
What you should know about paying hackers after a ransomware attack

  • Ransomware attacks can damage business operations and customer trust.
  • The FBI advises against paying hackers, but negotiators can help companies weigh their options.
  • This story is part of the Security Playbook, a series of detailed cybersecurity advice and strategies.

A company's worst nightmare can be having important data stolen by cybercriminals who then demand ransom.

Ransomware, malware that encrypts a victim's data (and often exfiltrates it first) and holds it hostage until the victim pays the attacker, is becoming increasingly common. Security firm Mandiant, part of Google, reported a 75% increase in posts on data leak websites from 2022 to 2023.

Some companies pay cybercriminals; others don't. MGM and Boeing reportedly refused to pay the millions demanded by hackers after their breaches. Software company CDK Global is believed to have paid $25 million after it was attacked, and casino operator Caesars reportedly paid $15 million.

“Our fundamental position is that if you don't have to pay a ransom, don't pay a ransom,” said Mark Lance, vice president of digital forensics and incident response and threat intelligence at GuidePoint Security, which helps organizations deal with ransomware. “We don't recommend funding a criminal organization or making a payment if you don't have to.”

However, he said companies may choose to pay for a variety of reasons. “We educate our customers who are victims of ransomware about what to expect if they are affected by ransomware and what the benefits might be if they pay or not,” he said.

Although many ransomware attacks are preventable, they happen every day to businesses of all sizes. Here's what ransomware negotiators want you to know when you're deciding whether to pay hackers.

Why some companies choose to pay

Kurtis Minder, CEO of GroupSense, which provides ransom negotiation services, said companies need to consider the “blast radius associated with the attack.”

“There will be business disruption,” he said, “but beyond that they have to consider things like the impact on the brand, the PR impact and concerns about customer trust,” including the release of confidential data.

IBM's 2024 Cost of a Data Breach report put the average cost of a breach at $4.9 million, up 10% from the previous year.

Minder said some companies would go out of business if they didn't pay the ransom. If their systems are encrypted and they have no usable backups, they often can't continue operating.

Lance cited the example of a hospital his company worked with that found that paying the ransom to recover critical files was only about one-seventh the cost of restoring those files from backups.

He said organizations may also have to pay if cybercriminals steal confidential or proprietary information, such as personal data, and threaten to publish it.

Both paying and not paying can be risky

Lance said the decision whether to pay ransom ultimately rests with individual companies.

The FBI warns against paying ransoms to attackers because there is no guarantee that you will get your data back. The agency also argues that paying ransoms encourages hackers to target more victims.

Minder and Lance say that many cybercriminal organizations are highly sophisticated and have reputations to protect, so they usually keep their word and, once they receive payment, provide a decryptor and instructions for recovering the encrypted data.

“It's always a risk to pay a threat actor because you're dealing with someone who just stole information from your environment and is essentially holding your data hostage,” Lance said. “They have the motivation to make sure you can regain access to your systems and restore them.”

Still, you can never know for sure, Minder said. If you don't pay, your data will most likely remain encrypted, confidential information could be published, and you run the risk of being attacked again.

Minder added that while companies are encouraged to report ransomware attacks to law enforcement, not all do so.

There is no federal law that flatly prohibits paying cybercriminals. However, US sanctions administered by the Treasury Department's Office of Foreign Assets Control (OFAC) prohibit transactions, including ransom payments, with sanctioned individuals and entities, and OFAC has warned that paying a sanctioned group can expose the payer to civil penalties. Some states, including Florida and North Carolina, have laws prohibiting government entities from paying ransoms.

The US Securities and Exchange Commission (SEC) requires publicly traded companies to disclose cybersecurity incidents that are "material," meaning a reasonable investor would consider them important, on Form 8-K within four business days of determining that the incident is material.

Seeking help is crucial

Lance advises that when faced with a ransomware attack, “don’t try to go it alone without experience.”

He added that engaging a negotiator, or speaking to others in the same industry who have already been through an attack, helps companies avoid common pitfalls: not having a response plan, waiting too long to respond, and communicating poorly with the cybercriminals.

Negotiators have experience dealing with dozens of cybercriminal groups, and Lance says knowing the background and track record of a given group helps in negotiations.

Minder said working with negotiators can help companies assess their risk and decide whether to pay. Negotiators can also help navigate the logistics of payment and getting a company's systems back up and running, and they can work with law enforcement and insurance companies.

Lance said that when a company decides to pay, the negotiation process is about setting expectations. This includes confirming that the company will be able to decrypt its encrypted files and data, demanding proof that stolen data has been deleted, and getting details about how the cybercriminals got into the company's systems.

“We want to educate people that ransomware is a real and relevant threat” that is unlikely to go away, Lance said. But he added that there are “basic things you can do to protect yourself from becoming a victim.”