The Ransomware Dilemma
The decision on whether to pay up when cybercriminals hold data hostage is shaped by choices leaders made long before an attack.
The ransomware business is booming: In the United States alone, this form of cyberattack increased in frequency by 200% between 2019 and 2021. It’s an urgent threat, but too many leaders are caught flat-footed when it happens to them. Ransomware is malicious software that uses encryption to prevent access to data on the infected machine, effectively paralyzing the computer system. The culprits behind the attack then demand payment in exchange for decrypting the files and restoring access to the infected systems. The tactic dates to the 1980s, but it became a prominent threat to businesses after 2010 with the rise of cryptocurrency, criminals’ preferred mode of payment.
It’s a threat riddled with uncertainties, which makes planning a response difficult. Many organizations just want to find the quickest way out, and that often means paying the ransom, even though the financial burden may be considerable and the outcome far from certain. In a recent study of 300 companies, 64% revealed that they had experienced a ransomware attack within the previous 12 months, and a staggering 83% of those paid the ransom. On average, only 8% of organizations that paid up recovered all of their data, while 63% got about half of it back.
Some organizations receive a demand for a second (and perhaps even higher) ransom, despite having paid the first one on time, but the worst-case scenario is when the victim pays but either never receives the decryption key or receives one that doesn’t work as intended.¹
Organizations that decide not to pay also bear costs in terms of business downtime and lost revenues. And organizations that are caught unprepared, without a reliable backup system or an incident response plan, end up suffering the most — not only financially but also reputationally.
If your organization is hit with a ransomware attack, your first step should be to notify law enforcement and, if applicable, relevant data protection authorities. But the options open to you after that depend on how well your organization is prepared to handle such attacks. This article aims to help top management teams decide what to do via six clarifying questions.
1. “What Happens When Victims Pay Ransomware Attackers?” Trend Micro, Dec. 10, 2018, https://news.trendmicro.com.
2. “Ransomware Guide,” PDF file (Washington, D.C.: Cybersecurity and Infrastructure Security Agency and the Multi-State Information Sharing and Analysis Center, September 2020), www.cisa.gov; and “Protecting Data From Ransomware and Other Data Loss Events: A Guide for Managed Service Providers to Conduct, Maintain, and Test Backup Files,” PDF file (Gaithersburg, Maryland: National Cybersecurity Center of Excellence at the National Institute of Standards and Technology, April 2020), www.nccoe.nist.gov.
3. P. Hack and Z. Wu, “‘We Wait, Because We Know You.’ Inside the Ransomware Negotiation Economics,” NCC Group, Nov. 12, 2021, https://research.nccgroup.com.
4. Ö. Işik, T. Jelassi, and V. Keller-Birrer, “Five Lessons of Cybersecurity the Public Sector Can Offer,” European Business Review, forthcoming.