Don’t Pay for Ransomware! But What Should I Do?

One of the greatest cyber threats facing businesses today is ransomware, and many are uncertain about the right response. An astonishing 66% of companies have reported that their organization was impacted by ransomware, with two-thirds of these noting that their data was encrypted [1]. Recently, MGM Resorts revealed that a ransomware incident cost the company a staggering USD 100 million [2], reigniting the debate: Should you pay the ransom?

Should You Pay the Ransom?

I believe giving in to a criminal’s demands is never wise. As highlighted in the United States Government’s “How to Protect Your Networks from Ransomware” guide, the US government (USG) discourages paying ransoms.

“USG does not encourage paying a ransom to criminal actors. However, after systems have been compromised, whether to pay a ransom is a serious decision, requiring the evaluation of all options to protect shareholders, employees, and customers. [3]”

Here are some reasons for resisting the urge to pay:

Reason #1: No Guarantee of Data Recovery

Relying on the word of a hacker—an anonymous criminal bent on exploiting you—is risky. Data recovery isn’t guaranteed. Only 46% of those who conceded to ransom demands successfully retrieved their data [1]. Furthermore, even if data was encrypted, just 65% of organizations restored the data post-payment [4].

Reason #2: Paying Might Make You a Recurring Target

An astounding 83% of organizations have been breached more than once [5]. Paying a ransom is akin to painting a target on your back. If you’ve paid once, hackers might presume you’ll pay again, potentially demanding even more next time.

Reason #3: The Initial Payment Might Not Be the Last

Proofpoint’s 2023 State of Phish Report highlights the uncertainty surrounding ransom payments. After paying, only about 52% of victims regained data access [6]. Others had to make additional payments, and some never regained access. This serves as a reminder that these criminals primarily aim to extort.

Reason #4: Paying Propagates the Ransomware Business Model

Every ransom paid finances the future endeavors of cyber criminals. Your payment might fuel the development of even more sophisticated malware and embolden hackers to become more aggressive. Ransomware is big business; the average ransom payment has doubled to USD 1.5 million this year. Additionally, 40% of ransom payments are above USD 1 million. [7]

Business Size Doesn’t Matter.

A common misconception is that only large businesses are at risk. This couldn’t be further from the truth. Ransomware doesn’t discriminate by size [1]:

< 250 employees: 62%
251 – 500 employees: 62%
501 – 1000 employees: 62%
1001 – 3000 employees: 73%
3001 – 5000 employees: 63%

Furthermore, industry sectors show varying susceptibilities, given the kind of data they manage. For example [1]:

Retail businesses usually store payment card data, including names and credit card numbers; 69% of these businesses have been affected by ransomware attacks.
Data often includes payment card details and personally identifiable financial information in the financial sector, with 64% of firms in this industry being impacted.
Healthcare organizations store protected health information, and 60% of these entities have faced ransomware threats.
The energy sector, which manages critical infrastructure data, sees 67% of its organizations affected by such attacks.
Business and Professional Services may handle personally identifiable data, customer records, or function as part of a supply chain; 60% of these businesses have been affected.
Lower and higher educational institutions maintain sensitive data and may often lack robust security measures; this is reflected in the 79% to 80% who have been victims of ransomware attacks.
While integral to the digital world, IT, technology, and telecom sectors are on the lower end of the scale, with 50% of companies in these industries having experienced ransomware attacks, although this industry has higher levels of other types of attacks.

Although ransoms might vary based on a company’s revenue—with one-third of SMBs paying under $50,000 [9]—the repercussions of business disruption, reputational damage, and customer attrition can be monumental. In Datto’s SMB Cybersecurity for MSP Report, 60% of respondents felt their organization might be hit by a successful ransomware attack in the next 12 months, and around 70% admitted that the impact of a ransomware attack would be extreme or significant. [8] Ransomware is a significant problem for businesses of all sizes. It isn’t just a big business problem.

The Ransomware – Business Epidemic

The exorbitant payout by MGM Resorts brings up several questions: Why are so many companies opting to pay? Is there a tangible benefit? Why is there a lax attitude towards cybersecurity? My research paints a worrying picture: 79% of companies have paid a ransom in recent years [9]. It can seem tempting to pay the ransom because it is easy. Paying the ransom allows organizations immediate access to the encrypted data if nothing goes wrong in the transaction process. Business leaders know their cyber insurance will pay up to their cap and are willing to take the risk. But, with the high reoccurrence rate, the company may lose their insurance, not to mention their insurance premiums may radically increase.

This apathetic attitude towards the issue is concerning and only perpetuates the problem. Research shows a marginal difference in breach-related costs between paying (USD 5.06 million) and not paying (USD 5.17 million) a ransom. The financial incentive to pay is minimal, merely saving 2.2% or USD 110,000 [7].

There appears to be a misconception and a gap in priorities.

60% of business leaders believe that media makes it a bigger problem. [9]
33% of employees say cybersecurity is not a top priority of theirs at work. [6]
51% of business leaders believe cybersecurity is a key business enabler. [10]
37% believe cybersecurity is necessary for doing business. [10]
49% of companies indicated they won’t increase security investment after a breach. [7]

These stats show an alarming problem where security is unimportant in a world where cyber threats are as typical as 83% of businesses having at least one breach. If security is not a business enabler, and technology is not a business enabler, you must rethink your business strategy.

What Should I Do?

Businesses should only pay the ransom if they have no other viable options for survival. Paying is a business decision that must weigh all risks and options to protect customers, shareholders, and employees.

One thing to note is paying a ransom may be illegal. In September 2021, the US Treasury’s Office of Foreign Asset Control (OFAC) warned that companies face legal action when making ransom payments if the individual or nation has been sanctioned or has ties to terrorism. [11]

Given potential legal repercussions and the marginal cost savings, companies should resist paying ransoms. Instead, they should be proactive, viewing security and compliance as business enhancers and investing in their security programs.

Investing in robust security measures reduces risks and fosters a culture emphasizing the importance of cybersecurity, preparing businesses for potential threats, and enabling them to be proactive rather than merely reactive. The importance of investment cannot be stressed enough. Beyond the immediate protective benefits, a robust security program also instills customer trust, showcasing the organization’s commitment to safeguarding data. Over time, this trust can lead to competitive advantages in the marketplace and bolster the company’s reputation as a secure and reliable entity.

About the Author

Brent Neal

Brent Neal, the lead vCISO and principal advisor at Vanguard Technology Group, brings over 25 years of extensive experience in Security, IT, and GRC departments. With expertise in strategy, governance, program development, and compliance, Mr. Neal has paved the way for VTG’s comprehensive services. We specialize in providing holistic consulting, strategic planning, and tailored solutions to meet the unique security needs of various industries. Our expert guidance helps organizations establish a strong security posture, align initiatives with business objectives, and confidently navigate the evolving cybersecurity landscape.