Despite pledges not to pay, ransoms are here to stay


It’s easy for world governments to promise that not a single penny will fall into the hands of cybercriminals in the form of ransoms. But for those whose livelihoods hinge on their digital presence, a crippling cyber-attack may leave no other option.

Now, nearly 50 countries have signed a joint policy statement that their governments will not pay ransom demands. The International Counter Ransomware Initiative aims to cut off cybercriminals' funding sources.

However, conversations with businesses paint a different reality. The sentiment is firmly in favor of not paying, but there are situations where it may be unavoidable.


“As a small business owner, I don't believe I have a choice but to pay the ransom. I have a team of more than 50 people working for me whose livelihood would be affected if I hold out. Companies like mine don't have the luxury of refusing to engage with cybercriminals because otherwise, we risk severe financial losses and operational disruption that could bring down our entire businesses,” said Farhan Siraj, CEO of e-learning platform OSHA Outreach Courses.

And he’s not alone. Cybernews asked more than 30 experts from various fields if they’d be willing to pay a ransom in the event of a cybersecurity breach. Most said “no,” and many added “but.”

There are some astounding estimates of how large the cybercrime market is. According to Cybersecurity Ventures, total cybercrime damages cost the world a staggering $8 trillion in 2023, a figure also quoted by the World Economic Forum (WEF). That means every person on Earth loses roughly $1,000 a year to hackers, and cybercrime would rank as the third-largest economy in the world.

The FBI’s estimate is far more conservative: its Internet Crime Complaint Center received more than 800,000 cybercrime complaints in 2022, with reported losses exceeding $10 billion. That works out to about $30 per American, and the total is comparable to the annual revenue of companies like eBay, Airbnb, Carlsberg, Hilton Worldwide, and Alaska Airlines.

Ransomware, a large share of cybercrime, is often linked to groups operating out of Russia, North Korea, Iran, or China, some of them state-sponsored. SonicWall counted 493.3 million ransomware attack attempts in 2022. And sometimes the attackers simply end up holding leverage.

Business owners see paying ransoms as a last-ditch effort

Would you or your organization consider paying a ransom?

“This is such a tough question – and one that most people don’t even consider their answer for because most have the mindset of ‘it will never happen to me,’” said Ben Michael, a lawyer and VP of Operations at Michael & Associates.


If he had to give a yes or no answer: “I would probably say no – but you never know what the exact situation would be. All I know is that in most cases where a ransom is demanded, you’re advised not to pay it because it doesn’t end up being the solution that makes everyone happy after all.”

And what about the fact that the attackers still have access to your data whether you pay them or not?

Danny Ray, the Founder of InsuranceForBurial.com, a Division of PinnacleQuote, said that his stance is generally to refuse to pay in order to discourage future attacks.

“But, if critical data is at stake and the company's survival is on the line, paying might be considered as a last resort,” he admitted.

And even then, he would weigh any potential ransom against the expected losses.

“A cautious approach – perhaps up to 15% if it meant a secure recovery, but that's not a fixed rule.”


Mike Millerson, a former US Army sergeant and an author at the survival guidance website Survive Nature, compares a cyberattack to a classic survival situation in which you have to weigh the available options and their potential consequences.

“Paying a ransom is similar to entering a negotiation with an unpredictable wild animal,” Millerson said. “The decision would heavily rely on the assessment of the threat's severity, potential damage, and the cyber survival tools at my disposal.”

He would not submit to a ransom demand if decrypting the data or restoring the system from backup were feasible with minimal disruption to operations. His focus would always be on prevention, education, and resilience. As in the jungle, the sensible response to a cyberattack mirrors any survival strategy.


“First, assess the situation, understand the threat, devise a plan quickly but logically, and then proceed with the action – whether it's remedying the vulnerability, system restoration, coordination with legal and PR teams, or engaging with law enforcement agencies,” Millerson said.

Eric Lam, founder of Exploding Ideas, a website that generates ideas for startups, would start by quantifying the potential losses before considering a ransom payment.

“Direct costs include expenses related to data recovery, system restoration, legal fees, and regulatory fines. Indirect costs may involve reputational damage, customer churn, and operational disruptions,” he said.

The ethical, legal, and regulatory implications of paying weigh on the decision as well.

It encourages attackers

Allison Mahmood, entrepreneur, founder in residence at Entrepreneur First, and founder of Automated Market Securities Operations, is one of the hardliners who believe organizations should not pay ransoms. He was targeted by cyberattacks when he previously ran a stock brokerage with about 36 employees.

“There is a track record of organizations which are known for paying ransoms becoming more frequent targets. Only at the suggestion of lawyers and law enforcement would we have even considered it,” he warned.

Mahmood wouldn’t trust attackers either: since they want to avoid being caught, they cannot offer any real guarantee that a paid ransom means the data is safe.

“In the event of a cyberattack, my organization would not consider paying a ransom. Our primary reason for this stance is that paying such a ransom in no way guarantees the return of your data. Even the FBI advises against making ransom payments for this reason, especially because it may encourage the attackers to target other companies in a similar way,” said Jake Hill, CEO of personal finance publication DebtHammer.

How much is too much? Estimates vary from 5% to 50% of potential losses


Cybersecurity experts usually advise against dealing with cybercriminals at all. But if paying is the only way to stay afloat, the ransom should be only a fraction of the anticipated losses.

Ken Holmes, qualified security and data protection specialist and Managing Director at CertiKit, explains that he would be very reluctant to pay any ransom.

“Partly due to the fact that we would be contributing to and encouraging cybercrime in general, and partly due to the potential cost and likelihood that the same people will come back and try again because they know we will pay,” he said.

How much would he be willing to pay to save a business?

“Our data is our business, so the amount we would pay would likely be related to our perception of the value of the business. It would probably make sense to pay up to 25-50% of that value if the alternative is simply to shut up shop and go home,” he argued.

This was one of the most generous estimates; most experts put the figure somewhere between 5% and 50% of potential losses.

“I would recommend that organizations budget no more than 10% of their anticipated losses or damages for ransom payments,” said Adhiran Thirmal, senior solutions engineer at Security Compass.

Attackers usually threaten to leak or destroy sensitive data if the ransom is not paid. According to George Prichici, VP of Products at OPSWAT, a global critical infrastructure protection vendor, double extortion, in which attackers exfiltrate data before encrypting it and then threaten to publish it as a second lever, has emerged as an improved monetization model.

“If an organization decides to pay the ransom, it becomes a pay-and-pray scenario, as there is no guarantee that they will receive their data back even after paying. The outcome is uncertain,” Prichici said.
