Cyber Liability

Ransomware: To Pay or Not to Pay

David Derigiotis
4 min
August 16, 2024

A version of this article was originally published on Live Insurance News.

When one threat actor group is taken down, another emerges to fill the void—often more sophisticated and destructive than the last. Today’s number one cyber threat? Ransomware.

By 2031, ransomware is projected to cost victims over $265 billion annually. One of the most staggering incidents to date involved Dark Angels, a known ransomware group, securing a record-breaking $75 million ransomware payment—nearly double the previous high of $40 million paid by CNA Financial.

With these attacks escalating in scale and frequency, organizations are left to grapple with a difficult decision: should you pay the ransomware demand, or resist?

Understanding the Ransomware Attack Scenario

Ransomware attacks often result in critical business systems being encrypted and held hostage. Victims are typically given an ultimatum—pay a ransom in cryptocurrency or risk data loss, operational disruption, and reputational harm.

Determining how to respond requires understanding the attacker’s demands, the potential for data recovery, and the broader implications of either choice.

The Case for Paying the Ransom

Prompt Data Recovery

For organizations where downtime poses significant safety or operational risk—such as hospitals or critical infrastructure—paying the ransom may offer the fastest path to recovery. While there's no guarantee the decryptor will work as promised, paying is sometimes seen as the lesser of two evils.

According to Veeam’s 2023 Ransomware Trends Report, even with payment, it takes an average of 24 days to regain access to production systems.

Cost-Benefit Analysis

In some cases, the cost of ransom may be lower than the financial impact of extended business interruption. After the 2023 MGM attack, which cost the company over $100 million, rival Caesars opted to pay $15 million in ransom—illustrating divergent ransomware payment decisions based on risk tolerance and recovery strategy.

The Case Against Paying the Ransom

No Guarantee of Recovery

Paying the ransom does not guarantee the attackers will hold up their end of the deal. It is entirely possible the threat actors will not provide the decryption key, or that the decrypted data will not be intact and usable. There is also the risk of becoming a future target: paying a ransom marks an organization as a willing payer, potentially encouraging further attacks from the same group or others. This cycle can lead to increased vulnerability and recurring financial losses. However, certain threat actor groups maintain ‘codes’ intended to protect paying victims. One group states, “If the affiliate refuses to send you the decryptor after your payment, you can contact us and we will send the decryptor for free.”

Funding Criminal Activity

Ransom payments are often given to criminal and terrorist organizations that use them to fund acts of war, human trafficking, and drug smuggling. This creates a moral and ethical dilemma for the victims. Do they pay the cybercriminals knowing that their payment will fund something nefarious, or do they refuse at the risk of their business and its employees? It's not an easy decision, as every corporation has different circumstances. As long as these organizations are funded, more threat actor groups form and become more difficult to track, contributing to the perpetuation of ransomware attacks.

Compliance Risks

Paying a ransom may involve significant legal and compliance risks, including potential violations of sanctions laws and regulatory requirements. Moreover, failure to adhere to these legal constraints can result in severe penalties, reputational damage, and further scrutiny from regulatory bodies. Currently, a handful of states prohibit governmental entities from making ransomware payments. North Carolina was the first state to pass a law prohibiting state agencies and local government entities from paying ransoms or communicating with ransomware threat actors. Florida followed, becoming the second state to restrict how public entities can respond to ransomware events. Florida's law prohibits state agencies, counties, and municipalities from paying or complying with ransom demands.

Legal and Ethical Considerations

OFAC and Sanctions Compliance

Organizations must navigate a complex landscape of compliance requirements when dealing with ransomware attacks, particularly regarding sanctions laws and regulatory disclosures. This includes ensuring ransom payments do not violate international or domestic sanctions by inadvertently funding sanctioned entities or individuals. The Department of the Treasury previously released an advisory identifying the potential sanctions risks for facilitating ransomware payments. The advisory stated, “U.S. persons are generally prohibited from engaging in transactions, directly or indirectly, with individuals or entities (“persons”) on OFAC’s Specially Designated Nationals and Blocked Persons List (SDN List), other blocked persons, and those covered by comprehensive country or region embargoes.”

