Should you pay a hacker's ransom demand?

by Azeem Aleem

29 October 2019


Ransomware turns 30 this year. The first-known ransomware was distributed in 1989 at an international AIDS conference, earning the title ‘AIDS Trojan’ and, in the last three decades, it has become one of the most pervasive cybersecurity threats across the globe.

Ransomware attacks target organisations from the very large to the very small. They also target every sector, with cities and government agencies particularly vulnerable.

The question is – would victims of an attack actually pay a ransom demand from a hacker? Faced with this situation, you would expect most organisations to decline. But given that ransomware attacks can take down systems, cause major disruption and rack up serious costs, it’s perhaps no surprise that some would rather pay a ransom than suffer the consequences of not paying up.

In fact, if our latest Risk:Value Report is anything to go by, a third would rather pay a ransom to a hacker than invest in cybersecurity. This is the same figure as in 2018, showing a lack of progress on cybersecurity. Why? Because they still consider it the cheaper option.

What’s also concerning is that 36% would rather pay a ransom than get fined for non-compliance, suggesting a fear of the consequences of non-compliance. It also shows a lack of confidence in dealing with regulatory issues, and a failure to develop an effective incident response plan.

The problem is that ransomware shows no signs of slowing down. With Ransomware-as-a-Service (RaaS) picking up steam, the barrier to entry for becoming a ransomware attacker has never been lower, so we can expect to see more companies come under attack.

One of the more high-profile examples in recent months is Norsk Hydro, which refused to negotiate with hackers and lost a reported GBP 45 million. Hit with a ransomware demand, the company not only declined to pay, but has also become an example of how to deal with cybercriminals. Ethically the firm made the right decision, but it has suffered huge financial damage as a result.

For others, the temptation to pay up is simply too strong. A Florida city council, for example, recently agreed to pay attackers USD 600,000 in the form of 65 bitcoins – often the preferred method of payment. However, it’s important to note that paying a ransom does not guarantee that a cybercriminal will co-operate, and it could even encourage further criminal behaviour.

Businesses would also need to question whether their insurance policy would cover the cost of recovery and remediation, and whether that cover would be affected if they paid a ransomware demand. Conversely, ProPublica recently published an investigation into insurance companies that are reportedly ‘both fuelling and benefiting from’ ransomware attacks by opting to pay ransoms.

While paying a ransom might, on the surface, seem like the right thing to do, it is not a move that we would recommend. The bottom line is that no organisation should ever have to ask whether a ransom demand – or indeed investing in cybersecurity – is the cheaper option. Businesses should already be investing in cybersecurity – patch management, incident response planning, backup solutions, and training and testing end users – in order to be prepared for such an attack.

Azeem Aleem

VP, Cybersecurity Consulting, NTT Ltd.