Ransomware: To pay or not to pay?

Ransomware: To pay or not to pay?

The topic of ransomware is something we’d all like to avoid thinking about but is something we undoubtedly must consider. Tamer Odeh, Regional Director at SentinelOne Middle East, explores the ethics and implications behind paying a ransom.

Last year saw an escalation in the number of ransomware attacks striking organisations, with both private and public sector agencies like local government and education firmly in the firing line of threats such as Ryuk and Robinhood ransomware. Often understaffed and under resourced, those responsible for delivering critical public services are at the sharp end of the dilemma: to pay or not to pay? It’s a quandary that has technical, ethical, legal, safety and of course, financial dimensions. In this article, I explore the arguments both for and against. My aim is to describe the implications and rationale from both angles across several different considerations.

Is paying a ransom to stop a ransomware attack illegal?

It may seem odd to some, but it isn’t illegal to pay a ransomware demand, even though the forced encryption of someone else’s data and demand for payment is itself a federal crime under the UAE Cyber Crimes Law.

One might argue that the best way to solve the ransomware epidemic would be to make it illegal for organisations to pay. Criminals are naturally only interested in the pay off and if that route to the payday was simply prescribed by law, it would very quickly lead to companies exploring other options to deal with ransomware and, at least in theory, criminals moving towards some other endeavour with an easier payout.

The idea of outlawing the payment of ransomware demands might seem appealing at first, until you unpack the idea to think how it would work in practice. A law that threatened to fine organisations, or perhaps imprison staff, would be hugely controversial in principle and likely difficult to enforce in practice, quite aside from the ethics of criminalising the victim of a crime whose sole intent is to coerce that victim into making a payment.

Is it ethical to pay a ransomware demand?

If it’s not illegal to pay a ransomware demand, that still leaves the separate question unanswered in regard to whether it’s ethical. One might argue that paying a ransomware demand that restores some vital service or unlocks some irreplaceable data outweighs the ‘harm’ of rewarding and encouraging those engaged in criminal behaviour.

Is it prudent to pay a ransomware demand?

Even if we might have a clear idea of the legal situation and a particular take on our own ethical stance, the question of whether to pay or not to pay raises other issues. We are not entirely done with the pragmatics of the ransomware dilemma. We may still feel inclined to make an unethical choice considering other, seemingly more pressing concerns.

There is a real, tangible pressure on making a choice that could save your organisation or your city millions of dirhams, or which might spare weeks of downtime of a critical service.

However, the possibility that the criminals will not hold up their side of the bargain must be factored into any decision about paying a ransomware demand. In some cases, decryption keys are not even available and in others, the ransomware authors simply didn’t respond once they were paid.

A further point to consider when weighing up the prudence of acquiescing to the demand for payment is how this will affect your organisation beyond the present attack itself.

What happens if I don’t pay a ransom for ransomware attacks?

If you choose not to pay the ransom then of course you are in the very same position the ransomware attacker first put you in by encrypting all your files in order to ‘twist your arm’ into paying.

Depending on what kind of ransomware infection you have, there is some possibility that a decryptor already exists for that strain; less likely, but not unheard of, is the possibility that an expert analysis team may discover a way to decrypt your files. A lot of ransomware is poorly written and poorly implemented, and it may be that all is not lost as it might at first seem. Also consider whether you have inventoried all possible backup and recovery options.

Finally, there is the worst-case scenario, where you have no backups and no recovery software and you will have to dig yourself out by rebuilding data, services and perhaps your reputation, from the ground up. Transparency is undoubtedly your best bet in that kind of scenario. Admit to past mistakes, commit to learning those lessons and stand tall on your ethical decision not to reward criminal behaviour.

What happens if I pay a ransom for ransomware attacks?

There is perhaps more uncertainty in paying than there is in not paying. At least when you choose not to pay a ransomware demand, what happens next is in your hands. In handing over whatever sum the ransomware attacker demands, you remain in their clutches until or unless they provide a working decryption key.

Before going down the road of paying, look for experienced advisers and consultants to help negotiate with the extortionists. Tactics like asking for ‘proof of life’ to decrypt a portion of the environment up front prior to payment, or to negotiate payment terms like 50% up front, and 50% only after the environment has been decrypted, can work with some groups, albeit not with others.

Most of the ransom is still being paid in Bitcoin, which is not an anonymous or untraceable currency. If you do feel forced to pay, you can work with authorities and share wallet and payment details. Law enforcement agencies are keen to track where the money moves.

And where do you go beyond that? Any sensible organisation must realise the need for urgent investment in determining not only the vector of that attack but all other vulnerabilities, as well as rolling out a complete cybersecurity solution that can block and rollback ransomware attacks in future. While these are all costs that need to be borne regardless of whether you pay or do not pay, the temptation to take the quick, easy way out rather than working through the entire problem risks leaving holes that may be exploited in the future. Balance the need for speed of recovery against several risks:

  • Unknown back doors the attackers leave on systems
  • Partial data recovery (note some systems will not be recovered at all)
  • Zero recovery after payment (it is rare, but in some cases the decryption key provided is 100% useless, or worse, one is never sent)

Finally, note that some organisations that get hit successively by the same actors might have actually only been hit once, but encryption payloads may have been triggered in subsequent waves. Experience pays off tremendously in all of these scenarios and ‘knowing thy enemy’ can make all the difference.

Regardless of whether you or your organisation have decided to pay the ransom, it is important to report ransomware incidents to law enforcement. Doing so provides investigators with the critical information they need to track ransomware attackers, hold them accountable and prevent future attacks.

Browse our latest issue

Intelligent CIO Middle East

View Magazine Archive