To Pay Ransomware or Not to Pay—That is the Question


The threat of ransomware is one of the most daunting dangers hanging over organizations. Ransomware is a type of malware that encrypts data or otherwise blocks access to it, allowing the attackers to demand large sums of money in exchange for the decryption keys or the restoration of access.

While experts have long stated that businesses should not pay ransoms to bad actors, many choose to pay anyway. It seems like a simple enough solution, but it doesn't always work: paying does not guarantee a working decryptor, and it does not guarantee that stolen data is deleted. Nevertheless, organizations continue to pay against expert advice, prompting a push from cybersecurity professionals and regulatory entities to make ransom payments illegal and cut off that revenue stream to cybercriminals.

The Current State of Ransomware

Although many companies still pay the ransoms demanded by their attackers, the numbers are somewhat promising. The percentage of organizations that pay has reached an all-time low of 34%, meaning roughly two-thirds of ransomware targets choose not to pay. Fewer organizations paying ransoms is a good thing, but experts hope to see this number decrease even further.

This contrasts with a marked increase in the size of ransom payments. The average (mean) ransom payment went up 126% between Q1 and Q2 2023, while the median payment increased 20%. From the cybercriminal perspective, fewer attacks result in a payout, but those that do yield more money than ever before. This may reflect attackers raising demands to make up for revenue lost on unsuccessful attacks, or concentrating on larger, more lucrative targets.

Ransomware can enter target environments through a variety of means, but the most common by far is email. Up to 66% of ransomware infections begin with a scam or phishing email, entering an organization through an unsuspecting insider. Cybercriminals keep evolving their attacks to increase effectiveness and evade known defenses. Users need to be on the lookout for sophisticated lures using malicious links, attachments, and even QR codes (which route the victim through a personal phone, outside the reach of corporate email and web filtering) that may lead them to inadvertently download ransomware.

Why Organizations Pay Ransomware Demands—And Why Many Believe They Shouldn’t

Paying the ransom may seem like the most logical course of action in the face of bad actors demanding large sums of money in exchange for the safe return of your data, and organizations pay for a variety of reasons. Attacks often include not just the encryption of files but the theft of data beforehand and the threat of releasing it publicly, known as double extortion. Backups restore availability, but they do nothing about exfiltrated data, so even companies with clean, tested backups are exposed to this form of pressure.

Cybersecurity experts have long discouraged businesses from paying ransoms and advised them instead to invest in a layered security strategy to prevent ransomware attacks and to recover from them without the attacker's help. While many organizations heed this advice and refuse to pay, many still pay out regardless, which funds and encourages further attacks.

Some experts and institutions have proposed that it should be made illegal to pay ransomware demands. The reasoning is fairly straightforward: as long as 34% of targets pay, every organization is at risk, because attackers cannot tell in advance which third will pay. Even though the majority of attacks do not pay out, the large sums that bad actors are sometimes able to extort provide ample incentive to keep attacking.

Repercussions of Proposed Action

Addressing the issue at a governmental level would remove the choice from individual companies and, to the extent the ban is obeyed, deny attackers a payout. The aim is to make ransomware unprofitable across the board and remove the financial motivation for cybercriminals to use it. If organizations or governments made it known that ransomware demands would not be paid, cybercriminals would get the message before long.

Some organizations would pay ransoms in spite of the law, but the intention is to reduce the number of ransoms paid enough to make a ransomware attack more effort than it is worth for the attacker. Every kind of attack carries an opportunity cost, and bad actors almost invariably gravitate toward attacks that are cheaper to launch and more profitable.

Unfortunately, at least in the short term, many organizations would find it difficult to recover from a ransomware attack without paying. Proponents of banning payments are aware of the challenge a ban would present. One measure is outlined in a joint statement from the International Counter Ransomware Initiative (ICRI): governments and other institutions that have committed not to pay can assist each other with financial aid and other resources in the event of a ransomware attack.

Cyber Insurance: When Sublimits Won't Let You Pay Ransomware

Cyber insurance is an important safeguard for businesses engaged in digital operations, helping them manage the financial risk of data breaches, cyber-attacks, and other security incidents. As cyber threats become more sophisticated, the specifics of policy language have grown increasingly important, particularly regarding ransom payments during ransomware attacks.

While a typical cyber insurance policy may cover ransom payments, strict conditions are usually attached. For instance, the insured must obtain the insurer's approval before making any payment, and that approval is normally routed through an insurer-appointed incident response firm or negotiator. This ensures that alternatives such as restoring from backups are explored first and that payment is a last resort. Additionally, insurers often require law enforcement involvement and set clear guidelines for collaboration during a ransomware crisis. Paying without following these steps can void coverage.

A fundamental component of these policies is the sublimit, a cap on the amount the insurer will reimburse for a particular category of loss, such as ransom payments, which sits below the policy's overall limit. Sublimits directly determine how much coverage is actually available after a ransomware attack. For instance, if a policy has a $100,000 sublimit for ransom payments and the demand exceeds that, the excess is not covered, leaving the company to shoulder the remainder. Sublimits for business interruption, forensic investigation, and data restoration are often separate, so the ransom sublimit alone does not describe the policy's total response.

Moreover, policy language also addresses the legality of ransom payments. Ransoms are typically demanded in cryptocurrency, and the legal frameworks in different jurisdictions are complex. In the United States, for example, a payment to a sanctioned person or group can violate OFAC regulations even if the victim did not know who was behind the attack, which is one reason insurers and negotiators screen the threat actor before any payment is approved. Policies generally exclude payments that would be unlawful, so an insured must make sure a payment complies with national and international law to remain eligible for coverage. This legal alignment is crucial to avoid further complicating the already delicate situation of responding to a ransomware attack.

How VIPRE Helps Against Ransomware

Rather than paying ransoms demanded by cybercriminals, organizations are advised to implement a robust, layered cybersecurity strategy to reduce the risk of ransomware and to be able to recover without paying. The stakes are high, so it is vital for businesses to choose solutions that thoroughly protect their systems and sensitive data.

Learn about our malware protection to see how VIPRE security solutions can help to combat ransomware and other forms of malware by protecting endpoints, fighting email threats, and changing employee behavior.  
