Sunday, April 28, 2024

PERSPECTIVE: Should a Cyber Attack Victim Pay the Ransom?

At least right now, some portion of ransomware victims pay the ransom, and this encourages ransomware groups to keep at their nefarious activities. So should ransom payments be banned?

As the United States again reconsiders a partial ban on ransomware payments, the question arises: should ransomware victims pay the ransom, even when doing so is legal?

Early on (1989 – 2019), ransomware actors asked for payment in exchange for the decryption keys victims needed to unlock illicitly encrypted files. Since November 2019, ransomware groups have also been exfiltrating victims’ confidential data, intellectual property and credentials. Paying the ransom supposedly ensures that the victim’s stolen data and credentials will not be made public or used against them. Payment also carries an implied, and sometimes explicit, promise that the same ransomware group will not target a paying victim again. For these reasons and more, many victim organizations decide to make payments to ransomware extorters.

How Many Victims Pay the Ransom?

The percentage of victims paying the ransom has ranged from a low of 40 percent to above 90 percent, depending on the time period and victims targeted. Over the past few years, the percentage of victims paying has decreased to around 40 percent. If current trends continue, that percentage is expected to continue to fall.

The percentage of ransomware victims paying the ransom continues to fall for a variety of reasons, including:

  • Victims have better backups
  • Increased vigilance around preventing ransomware attacks
  • Increased law enforcement actions and international cooperation
  • Increased legal pressure to not pay ransoms
  • Ransomware gangs concentrating on smaller targets to avoid law enforcement and political repercussions
  • Ransomware victims’ growing unwillingness to reward extorters
  • Increasing cultural pressure against paying the ransom

The last point is an important one. If no ransomware victim paid the ransom, ransomware groups would significantly diminish or disappear altogether. But, at least right now, some portion of ransomware victims pay the ransom, and this encourages ransomware groups to keep at their nefarious activities.

Should Paying the Ransom Be Illegal?

It is already illegal in some countries, states and industries to make ransomware extortion payments. The United States Department of the Treasury’s Office of Foreign Assets Control (OFAC) has put many ransomware groups and individuals on its sanctions (“Do Not Pay”) list. Check here for the latest list: https://ofac.treasury.gov/. Many other countries have either banned paying the ransom or are considering it (https://www.secalliance.com/blog/a-global-approach-the-impact-of-a-ransomware-payment-ban). Some U.S. states prohibit ransomware payments by state agencies. Some cities, mayors and industry bodies have also told their members not to pay the ransom. Although many law enforcement agencies around the world say victims should not pay the ransom, they do not agree on whether paying the ransom should be legally banned altogether. But, clearly, anyone considering paying a ransom should make sure it is legal within all of the jurisdictions involved.

Beyond the legal issues, many ransomware experts state that paying the ransom does not help. Many ransomware recovery studies have supported the notion that paying the ransom did not result in more encrypted data being recovered, in significantly lower costs or in shorter downtime. Some studies have even shown that paying the ransom was, overall, the more expensive option. A few studies have shown that when victims paid the ransom, the ransomware groups did not delete the stolen data (at least the portion that was publicly accessible) as promised, and a few studies have shown that paying the ransom made it more likely for the victim to be extorted again (although they did not state whether the victim was extorted by the same group or a new one). But for every study saying not to pay the ransom, there is a contradictory study stating the exact opposite and touting the benefits of doing so.

So, today, if you are legally allowed to pay a ransom, the data is mixed on whether paying it benefits the victim. Likely, each individual scenario is different: in some cases, paying the ransom will benefit the victim, and in others it will not. Paying or not paying the ransom is a business decision, one to be made by senior management and their legal counsel.

If no one paid the ransom, the whole world would benefit – but as long as some pay, ransomware will continue to haunt us until we have strong global cooperation to prevent ransomware attacks. Most serious observers think that most organizations should not pay the ransom, in order to help shrink the ransomware industry, but believe paying should not be outlawed. In most countries, paying kidnappers is not against the law (it may even be tax deductible for the payer). Outlawing ransomware payments may push otherwise law-abiding organizations into illicit activity. If the number of ransomware attacks continues to fall over time and fewer victims pay, as current trends indicate, making ransomware payments illegal could become less necessary.

Either way, your organization needs to discuss ransomware attacks and decide in advance whether or not it will pay the ransom (if legally allowed). You do not want to be making an emergency decision during a ransomware event, when the attackers are able to pressure a forced decision. Be prepared.


The views expressed here are the writer’s and are not necessarily endorsed by Homeland Security Today, which welcomes a broad range of viewpoints in support of securing our homeland. To submit a piece for consideration, email editor @ hstoday.us.

Roger A. Grimes
Roger A. Grimes is a Data-Driven Defense Evangelist at KnowBe4. He is a 30-year computer security professional, author of 12 books and over 1,000 national magazine articles. He frequently consults with the world’s largest and smallest companies, and militaries, and he has seen what does and doesn’t work. Grimes was a weekly security columnist for InfoWorld and CSO magazines from 2005 - 2019. He regularly presents at national computer security conferences, and has been interviewed by national magazines and radio shows, including Newsweek magazine and NPR’s All Things Considered. Roger is known for his often contrarian, fact-filled viewpoints.