Should your company pay cybercriminals after a ransomware attack? It depends.
- Ransomware attacks can harm companies' operations and customer confidence.
- The FBI advises against paying hackers, but negotiators can help businesses assess their options.
Cybercriminals stealing important data and holding it for ransom can be a company's worst nightmare.
Instances of ransomware, a type of malicious software that holds sensitive data hostage until a victim pays the attacker, are becoming more common. The security firm Mandiant, a Google subsidiary, said it found a 75% increase in posts on data-leak sites from 2022 to 2023.
Some companies choose to pay cybercriminals, and others don't. MGM and Boeing reportedly declined to pay millions of dollars that hackers sought after data breaches. The software firm CDK Global likely paid $25 million when it was attacked, and the casino operator Caesars reportedly paid $15 million.
"The position we generally take is that if you don't need to pay ransom, you should not pay ransom," said Mark Lance, the vice president of digital forensics and incident response and threat intelligence at GuidePoint Security, which helps organizations negotiate ransomware. "We do not recommend funding a criminal organization or making a payment if it's unnecessary."
But he said companies may decide to pay up for a variety of reasons. "We educate clients who are the victims on what to expect if they're impacted by ransomware and what some of the benefits might be if they did pay versus didn't pay," he said.
While many ransomware attacks are preventable, they happen every day to companies of all sizes. Here's what ransomware negotiators want you to know about whether to pay hackers.
Why some companies decide to pay
Kurtis Minder, the CEO of GroupSense, which offers ransom-negotiation services, said companies must consider the "blast radius associated with the attack."
"There's operational interruption," he said, "but in addition to that, they need to consider things like brand impact, the PR impact, and the customer-confidence concerns," including the release of sensitive data.
IBM has estimated that data breaches will cost an average of $4.9 million in 2024, 10% more than last year.
Minder said some companies face going out of business if they don't pay the ransom. When their systems are down and they don't have backups, they're often unable to continue business operations.
Lance gave an example of a hospital his company worked with that found that paying a ransom to get important files back would cost it about one-seventh of what it would spend to access backups of the files.
He said organizations might also pay when cybercriminals take sensitive or proprietary information, such as personally identifiable information, and threaten to release it.
Both paying and not paying can be risky
Lance said that whether to pay ransom is ultimately up to individual companies.
The FBI warns against paying ransom to attackers, as there's no guarantee you'll get your data back. The agency also argues that paying incentivizes hackers to target more victims.
Minder and Lance say many cybercriminal organizations are sophisticated and have their own reputations to uphold — so they usually do what they say and provide instructions for decrypting the stolen information once they receive payment.
"It's always a risk paying a threat actor because you're dealing with somebody who just stole information from your environment and is basically holding your data hostage," Lance said. "There are motivations for them to make sure that you do get access back to your systems and are able to recover."
Still, Minder said, you can't know for sure. But if you don't pay, your data will most likely stay encrypted, sensitive information may be released, and you may be at risk of getting attacked again.
Minder added that while companies are encouraged to report ransomware attacks to law enforcement, not all of them do.
There's no federal law that prohibits paying cybercriminals. But the government prohibits financial transactions, including ransom, with certain entities designated as foreign terrorist organizations. Some states, including Florida and North Carolina, have laws banning government entities from paying cyberattackers.
The US Securities and Exchange Commission requires public companies to disclose details about cybersecurity incidents that are "material," meaning likely to affect their operations, reputation, or finances.
Seeking help is crucial
Lance said that if you encounter ransomware, "don't try to go at it alone without any experience."
He added that hiring a negotiator or talking with others in the same industry who've experienced an attack can help companies avoid pitfalls, which can include not having a response plan, waiting too long to respond, and not communicating effectively with cybercriminals.
Negotiators have experience interacting with dozens of cybercriminal groups; Lance said that knowledge of these organizations' backgrounds and histories is useful during negotiations.
Minder said that working with negotiators could help companies assess their risk and decide whether to pay. Negotiators can also help navigate the logistics of paying and getting a company's systems back up and running and can work with law enforcement and insurance companies.
Lance said the negotiation process involves setting expectations when a company decides to pay ransom — this includes ensuring the company can decrypt stolen files and data, demanding proof that data was deleted, and obtaining details about how the cybercriminals accessed the company's system.
"We want to educate people that ransomware is a real and relevant threat" that most likely isn't going away, Lance said. But he added that there are "basic things that you can do to protect yourself from being a victim."