From the Summer 2024 Issue

Increasingly, Companies Aren’t Allowed to Pay Ransoms, and This is a Good Thing

Alex Haynes
CISO | IBS Software

In the evolving landscape of cyber threats, the dilemma of whether or not to pay ransomware actors remains a contentious issue. As cybercriminals continue to leverage ransomware attacks to extort money from organizations, the responses from victims, cyber insurance companies, and government cyber emergency response teams (CERTs) have progressively shifted away from acquiescence to a stance of resistance. This evolution in approach marks a significant pivot in the collective fight against cybercrime, with notable implications for cybersecurity practices and policies.

At the heart of the debate is a complex web of ethical, practical, and financial considerations. The immediate aftermath of a ransomware attack often leaves organizations in a vulnerable state, grappling with the loss of access to critical data and facing the pressure of operational downtime. The prospect of quickly restoring operations by paying the ransom can seem enticing. Initially, some believed that paying the ransom was a pragmatic solution to an urgent crisis. This perspective, however, has gradually waned in favor of a more principled stance against yielding to cybercriminal demands.

The shift away from paying ransoms has been significantly influenced by the insights of cyber insurance companies and government CERT teams. These entities have accumulated a wealth of experience and data from countless incidents, leading to a consensus that paying ransomware actors often exacerbates the problem rather than solving it.


One of the fundamental issues with paying ransoms is that it perpetuates the ransomware economy. Every successful transaction not only funds the criminal activities of the attackers but also emboldens them and others within the cybercriminal ecosystem to continue and escalate their operations.

Moreover, paying the ransom offers no guarantees. Victims who pay are often left with false promises, receiving decryption keys that don’t work or being targeted for future attacks. The realization that payment does not ensure a resolution has been a crucial factor in shifting the narrative towards resistance. The inefficacy of capitulation, coupled with the ethical implications of funding criminal enterprises, has led to a broader consensus against ransom payments.

On top of this, there is an evolving shift towards ‘ransomwareless’ style attacks, where data is held hostage outside the company infrastructure and threatened with public release if a ransom is not paid. Again, the same arguments apply – payment doesn’t necessarily guarantee that the data will not be released in future, nor does it confirm that the data is in any way safe. Either way, it’s compromised.

Cyber insurance companies, once seen as enablers of ransom payments through their coverage policies, have begun to adjust their strategies. Recognizing the long-term implications of ransom payments on the cyber threat landscape, these companies are increasingly promoting cybersecurity best practices and resilience planning as primary defense mechanisms. Insurance policies are being revised to encourage preventive measures, and in some cases, explicitly discourage or exclude ransom payments from coverage. This shift not only aligns with a broader ethical stance but also reflects a strategic approach to minimizing risk and exposure to cyber threats.

Government CERT teams across the globe have similarly adjusted their guidelines and recommendations. The evolution of official advice reflects a commitment to undermining the ransomware business model and strengthening collective cybersecurity defenses. An illustrative example of this stance is the British Library’s response to a ransomware attack in 2024. Adhering to the guidelines recommended by the UK’s National Cyber Security Centre, the British Library refrained from paying the ransom or engaging with the ransomware actors. This decision, grounded in a policy framework designed to resist extortion, underscores the broader shift in response strategies.

In the last few years, many other companies have also refused to pay the ransom. In 2023 alone, the following companies and organizations refused to pay after being presented with ransomware demands: the City of Dallas, ABB, Harvard Pilgrim Health Care, Reddit, the NHS, Dish Network and Royal Mail. While the reasons for refusal are unknown, they would be a mix of legal implications, having their own backups, or simply taking a moral (or financial) stance against paying ransoms.

Data gleaned from threat actors themselves also backs up this argument. The most notable and informative source is the ‘Conti leaks’ of 2022. At its peak, Conti was a ransomware gang responsible for 1 in 3 of all ransomware attacks. After the Russian invasion of Ukraine, Conti leadership advocated a public ‘pro-Kremlin’ position, unaware that so many of its members were actually Ukrainian. This caused the implosion of the organization, alongside the largest series of internal chat leaks and documentation ever revealed about an organization of this kind. With regard to target selection and payment, since these organizations are run like businesses that need to fund themselves, the Conti leaks point to two interesting themes. The first is that they don’t target businesses earning less than 100 million USD per year, because such businesses wouldn’t be able to pay ransoms even if they wanted to (arguably another reason is that the ransom would be too small to generate a profit if the targeted business is too small). The second is that, as part of open source intelligence and target acquisition, they would scour companies’ cyber insurance policies to learn whether those policies would pay out in case of a ransomware attack, and would even prioritize companies that had cyber insurance policies, even if they weren’t aware of the actual liability limits (many cyber insurance policies now don’t cover ransomware payouts).


The refusal to pay ransoms, while challenging, has several positive benefits. It disrupts the economic incentives that fuel ransomware activities, gradually diminishing the attractiveness of targeting organizations that are known not to pay. Organizations that do pay inadvertently contribute to a cycle of criminal funding and innovation. This financial infusion allows cybercriminals to refine their tactics, develop more sophisticated malware, and target more organizations, thereby escalating the ransomware threat for everyone.

A further advantage of not paying is that it encourages organizations to invest in robust cybersecurity measures, including regular data backups, employee training, and incident response planning. These proactive measures not only reduce the likelihood of successful attacks but also ensure that organizations are better prepared to recover without capitulating to criminal demands.

The collective move towards non-payment and increased cybersecurity resilience reflects a strategic shift in the battle against ransomware. By prioritizing prevention, preparedness, and principled resistance over short-term solutions, organizations, insurance companies, and governments are working to change the dynamics of cyber threats. This approach not only aims to protect individual entities but also contributes to the broader goal of creating a more secure and resilient digital ecosystem.

According to data from ‘Coveware’, the percentage of companies that paid up in ransomware attacks dropped from 70% in 2020 to 50% in 2021 and 41% in 2022. Whatever the source of the decrease, the combination of legal repercussions for payment, improved resiliency and technical controls, and simple financial refusal to pay shows that this trend is accelerating.

In conclusion, the evolving stance on ransomware payments symbolizes a pivotal moment in cybersecurity strategy. The journey from viewing ransom payments as a necessary evil to embracing a policy of non-engagement and resilience offers valuable lessons in addressing complex cyber threats. As the collective wisdom grows, so does the resolve to combat cybercriminals with a united front, emphasizing the power of prevention, preparation, and principled action in the face of adversity. The path forward is challenging, yet it represents a crucial step towards dismantling the economic foundations of ransomware and securing the digital world for future generations.
