Ransomware – To pay or not to pay?

Updated: Apr 22, 2023

In its simplest form, ransomware is a type of malicious software designed to block access to a computer system or computer files until a sum of money is paid.

Most ransomware variants encrypt the files on the affected computer (usually after a malicious link or ad has been clicked), rendering the system and/or files inaccessible, and then demand a ransom payment to restore access.

Ransomware is one of, if not the, leading cybersecurity threats of 2019.

Ransomware costs businesses more than $75 billion per year – a new organisation will fall victim to ransomware every 14 seconds in 2019. The number of ransomware attacks on businesses almost tripled between Q4 2018 and Q1 2019, while dozens of county, city and state governmental systems have already been hit in 2019. These stats and more had countless people asking the economic and moral cybersecurity question of the year… Do we pay or don’t we pay?

In March 2018, the city of Atlanta refused to pay a US $51,000 ransom, which resulted in an encrypted mess and city employees working off a “single clunky personal laptop”. The attack required Atlanta to restructure its 2019 budget. More than one-third, or 424, of the city’s software programs were fully or partially taken offline. Every day the city found more mission critical applications impacted by the cyberattack because they bled into other systems. The first month of recovery cost Atlanta $3 million. A few months later in June, the city’s then-interim CIO Daphne Rackley asked for another $9.5 million.

Ransomware hit another big American city this year. In May 2019, Baltimore refused to pay a $76,000 ransom, and residents still can’t pay their water bills. What’s worse is that, at the time of publication, The Baltimore Sun reported that city officials had just voted to transfer US$6 million from a fund for parks and public facilities to help pay for the devastating impact of the May ransomware attack on the city.

The value of a ransom is calculated deliberately by the hackers: high enough to make the attack worthwhile for them, but low enough that the victim can afford to pay.

Earlier this year Riviera Beach, Florida and Lake City, Florida agreed to pay $600,000 and $462,000 in ransom, respectively. Lake City’s hack went on for about two weeks, leaving the city’s phone and email systems inoperable, before it decided to pay. The Riviera Beach City Council unanimously voted to pay the ransom after the three-week-long attack encrypted its city records, disabled its email system and disrupted digital payroll and 911 systems.

Why it’s sometimes OK to pay up

The average ransomware incident lasts 7.3 days, according to Forrester, which includes recovery efforts. Paying a ransom is never a victim’s first choice, but Forrester argues the option should always be considered. Sometimes, it’s OK. No one wants to surrender to the enemy, but the alternative is losing business, money and time. Companies can underestimate their ability to restore their systems after an attack. In some situations, depending on the strain of ransomware, an entity would need twice as much disk space to run a backup in parallel. If that extra disk space is unavailable, restoration becomes that much harder.

“From an economic standpoint, it does actually make sense most of the time to pay the ransom as opposed to try to go through it and rebuild” – Casey Ellis, founder and CTO of Bugcrowd.

But the math becomes more challenging when ethics are added to the equation. The decision to pay a ransom is unique to every victim’s circumstances. Hackers are smart; they calculate ransoms to be low enough for their victim to pay, but high enough to make a profit.

What’s wrong with paying?

Critics say that paying a ransom funds an enemy’s business and could also set a precedent for others. But if there’s a concern for creating a market for paying bad actors, it can be argued the market already exists.

There’s a tendency for people to “jump to the moral high ground pretty quickly”, says Ellis. Entities choose either the economic or the ethical route, and “it’s either one or the other”. Appeasing both sides becomes a near-impossible task, especially when “never negotiate with terrorists” is the default U.S. stance. But no one has been prosecuted for paying a ransom.

It’s always a gamble to trust the enemy, but after a compelling event like a ransomware attack, “you tend to learn fairly quickly”, says Ellis. Riviera Beach’s city council voted to spend almost $1 million on computer system upgrades following the attack.

Criminalise Ransomware Payments? A Bad Solution for a Bad Problem

On June 24, the Washington Post proposed a simple solution for the ransomware problem that is plaguing U.S. critical infrastructure in general, and municipalities in particular. The Post opined that the solution to malicious ransomware was for Congress to “pass a federal law barring ransomware payments”. Not banning ransomware, mind you; banning ransomware payments. The Post also suggested that the Department of Homeland Security (DHS) “set up a digital ghostbusters task force to help municipalities come back online after an attack. Those that had implemented adequate defenses could get aid from the feds in footing the bill. Those who surrender to hackers would face fines sufficiently larger than the ransom”.

