Why Companies Should Not Pay Ransom Fees

November 15, 2021

Increased reliance on technology brings increased potential for cybercrime, and ransomware is no exception. An investigation by Verizon in early 2021 reported that 10% of breaches from 2020–2021 involved ransomware, a type of malware that attacks a company's computer network, encrypting its data and demanding payment in exchange for release of the locked-down files. While cyber insurance can help to protect companies against loss due to ransomware attacks, the issue of how to handle this type of crime is still largely controversial.

Should Businesses Pay Ransomware?

The FBI estimates that nearly $1 billion is paid out in ransom to cyber criminals every year, despite their official position that advises victims not to pay. In some cases, the cost of attempting to recover from the attack exceeds the cost of paying the ransom. For example, the city of Baltimore was attacked with a ransomware demand of $75,000 in bitcoin, which the city refused to pay. Recovery took over two months with a total loss of at least $18.2 million, including lost revenue and the expense of restoring the hijacked systems.

While some businesses feel it's safer and cheaper to pay the ransom, the reality is that paying does not guarantee a quick or easy resolution to the issue.

What Are the Consequences of Paying the Ransom?

It's important to keep in mind that the individuals behind the ransomware are criminals, and they can't be trusted to keep their word. Even if they do honor the agreement, there are several reasons why paying the ransom is a bad idea.

1. Legal penalties. The Office of Foreign Assets Control (OFAC) has a sanctions program that penalizes anyone who provides support to cyber criminals residing in or operating from a sanctioned country.
2. Data loss. Decrypters provided by the attackers may not work. The data recovery can take weeks, and there is no guarantee that all of it will be recoverable. In fact, an average of 46% of data is recovered from ransomware attacks, with 51% of victims recovering all of their data and 3% recovering nothing after making their payments.
3. Wrong message. When hackers are paid for their crimes, they are receiving reinforcement for their ransomware actions. This shows that the tactics work and encourages a repeat of the extortion scheme on the same business or similar businesses in the future. Research shows that 80% of companies that pay the ransom demand become the victim of another attack, with 46% of those crimes committed by the same attacker.

Organizations should take precautions against ransomware by following prescribed cyber security measures and obtaining cyber insurance. If your client’s business becomes the victim of a ransomware attack, the decision on how to recover is a difficult one. Keep in mind the FBI advises against paying the criminals. ◼