The dilemma of whether or not to pay ransoms during a ransomware attack

Ransomware has had an interesting—if terrifying—journey. Between 2017 and 2018, ransomware attacks increased by 60%, with attackers increasingly targeting companies with cyber insurance. This was for two reasons. First, companies started taking out cyber insurance; second, many of those policies began paying ransoms, with insurers admitting that paying the ransom could often be cheaper than recovery efforts, which drove this troubling trend.

Then something interesting started happening. By 2021, 37% of companies declined to pay ransoms. By 2022 this figure had reached 70% and topped 77% in 2023. While on the one hand this indicates a growing resilience and preparedness among organisations in the face of ransomware threats, it hasn’t stopped ransomware attacks from escalating.

In fact, according to the Midyear 2024 Cyber Risk Report by Resilience, ransomware accounted for a staggering 64% of all cyber-related financial losses since January 2023. High-profile attacks also serve as grim reminders that ransomware is not only growing in sophistication but also capitalising on new vulnerabilities emerging from business mergers, acquisitions, and the increasing reliance on third-party vendors.

The dilemma of paying ransoms

For most businesses, the decision to pay or not pay a ransom is complex. The stakes are high: pay the ransom and risk encouraging future attacks, or refuse and potentially face prolonged downtime, data leaks, steep regulatory fines and reputational damage.

Threat actors know this and are using increasingly aggressive pressure tactics to secure payments. The strategy is devastatingly simple. Threat actors know that companies have good backups, so they exfiltrate data before executing the ransomware attack, which lets them extort payment in return for not publicly releasing private and personal information. Given data protection regulations, a public release has severe consequences for the victim. Some attackers will even tamper with backups to foil any recovery attempt and force the ransom payment.

One particularly antagonistic threat actor, Ransom Hub, is known for employing highly hostile tactics to coerce payment. During negotiations, they have threatened to reach out directly to the victim’s clients and to publish a defamatory blog post exposing the organisation’s security weaknesses. In cases where negotiations fail, the group has even impersonated the victim’s IT team to notify clients about the incident and claim their data was compromised. They have also continued to send ransom demands to staff via email for weeks after the incident, asserting they have regained access to the victim’s network.

The severity of the potential fallout may push businesses towards paying ransoms to avoid data leaks. For industries like manufacturing, where downtime directly impacts revenue, the decision to pay may also come down to minimising financial losses. Ransomware can halt production lines, disrupting supply chains and costing millions in lost productivity.

Finally, if the stolen data includes trade secrets, intellectual property, or personal information, the long-term consequences of exposure can be catastrophic. Some companies, particularly those in highly regulated industries, may feel they have no choice but to pay.

Insurance companies are also scrutinising ransom payments more closely, especially in cases where data encryption has not occurred. Many insurers now promote increased proactive cybersecurity measures and advocate for comprehensive incident response planning, placing the onus on businesses to be more resilient.

Building resilience against ransomware

Ransomware represents a pervasive threat to modern society. At Cyanre, we do not promote paying the ransom, given that the money will be used to fund further criminal activities. As cybercriminals refine their tactics, we recommend that businesses enhance cybersecurity resilience by focussing on the interplay between decision-making and the response strategies required to mitigate ransomware attacks.

An often-overlooked aspect is mental preparation. Deciding whether to pay a ransom is extremely stressful. Teams are dealing with cybercriminals, navigating cryptocurrency payments and facing uncertain outcomes. Tabletop simulations offer clients valuable insight into the anatomy of a ransomware attack, the complexity of responding to a ransom demand and the aspects to consider before taking action.

To help your organisation build resilience, speak to us about our Incident Response retainer options or our tabletop simulations to test your incident response plans and prepare your teams.