To Pay or Not to Pay — That is the Ransomware Question

The words, “Ransomware Attack” have become a regular occurrence in headlines across many fields such as Health Care, Government, Police Agencies, big techs, and even the smaller folks. It has become one of the most active and profound threats that an organization can face today:

January 2021 recorded a total of 19 attacks. Amongst these attacks:

  • Apex Laboratory which had to disclose after stolen data was leaked online

February 2021 recorded 23 attacks, which included two major utility companies, the Ministry of Finance and Ecuador’s largest bank — KIA continues to dispute the attack.

March 2021 recorded 25 attacks; Acer received the largest ransom demand in history at $50 million; Sierra Wireless and Molson Coors also fell victim of a ransom attack.

April 2021 was active with a concerning 31 ransomware attacks; Home hardware fell victim to Darkside, NBA was targeted by Babuk, and REvil demanded $25 million from French pharma, Pierre Fabre.

Are Playbooks too basic?

Many of these companies have a ransomware playbook that they have either created, or adopted via some standard, and these playbooks will address the basic requirements:

  1. Prepare

Playbooks can be as detailed as the teams want them to be- they can even have different playbooks depending on the TYPE of ransomware/malware (i.e.: manual vs automated propagation, single-host vs domain controllers infections, etc.). But the above listed addresses the main headers.

These playbooks address the functionality of the Incident Response team, their accountability and responsibility, and can even tag other teams such as Legal, Policy, Governance, other technical and non-technical support bodies. But there are some things that some of these playbooks fail to address.

Risky Business

Let’s first take a look at the risks a company may face during a ransomware attack, prior to the threat actor sending their demands.

Risk of immediate containment before scope and identification

  • This could tip off the threat actors that you know they’re in your systems, and might know where;

Risk of scope and identification prior to the containment

  • Threat actors are still roaming your network;

Ransom is Demanded- What now?

You’re either aware of the attack, or not, but you’ve just received an email from a threat actor saying that they’ve successfully encrypted your data, and are demanding a payment to be made in exchange for a decryption key; there’s also the chance they have also exfiltrated the data and are asking for a second payment for the insurance of the data not being published, a term called “public shaming”.

A few action items come to mind as soon as this type of email comes in (in no particular order):

  • Notify the Team Lead and CIRT Manager

Negotiation is Expected

Yes — You are allowed to negotiate the terms and payments of the ransom demand, in fact, it is expected. It’s important to know who your ransomware expert is, who will be in contact with the threat actor, and who contacts your ransomware insurer.

The decision to pay or not pay each come with their own set of risks

Risk of paying the ransom

  • After paying, there is a chance the data may not be truly wiped and/or data will still be posted online (that makes for bad business, but its still a risk);

Another risk is that paying for the ransom sets a precedent that now this company will pay, and that notion will be passed on to consumers — these ransom demands can sit in the millions, which is money that could have been used to upgrade and harden the very systems that were responsible for the breach. Consumers and clients will ask the question, “Why wasn’t it invested into the infrastructure of their systems to being with?”

Risk of not paying the ransom

  • The data being held hostage will remain encrypted on the systems, and companies will be forced to recover and possibly rebuild (see Baltimore story);

It’s also important to understand your company’s threshold in this situation. There are certain situations where not paying, and just simply rebuilding/recovering the data is better than paying. However, the TYPE of data might have a company paying for the sole purpose of it not being released to the public.

Deeper Questions to Ask Your Teams

Now that you are aware of the risks of paying or not paying, and some additional action items that may not be laid out in your company’s ransomware playbook, here are some additional questions to ask:

  1. Who response to the threat actor end-to-end? Do you have a designated correspondent?

Ransomware Attack — What does that mean to you now?



Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store