Should you pay a cyber criminal's ransom?

In brief

With ransomware attacks affecting six out of 10 Australian organisations,¹ businesses are being forced to decide whether to concede to the ransom demands of cyber criminals in order to regain access to critical data. However, with no guarantee that payment of a ransom will release their data, businesses must also weigh the cost of data loss or sustained business interruption against the cost of the ransom and the knowledge that their payment will contribute to an ongoing problem.

We've compiled a list of considerations for businesses struggling with these practical and ethical dilemmas. Given the short deadlines often imposed for compliance with ransomware demands, we recommend running through this list (to the extent that you can) before any ransomware attack.

1. What is the subject of the ransomware attack? Specific data files or devices? Whole IT systems?
2. Is your data backed up? How long will it take, and what will it cost, to restore your data?
3. Is a technical solution (eg decryption) available to you? If so, how long is it likely to take?
4. How much are the cyber criminals demanding to release your data? What are the other likely financial costs of not paying the ransom? Don't forget to include the cost of destruction or loss of data, lost productivity, business interruption, investigation, public relations, attempted restoration and recovery of computer systems.
5. What about the non-financial costs? Will lack of access prevent you from providing key services? Are lives at stake?
6. Does your insurance policy cover cyber extortion? If so, what conditions are imposed on your ability to claim under the policy?
7. What is your company's tolerance for payment of ransoms? Will it refuse to pay them on principle?
8. What are your contractual obligations in relation to the data being held hostage? Are you required to take all steps necessary to recover data?
9. Is payment of the cyber ransom legal? Have the ransomware operators identified themselves to you as a known terrorist organisation or a money launderer? What is the risk of enforcement in the event that you do pay the ransom? If payment is not legal and you have paid, is a criminal defence available to you?²

Keep in mind:

• If you choose to pay the ransom, there is no guarantee that your data will be released or that the attackers will not strike again. A 2017 Telstra cyber security report that surveyed Australian businesses found that roughly one in three of those who gave into ransom demands did not recover their files following payment.³
• Paying the ransom identifies you as a compliant victim, increasing the risk that you may be further targeted by ransomware operators in the future.
• Every successful ransomware attack incentivises the next. By giving into ransom demands, you reward the activity, encourage further ransomware operations and help the industry grow. In recent years, agencies such as the FBI suggested that impacted companies and organisations simply pay ransomware operators to regain access to their data. These days, as outbreaks of ransomware are becoming more common, law enforcement agencies and advisory services recommend that you don't pay the ransom.