Ransom payments are an awful idea

In a nutshell, ransomware is malicious software designed to encrypt data. Threat actors then demand a ransom in exchange for decryption keys and the deletion of stolen data. In practice, paying a ransom to decrypt data or to prevent the release of sensitive information to the public can be highly problematic:

  • No guarantee – Paying the ransom does not guarantee that the attackers will provide the decryption key or that they will not release the data. Once you make the payment, you don’t have any control over the attacker’s actions. There is no enforceable contract in place. Someone has committed a serious crime, yet they expect you to trust them. Hope is not a viable strategy.
  • Encourages future attacks – Paying the ransom encourages cybercriminals by giving them a highly lucrative incentive to continue their malicious activities. It also signals to other potential attackers that ransomware is a profitable business model. Attackers add the details of businesses known to pay to lists that they sell on to other cybercriminals.
  • Deprived of vital resources to improve security posture – Paying the ransom does not address the underlying security vulnerabilities that enabled the breach. In addition, the payment consumes funding that could have been spent fixing those vulnerabilities, leaving the business susceptible to further attacks.
  • Funds illegal activities – The funds obtained through ransom payments can finance further criminal activities, including additional cyberattacks, organized crime, and terrorism.
  • Legal and regulatory implications – Knowingly paying the ransom to cybercriminals in countries subject to government financial sanctions is illegal. Many countries have regulations prohibiting financial transactions with individuals and businesses in sanctioned countries, and sending money violates the sanctions. Paying a ransom is not an exception to this rule.
  • Payment can lead to a subscription model – Ransoms can be very high, and there is no guarantee that paying once will prevent future demands. Cybercriminals can easily make repeated financial demands to prevent sensitive data from being released, and keep demanding more.

If an attack occurs, work with law enforcement, information security professionals, and insurance providers to respond to the incident. There may be a temptation to fear authorities or regulators and to deal with cybercriminals rather than face the consequences of having allowed an attack. In practice, dealing openly and honestly with authorities and regulators is the more appropriate and viable course.