Today’s columnist, Rob T. Lee of the SANS Institute, understands why companies like Colonial Pipeline paid the ransom, but says moving forward, organizations need to evaluate the risk of paying the ransom – and develop a plan. peripathetic CreativeCommons CC BY-NC-SA 2.0

As ransomware attacks continue to plague organizations at an increasing and alarming rate, business leaders are faced with an impossible challenge. Pay the ransom in hopes of recapturing stolen data and getting systems back online quickly or refuse to pay and deal with the consequences.

This debate might seem ethically simple on the surface, with arguments from cyber leaders like former director of CISA Chris Krebs noting that paying the ransom makes an organization an investor in a criminal organization. However, it’s a much more complicated reality, as shown by the Colonial Pipeline and JBS Foods attacks, cases in which the company paid the ransom to resume operations and maintain some semblance of business continuity. In the case of Colonial, this meant eating the cost to prevent further gas shortages and skyrocketing prices in the wake of the first major U.S. critical infrastructure cyberattack. This showcased the complex risk calculations business leaders must make when dealing with ransomware remediation.

Ransomware attacks put business leaders in a no-win situation. However, there are important steps decision-makers can take to evaluate whether paying the ransom makes sense for the organization, including the degree of organizational and societal impact, as well as the cost of rebuilding critical systems.

Should we pay the ransom?

Some companies may view paying the ransom as the best option for regaining control of key data and resuming business operations. When an organization gets hit by ransomware, lives and jobs are often on the line. Refusing to pay the ransom can cause catastrophic damage to communities and individual workers who are completely reliant on its services. Take a hospital, for example. If hit by a ransomware attack that renders life-saving technologies unusable, patients in critical condition are at dire risk. If an air traffic control center can’t guide planes safely to the ground, lives are at risk. There are times where despite the risk associated with paying cybercriminals and the reality of funding criminal organizations, business leaders may decide that not paying simply isn’t an option because the human costs are too great.

There’s also a practical reason to pay a ransom. Refusing to pay won’t bankrupt criminal groups or cease their operations. Cybercriminals will often keep data locked up to leverage it for the future or move on to the next target who will pay.

Organizations may not have a disaster recovery plan to retrieve stolen data, and the possibility of getting data returned by paying the ransom seems like the most feasible option.

Should we refuse to pay?

Paying the ransom does embolden criminal groups to continue the activity, as there are few consequences currently to doing so. Ransomware has become a profitable business for cybercriminals. By paying the ransom, organizations can motivate bad actors to conduct more attacks. There’s a danger of setting the precedent that an individual organization that decides to pay a ransom can become a future target, given the willingness to pay.

There’s also no guarantee that paying the ransom will let the organization re-enter systems and regain critical data. Ransomware attackers can provide decryption keys upon payment; however, it’s not guaranteed.

Additionally, once a company makes the payment, there’s no guarantee that organizations will recuperate those lost funds. In the end, a company makes a calculated risk to pay the ransom that doesn’t always pan out. Even when organizations are provided with decryption keys, there’s no switch to flip to reverse the damage done. When news broke last month that Colonial Pipeline paid the ransom and received the decryption keys, it still took several days to make fixes and get operations back online.

Ransomware attacks have far-reaching consequences for organizations, making the decision on how to respond difficult. While administering employee cybersecurity training and implementing proactive cybersecurity measures are some of the best ways to prevent ransomware attacks, C-Suite executives should create a calculus for ransomware preparedness. Making a thoughtful decision on whether to pay the ransom means calculating the risk:

  • How much does the attack impact business operations?
  • How many employees will be out of work?
  • What are the broad societal implications?
  • What’s the risk of data leakage or exposure?

When in crisis, organizations must quickly bring leaders together to discuss and answer these important questions. Ransomware can impact any organization, but it’s important to prepare in advance to help mitigate risk. Given the wave of ransomware attacks during the first half of this year, it’s more important than ever to develop such a plan.

Rob T. Lee, chief curriculum director and faculty lead, SANS Institute