here are six reasons, according to security experts, why paying a ransom may not be the best idea.
Most ransomware victims assume they can regain access to their data and systems if they pay the attacker the demanded ransom amount. This is how it works in many cases. But there are numerous instances where organizations pay a ransom only to discover the decryption key doesn't work or that the data is unusable anyway.
A study Cybereason conducted last year showed that just 51% of victims that paid a ransom were able to successfully get back access to their data without any loss of encrypted data. Some 46% regained access to their data after payment only to discover that some, or all, their data had been corrupted. Three percent did not regain any access to their encrypted data — even after making a payment.
Another study by Sophos unearthed even more troubling numbers. The security vendor found that just 8% of businesses that paid a ransom got all of their data back. Twenty-nine percent regained access to no more than half of their data. On average, businesses that paid a ransom regained access to just 65% of the data that had been encrypted.
"Paying the ransom doesn’t always result in restored operations," says Matthew Warner, CTO and co-founder at Blumira. "[This can] further increase the cost of a ransomware attack."
Ultimately, you should avoid paying ransoms as it provides more encouragement for these individuals to attack others, says John Bambenek, principal threat hunter at Netenrich. "Remember, the paying of ransoms doesn't guarantee results," he adds.
Many organizations accede to a ransom demand because they don't have data backups in place to recover from an attack. Many others do so simply to avoid operational disruptions and the effort involved in unlocking encrypted data and systems. Whatever the reason, paying an attacker to get off your back is not a good idea because it only attracts more attacks, security experts say.
Threat actors will perceive a company that has paid once as being likely to pay again if their data were to get encrypted in a subsequent attack. A Cybereason study last year showed that as many as 80% of organizations that paid a ransom experienced a second attack, often by the same group that attacked it the first time.
"Once you pay a ransom, there's no reason to think that [the attackers] won't keep coming back for more in the future," says Joseph Carson, chief security scientist and advisory CISO at Delinea. "Odds are that you won't be a victim only one time." In some instances, security vendors have reported observing attackers who have been paid off coming back at the victim a second time — under the guise of another threat actor.
The advice that has always been given is to never negotiate, says Corey O’Connor, director of products at DoControl.
"There's no guarantee that you'll even get your data back," O'Connor says. "The other thing is if you do pay up, you put an immediate target on your back for future attacks."
The ransomware tools that most threat actors use remain basic and relatively unchanged over the years. But some have begun using very complex and sophisticated malware in their extortion campaigns. One example is a group called the BlackCat gang, which surfaced earlier this year with an eponymously named ransomware tool that some have described as extremely sophisticated.
BlackCat is thought to be the first ransomware written in Rust, which allows the authors of the malware to quickly compile it for multiple operating system environments. The malware is highly configurable, can be customized on-the-fly for individual attacks, uses multiple encryption routines, and implements multiple features for obfuscation and evading detection mechanisms.
Ransomware payments can fuel innovation in the malware industry, says Blumira CTO Warner. "Ransomware groups pour that profit into initiatives such as research and development — in other words, honing techniques to make ransomware less detectable and more damaging."
There's also the danger of ransom payments funding other criminal endeavors, adds Delinea's Carson. "This could include drug or weapons traders, human trafficking, etc.," he says. "Your ransomware payment could [also] very easily be going to fund other crimes, even in sanctioned places, such as Russia."
Double-extortion attacks have become relatively common over the last two years. These are attacks where a ransomware actor steals data from an organization before encrypting it and then uses the threat of leaking the data via a data leak site as additional leverage for extracting money from the victim. The practice started in late 2019 with the Maze ransomware group, and has become a component of most ransomware attacks these days.
One indication of the scope of the problem is a study by Group IB that uncovered a startling 935% increase in the number of ransomware victims (from 229 to 2,371) whose data was published via a data leak between H2 2020 and H1 2021 compared to the same period the prior year.
Often, the doxing has involved companies that had already paid a ransom. Vendors like Coveware have reported seeing several ransomware groups, including the operators of Maze, Sodinokibi, Netwalker, and Conti, leaking victim data — either deliberately or inadvertently — even after they had received a ransom. "As double extortion becomes more common, it’s relatively easy for ransomware operators to not follow through on their initial promise," says Warner from Blumira.
Andrew Barratt, vice president of technology and enterprise at Coalfire, says the challenge here is that for some organizations, the cost of the extortion can be cheaper than the cost of full recovery.
"They are then in the absurd situation of having to trust the criminal group to stick to their promise and, at the same time, not come back for more," Barratt says. "These are all things that most traditional law enforcement groups would argue are the wrong things to do."
Companies that make ransom payments to threat actors based outside the country run the risk of transacting with groups and individuals that the US government has imposed sanctions against.
In October 2020, the U.S. Department of the Treasury's Office of Foreign Assets Control (OFAC) warned organizations to be cognizant of the sanctions risks involved in ransomware payments. OFAC's advisory pointed to sanctions it had imposed against individuals and groups behind ransomware operations such as Cryptolocker, SamSam, WannaCry, and Dridex from countries such as Iran, Russia, North Korea, and Syria. Making ransomware payments to such entities would violate OFAC sanctions and heighten the risk of the threat actors using those payments to fund other attacks against the US, OFAC warned.
Somewhat ominously, the OFAC memo — updated in Sept. 2021 — highlighted a US statute called the Trading with the Enemy Act (TWEA), which prohibits US citizens from conducting transactions with individuals on OFAC's so-called Specially Designated Nationals and Blocked Persons List (SDN List).
Financial institutions and other intermediaries that facilitate ransomware payments could violate US regulations on money transmission if they fail to comply with certain obligations specified by the Treasury Department's Financial Crimes Enforcement Network (FinCEN).
In an October 2020 advisory, FinCEN noted that in some circumstances, entities facilitating a ransomware payment could fall under the category of a Money Services Business (MSB). Such a designation would require the organization to register with FinCEN and would subject it to specific requirements under the Bank Secrecy Act (BSA).
"The prevalence of ransomware attacks has led to the creation of companies that provide protection and mitigation services to victims of ransomware attacks," FinCEN said, pointing as examples to digital forensics and incident response (DFIR) companies and cyber insurance companies (CICs). Some DFIR companies and CICs, as well as some MSBs that offer convertible virtual currencies (CVCs), facilitate ransomware payments. Depending on the particular facts and circumstances, the activity these entities engage in when facilitating a payment could constitute a money transmission they would need to report, FinCEN said.