Corporate Disclosure Obligations

Public companies should consider their disclosure obligations to shareholders and regulators when dealing with ransomware attacks. Material cybersecurity incidents, including significant ransomware attacks, must be disclosed in Securities & Exchange Commission (SEC) filings. This disclosure ensures transparency and informs investors about potential risks to the company’s financial performance. It's crucial to consider the attack's impact on operations, finances, and reputation, and to provide detailed information about the incident, response measures, and future cybersecurity implications. Failure to adequately disclose such incidents could result in regulatory scrutiny and damage shareholder trust.

The Role of Law Enforcement and Insurance

Cyber Insurance Ransomware Payment Coverage

Cyber insurance policies can cover various costs associated with ransomware attacks, including skilled negotiators, ransom payments, forensic investigations, and business interruption losses. However, organizations must thoroughly understand their policy terms and conditions, as some insurers may have specific requirements or limitations regarding ransomware payments. This can include conditions such as mandatory reporting to law enforcement, the necessity of prior approval before making any ransom payments, and adherence to specific cybersecurity protocols. Additionally, policy exclusions or sub-limits may apply, which could impact the extent of coverage available in the event of a ransomware attack.

Coverage depends on strict policy conditions, such as:

  • Notification requirements
  • Insurer approval before payment
  • Law enforcement coordination
  • Adherence to cybersecurity protocols

Understanding these nuances is essential to ensure adequate protection and compliance with insurance provisions.

Involving Law Enforcement

Authorities like the FBI and CISA encourage organizations to report ransomware incidents immediately. They may offer resources or threat intelligence support but will never advise victims to pay. Involving law enforcement can also demonstrate good faith in compliance with regulatory obligations.

Negotiating with Attackers (If Applicable)

Ransomware negotiation is often facilitated by expert intermediaries. While not always advisable, in certain cases, negotiators can reduce the demanded amount or extend payment timelines—buying critical time for investigation and recovery planning. It’s essential to work with qualified professionals to avoid legal missteps.

Prevention: The Best Defense

Ultimately, the best way to avoid having to make a ransomware payment decision is to prevent attacks in the first place. Key alternatives to paying ransom include:

  • Implementing robust backup and recovery protocols
  • Conducting regular penetration testing
  • Training employees to spot phishing and social engineering attempts
  • Utilizing endpoint detection and response (EDR) tools

A proactive cybersecurity strategy is the most cost-effective form of ransomware protection.

Navigating this challenging cyber landscape requires a thorough understanding of the implications of each choice. While paying the ransom might offer a quick fix, it can also encourage further attacks and pose serious ethical concerns. On the other hand, refusing to pay could lead to extended operational disruptions and financial losses.

Organizations must weigh the pros and cons carefully, considering factors like client trust, insurance coverage, compliance requirements, and corporate governance obligations. A well-informed decision, supported by well-developed cybersecurity measures and a comprehensive response strategy, can help mitigate the impact of ransomware attacks and safeguard businesses for whatever the future holds.

Contact Flow Specialty today to understand how cyber insurance can support your ransomware response strategy. Our expert brokers offer fast, tailored solutions that protect your business before, during, and after a cyberattack.

Frequently Asked Questions (FAQ)

What factors should be considered when deciding whether to pay a ransom?

Key considerations include the extent of operational disruption, data recovery feasibility, cost-benefit analysis, insurance coverage, legal implications, and potential reputational damage.

What are the risks of paying the ransom?

Risks include non-recovery of data, becoming a repeated target, violating sanctions laws, and contributing funds to criminal organizations.

What are the risks of not paying the ransom?

Refusing to pay may lead to prolonged downtime, financial losses, regulatory penalties, and data loss. However, it also avoids ethical and legal concerns tied to payment.

Does cyber insurance cover ransom payments?

Yes, some cyber insurance policies cover ransom payments, but only under specific conditions. It’s important to understand your policy’s limitations and reporting requirements.

Should we involve law enforcement if hit by ransomware?

Yes. Notifying law enforcement is recommended and, in some cases, required. It can also support compliance efforts and provide threat intelligence.