H.L. Mencken, the Bard of Baltimore, once opined: “For every complex human problem, there is a solution that is neat, simple and wrong”. This is one of them. The Post suggested that only entities that have “adequate [cyber] defenses” would be compensated for their costs of data recovery after a ransomware attack, implying that ransomware vulnerability is somehow evidence of moral corruption or lack of will. Entities both “good” and “bad” are hit by all manner of cyberattacks, including ransomware, for all manner of motives, including, as we now see, retaliation for U.S. cyberattacks. Entities with comprehensive cybersecurity programs may reduce the likelihood or impact of a ransomware attack, but we should not condition government response and coordination on “moral blame”. Punishing the victim of a cyberattack through increased response costs is probably not an effective deterrent.

Certainly ransomware, extortion-ware and threatened denial-of-service attacks that are motivated by financial gain could be discouraged if everyone around the world refused to pay a ransom. This would mean, as the cities of Atlanta and Baltimore learned, paying tens or hundreds of millions of dollars in ransomware “cleanup” costs to avoid paying thousands of dollars in ransom.

There are reasons not to pay a ransom wholly apart from economics. Hackers, governments, terrorists and others may use ransomware payments to finance other attacks, terrorism or other criminal activity, or to blunt the impact of economic sanctions. Companies that pay a ransom risk inadvertently supporting these activities, and the decision of whether to pay should be based on a broad-ranging risk/reward assessment that is not simply “it’s cheaper to pay”. Entities of all types should be encouraged (and rewarded) to cooperate with law enforcement agencies, government cyber security centres, and cybersecurity and forensic companies that can share information about threat actors, their motives, tools and tactics. The problem extends to extortion-ware: threatening to release stolen files or emails, threatening to turn over secrets to governments, selling trade secrets, threatening distributed denial of service attacks, doxing, revenge porn attacks, reputation-based attacks and even “pump and dump” SEC trading scams that rely on manipulating the reputation of a company with either accurate or inaccurate information. Any of these attacks, or threatened attacks, can be weaponized through the demand for extortionate payments.

Current U.S. policy appears to be that, while law enforcement does not encourage ransomware payments, and such payments present legal issues with respect to things such as U.S./U.N. sanctions, money laundering, cryptocurrency regulation and providing “material support” to bad guys, law enforcement will turn a blind eye to them, neither encouraging them nor outright prohibiting them. This is similar to the U.S. position on physical kidnapping and ransom. It may violate some laws, and the official position is to discourage it, “but if it was MY family …”. Indeed, insurance companies provide KRE (Kidnap, Ransom and Extortion) policies and cybercrime policies that are part of an effective program to respond to physical or electronic hostage-taking.

The Post concluded that “An anti-ransom law would be a dramatic step, but it’s the route to a dramatically positive result”. If you were on the operating table when the robot performing your surgery was shut down because the hospital refused to pay $500 to get it up and running, I’m not sure you would agree with the “dramatically positive result”.

US mayors: No more ransomware payments

More than 225 U.S. mayors agreed not to pay a ransom in the event of a cyberattack, according to the 2019 list of resolutions from the U.S. Conference of Mayors. Paying a ransom “encourages continued attacks” on government entities and financially supports malicious actors, the mayors said. The group has a “vested interest in de-incentivising” future attacks. There have been at least 170 cyberattacks on county, city or state government systems since 2013, and 22 happened in 2019, according to the mayors’ resolution. High-profile attacks, like Baltimore’s, have gained national attention.

To pay or not to pay? What is more important to you? Economics or morality?

Paying a ransom is always a gamble: there’s no guarantee victims will have their records or full operations restored, there’s no promise the attackers didn’t keep a digital copy of the data, and the payment almost certainly fuels another attack of some kind.

Cyber Stealth empowers cyber heroes with world-class security awareness training and simulated phishing.

It's Cyber Made Simple.
