Ransomware: To pay or not to pay

Reading time: 5 minuten

Category: Trends and Reports

You watch in horror as your screen flickers and then changes – the presentation you were working on is replaced by a ticking clock and a menacing skull logo. Text appears onto the screen and your heart drops: “Your files are encrypted. Pay the ransom within 72 hours, or your files will be lost forever.”

Panic takes over as you think of all your hard work, all the files lost, everything now locked behind a paywall. You consider clicking the link, seeing what they’re asking for, but then you grow defiant. You’re not going to give into these criminals. You’re going to fight back! You pick up the phone, and you and your team of cybersecurity experts get to work.

Let’s assume for a moment that, one day, perhaps sooner, perhaps later, you will face the reality of a ransomware attack. Chances are that, in the moment, your cybersecurity team will turn to you as the decision maker.

In the heat of the moment, you likely won’t have the time to properly think this decision through. Whilst those around you can offer advice and maybe even statistics to help you make the decision, at the end of the day, it’s your call.

You have to answer the million-dollar (or maybe even more) question: to pay or not to pay.

No one can make the decision for you

In one of the biggest ransomware cases of recent years, Colonial Pipeline was targeted. This American oil pipeline system initially didn’t want to negotiate or pay, but eventually, after a six-day shut down, they had to relent. They paid a total of 4.4 million dollars. And they’re not alone –  surveys show that 94% of companies would pay if they were faced with ransomware.

That being said, what’s right or necessary for others may not apply to your situation. We can’t tell you whether or not you should meet ransomware demands – no one can.

What we can tell you is that you don’t want to be making that decision in the heat of the moment. There’s likely a lot on the line and a lot of information coming your way – not exactly the perfect moment to be making such an important decision.

Are you prepared to make that call, right there and then? Or would you rather have thought about it ahead of time?

We will never pay!

Some companies decide to make a blanket statement decision about ransomware – we will not pay. We will never pay. We won’t give in to those criminals!

Whilst principally most of us wish that was the decision we can make; reality requires a little more nuance. The moral high ground becomes less and less appealing if you’re a hospital manager, five days into a ransomware attack, with all your machinery down and your patient data potentially out on the streets.

In short, there are situations in which your decision about pointedly not paying may change.

This isn’t just about ransomware

The hospital scenario is just an example, and honestly, so is ransomware. Today’s threat landscape is vast and varied and it’s important to prepare for what’s out there to the best of your abilities.

As much as this means setting up preventative cybersecurity methods, it also means thinking about potential scenarios like the one mentioned above, beforehand.

Every situation is different and, in some cases, yes, you will have to make a high stakes decision in the heat of the moment. But using ransomware as an example: thinking about the pros and cons of whether or not you will pay ahead of time, already means you’re more prepared than most other companies out there.

This doesn’t just give you peace of mind, but it also helps your Cyber Security Incident Response Team. If they have clear, pre-existing guidance on how to act in the face of a ransomware attack, they too will be better prepared to deal with such situations.

Our cSirt superheroes!

Putting together an in-house team of CSIRT superheroes is not always an option. We have our own team of superheroes, ready to jump into action whenever you need them.

Find out more about our incident response services here:

Cybersecurity Incident response brochure

Decisive like the CSIRT

CSIRTs are known to be effective and decisive in the heat of the moment. They’re able to make those heat of the moment decisions because they’re experts in their field, who are aware of the threat landscape.

Decision makers can and should be aware that threats like ransomware attacks can and very well may be around any corner. Knowing something could be coming, allows you the luxury of thinking about the best approach and best decision ahead of time.

So no, no one can decide for you whether or not you should or shouldn’t pay.

But you can consider and discuss such a decision ahead of time. At the very least, this saves you the stress and headache that comes with making such a decision in the heat of the moment.

At most, this means you’re not just a victim. You’re ready for the fight and to face whatever challenges the future might hold.