As ransomware continues to grow exponentially, more and more users and corporations are being affected and finding themselves at a crossroads: To pay or not to pay?
Ransomware has exploded like gangbusters. The recent outbreak of WannaCry (and its variants) is the latest in a long line of malware that is targeting all types of systems worldwide for maximum impact.
Despite the rapid growth of this malware type and continued warnings from security professionals everywhere, ransomware has evolved into a billion dollar industry. With ransoms increasing and the technology becoming more sophisticated and more difficult to identify, this growth spurt shows no signs of slowing down any time soon. As Michael Kassner predicted back in 2010, “Ransom on the internet may not garner much money per incident but patient extortionists can cast a wide net and haul in many innocent victims who have no recourse other than to pay.”
His 2015 follow-up article showed, based on the evidence available at the time, that he was right. And now, ransomware has far exceeded its meager $24 million intake in 2015.
The biggest question that rings out from individuals facing ransomware infections is this: Should I pay the ransom? And what a powder keg of a question that one is, with no clear-cut right or wrong answer to the dilemma, since each situation could potentially be different from the next.
Playing devil’s advocate, let’s consider the pros and cons of the pay/no-pay decision to better understand both sides of this growing issue.
Paying The Ransom
The upside to paying is immediate in most (but not all) cases: you receive the decryption key, which allows you to decrypt your data and recover your files. Paying the ransom may reduce the impact of the attack on your company’s liability or other fiduciary responsibility. If productivity slows or stops altogether, you could incur greater losses in revenue than the cost of paying the ransom. And in some situations, not paying could put lives at risk, as hospitals and governments have been increasingly targeted in recent attacks. Finally, preserving public trust is another reason to pay the ransom and move forward, as a large enough loss of reputation can be the death knell for a company.
Not Paying The Ransom
Most individuals who lean toward not paying the ransom cite one belief as their main reason: paying up rewards ransomware, which allows it to grow and thrive. Others feel that, on principle, a ransom should not be paid because holding someone’s data hostage is a crime. They believe that law enforcement and the security industry should have a better grasp on resolving this, since so many are affected by it annually. And let’s not forget the tech pundits who repeat, as if speaking a mantra, that proper backups are all that is necessary. They say you should focus on backing up your data correctly so that it can be restored—and do not pay the ransom.
It’s clear that both camps can cite a variety of reasons to support the decisions they make. I feel, personally, that it isn’t so black and white and that each scenario should be addressed based on the circumstances rather than choosing an answer based on a preset plan.
Every enterprise is different, so the issue might be resolved in days, weeks, or never, in the case of complete loss. I can sympathize with the “do not pay” crowd on the theory that paying encourages threat actors to continue to push the boundaries and expand their attacks further. But I have worked with companies that paid the ransom because it came down to their bottom line. For them, the decision may be less about politics and principles and more about keeping the company productive, making money, and staying in business.