When it Comes to Ransomware, Should Your Company Pay?

October 10, 2021

Contributor: Susan Moore

It's a difficult call, but being prepared goes a long way.

Earlier this year, Colonial Pipeline paid hackers $4.4 million in ransom for a decryption tool that restored oil operations, despite FBI and Department of Homeland Security recommendations that companies avoid paying ransoms. The CEO later testified before the U.S. Congress that the debilitating impact to the country’s fuel supply drove the decision, but it remains a controversial solution.

It begs the question: What would your organization do if it was hit by a ransomware attack? Would — and should — you pay to get back data or restore systems?

“Deciding whether to pay the ransom is a difficult decision and one that must be made carefully at the board level, not by security and risk leaders,” says Mark Harris, Senior Director Analyst, Gartner. “Understanding what happens if you pay is key to making that decision.”

Download now: How to Prepare for Ransomware Attacks

What happens if you pay?

Theoretically, if organizations pay the ransom, the attackers will provide a decryption tool and withdraw the threat to publish stolen data. However, payment doesn’t guarantee all data will be restored. Executives need to carefully consider the realities of ransomware, including:

  • On average, only 65% of the data is recovered, and only 8% of organizations manage to recover all data.
  • Encrypted files are often unrecoverable. Attacker-provided decrypters may crash or fail. You may need to build a new decryption tool by extracting keys from the tool the attacker provides.
  • Recovering data can take several weeks, particularly if a large amount of it has been encrypted.
  • There is no guarantee that the hackers will delete the stolen data. The could sell or disclose the information later if it has value.

The realities of ransomware

Ransomware is a sustainable and lucrative business model for cybercriminals, and it puts every organization that uses technology at risk. In many cases, it is easier and cheaper to pay the ransom than to recover from backup. But supporting the attackers’ business model will only lead to more ransomware.

Law enforcement agencies recommend not paying, because doing so encourages continued criminal activity. In some cases, paying the ransom could even be illegal, because it provides funding for criminal activity.

We recommend engaging with a professional incident response team, law enforcement and regulatory bodies before negotiating with attackers.

Listen now: How to Prepare for Ransomware Attacks

Prepare now

Organizations cannot 100% prevent ransomware attacks. The best thing you can do is assume you will be hit, and have plans in place that enable a quick response.

This includes running through exercises about what happens when an attack occurs. Doing so may reveal unexpected problem areas. For example, one organization found that it took much longer than anticipated to write a press release about an attack, highlighting the need for a pre-written statement.

It’s also important to strengthen backups and test restores on all critical business. Assuming the backups work, assuming the cost of recovery will always be less than paying the ransom for an uncertain outcome.

“Unfortunately, the first time most organizations test restore is after they’ve been hit by ransomware,” says Harris.

Furthermore, make sure executives are fully briefed on the topic and involved in decisions. The more they understand the risks, the better prepared they will be to make a decision and justify it in the face of scrutiny.

Treat ransomware as a business decision. If the problem is visible across the organization, there will be fewer surprises if you do get hit. This will smooth all actions in the response, including deciding whether or not you should pay.

Experience IT Security and Risk Management conferences

Join your peers for the unveiling of the latest insights at Gartner conferences.