When a ransomware attack encrypts critical data, organizations face an immediate and difficult decision: whether to pay the ransom. This choice is at the center of a significant debate within the cybersecurity community, with official guidance often conflicting with the operational pressures businesses experience during a crisis.
Official bodies have taken a firm stance on the issue. In the United States, the Federal Bureau of Investigation (FBI) explicitly advises against paying ransoms. The FBI's reasoning is that payments provide no guarantee of data recovery and directly fund criminal enterprises, encouraging a cycle of further attacks. Similarly, the United Kingdom’s National Cyber Security Centre (NCSC) aligns with this position, highlighting that paying a ransom validates the attacker’s business model.
The Case Against Paying Ransoms
Data supports the official guidance against payment. According to the Sophos “State of Ransomware 2022” report, of the organizations that paid a ransom, only 4% recovered all their data. This statistic underscores the unreliability of negotiating with criminals. Furthermore, paying can lead to greater long-term costs. The same report found that the average remediation cost for organizations that paid the ransom was $1.4 million, nearly double the $730,000 average cost for those that recovered using backups.
Beyond financial and operational risks, there are significant legal considerations. The U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC) has issued advisories warning that facilitating a ransom payment to a sanctioned entity or jurisdiction can lead to civil penalties. This places companies and their cyber insurance providers in a precarious legal position, as they must ensure a payment does not violate international sanctions.
The Reality of Ransomware Payments
Despite the official advice and inherent risks, a substantial number of organizations choose to pay. The Sophos report revealed that 46% of organizations whose data was encrypted in an attack paid the ransom to get their data back. The primary driver for this decision is the immense pressure to restore business operations and avoid catastrophic downtime. For many, the cost of the ransom is perceived as less than the cost of prolonged disruption, potential data leaks in double-extortion schemes, and reputational damage.
The decision is further complicated when organizations lack viable, tested backups. Without a reliable way to restore systems and data, paying the ransom can appear to be the only available path to recovery. This highlights the critical importance of proactive cybersecurity measures, including robust backup strategies and well-rehearsed incident response plans, as the most effective defense against being forced into this dilemma.
Source: https://www.techradar.com/pro/the-ransomware-payment-debate-what-it-means-for-organizations