To Pay or Not to Pay
Ransomware payment decisions are complex, involving legal, financial, ethical, and operational considerations.
Arguments Against Paying
Financial:
- Funds a criminal enterprise
- Doesn't guarantee decryption
- Marks the organization as a repeat target
- Encourages future attacks
- Often exceeds insurance coverage
Legal:
- May violate sanctions laws (payments to criminals or sanctioned foreign entities)
- OFAC sanctions against specific countries and groups
- Regulatory penalties possible
- May amount to facilitating money laundering, which is illegal
- Some industries are prohibited from paying
Operational:
- Decryption keys and tools are unreliable
- Decryption takes days to weeks
- Recovery from backups is often faster
- Doesn't resolve the underlying security breach
- Doesn't prevent data publication
Ethical:
- Funds an ongoing criminal enterprise
- Enables attacks on other victims
- Perpetuates the ransom business model
Arguments For Paying
Financial:
- Recovery cost might exceed the ransom
- Insurance may cover the payment
- Faster resumption of operations
- Negotiation may reduce the demand
- Downtime costs may exceed the ransom
Operational:
- Backups might not work
- Recovery takes too long
- Business continuity is critical
- Insurer may negotiate the payment
Data Protection:
- May prevent data publication
- No guarantee: relies entirely on the attacker keeping their word
- Some attackers delete the data once paid
Pre-Attack Decisions
Make these decisions before an attack occurs:
- Insurance: Does the policy cover ransom payments?
- Finances: What is the maximum affordable amount?
- Legal: Which jurisdictions apply?
- Authority: Who has authority to decide whether to pay?
- Negotiators: Who handles ransom discussions?
- Law enforcement: Report? Cooperate?
Legal requirement: report to law enforcement (FBI or local agencies)
Payment Considerations Checklist
- Can you recover from backups?
- How long does recovery take compared with the business impact?
- What is the estimated ransom?
- Does insurance cover it?
- What are the legal implications?
- Are there OFAC or other sanctions concerns?
- Will the data be leaked if you don't pay?
- Can the ransom be negotiated lower?
- Who has authority to decide?
- What is law enforcement's position?
Average Ransom Data
Statistics:
- Average ransom: $5-$15 million (2024)
- Median ransom: $250,000-$600,000
- Payment frequency: 30-50% of victims
- Decryption success: 60-80% (not guaranteed)
Trends:
- Ransoms increasing annually
- Double extortion (pay or data released)
- Targeting high-revenue organizations
- Sophisticated negotiation tactics
Negotiation Reality
Many attacks do involve negotiation, for example:
- Initial demand: $10 million
- Negotiated settlement: $1-$2 million
- Negotiators: specialized firms, with law enforcement guidance
- Timeline: days to weeks of negotiation
Government Guidance
US Government (FBI):
- Recommends against payment
- Payment may violate sanctions if the attacker is a sanctioned foreign entity
- Encourages reporting
- Provides investigation assistance
- Guidance: don't pay; coordinate any negotiation with the FBI
European Guidance:
- Varies by country
- Generally discourages payment
- Escalation to law enforcement is required
- GDPR implications for data breaches
Insurance Industry:
- Often covers the ransom
- Incident response support
- Negotiation assistance
- Recovery support
Conclusion
Ransom payment is a complex decision involving:
- Financial cost-benefit analysis
- Legal compliance (OFAC, sanctions)
- Insurance policy terms
- Operational impact
- Ethical considerations
Best practice:
- Maintain strong backups so that payment is unnecessary
- Prepare the decision framework in advance
- Report to law enforcement
- Consult legal counsel and the insurer
- Never pay without careful analysis
Organizations with robust backups rarely face the payment decision at all: they simply restore.