To pay or not to pay ransomware: A cost-benefit analysis of paying the ransom

As ransomware continues to rattle the world, organizations are slowly tightening up their security practices in an effort to stop ransomware at the point of infection.

But here’s the thing: there’s no system on the planet that is 100 percent secure.

If you’ve been infected with ransomware, you’re left with one very difficult decision: should you pay the ransom?

Conventional wisdom says that you should never pay up.

However, in the real world, things are not always so black and white. Some organizations don’t have the resources or expertise to design, implement and maintain a reliable disaster recovery plan. In other cases, the backups themselves get infected, or the ransomware is so disruptive that the organization grinds to a halt. In these situations, the benefits of paying the ransom may outweigh the costs of trying to manually repair the system.

In this article, we’ll take a look at the true cost of ransomware and explore the pros and cons of paying the ransom.

Do you know how much ransomware will cost your organization?

One of the most important factors to consider when deciding whether to pay the ransom is how much the attack will — directly and indirectly — cost your company.

At first glance, a four- or five-figure ransom might sound expensive, but that amount often pales in comparison to how much ransomware can indirectly cost you in downtime, lost productivity and recovery.

Take, for example, the 2018 ransomware attack on Atlanta, Georgia, which knocked many of the city’s public services offline for weeks. Initially, the cyber criminals demanded about $51,000 worth of bitcoin to restore access to the encrypted files. The city refused – a noble move, perhaps, but one that resulted in about $17 million in damage. That’s more than 300 times the original ransom amount.

If your organization is hit by ransomware, you’ll need to think very carefully about how much the attack is going to cost during the event and the financial repercussions in the weeks and months that follow.

During the attack

Downtime

The disruption caused by ransomware often leads to missed business opportunities, which can have a significant impact on revenue. On average, ransomware costs businesses $46,800 in downtime, according to a survey of more than 2,400 MSPs by Datto. During an attack, how much business would you lose per hour? Per day? Per week?

Personnel cost

Staff productivity can drop dramatically if the attack affects your employees’ ability to work. In addition, your in-house IT and security personnel will probably be sidetracked from their regular duties while they try to restore the system, which can impact other deliverables and may have financial consequences further down the line.

Outside contractors

To restore your system, you may need to hire data recovery consultants. Their fees depend largely on the size of your company and the scale and complexity of the attack, but can easily end up in the six-figure range.

After the attack

Actual ransom

This is the sum of money (usually in the form of a cryptocurrency) you pay the hackers to decrypt your files. The ransom can vary depending on the attack. According to figures from Coveware, the average ransom organizations paid per ransomware incident in the first quarter of 2019 was $12,762.

Legal fees and fines

In some situations, a ransomware attack can be construed as a data breach (although it’s still a bit of a legal gray area). If your organization is found to be negligent in regard to its cybersecurity system, or the way it stores or secures data, your organization could potentially be looking at some hefty legal fees. About 41 percent of C-suite executives say that customers have taken legal action against their companies after a data breach, according to a report by Radware. You may also be liable to pay violation and breach fines from regulations such as HIPAA and GDPR.

Loss of reputation

Unsurprisingly, a ransomware incident can severely damage an organization’s reputation if the attack is publicized, which can have a dramatic effect on sales. As many as 70 percent of consumers say they would stop doing business with a company if it experienced a data breach, according to a survey of 10,000 consumers conducted on behalf of Gemalto.

Increased insurance premiums

Cyber insurance has become increasingly popular in recent years as companies look for ways to protect themselves against ransomware and other digital threats (although there’s still a lot of controversy over whether insurance companies are actually liable for ransomware attacks). If you’re involved in an attack and make an insurance claim, you’ll need to consider how much your premiums will increase.

New IT budget

For many businesses, a ransomware attack serves as a catalyst to upgrade IT infrastructure. If you’ve been running your business on outdated hardware, you’ll need to look at your IT budget and calculate how much it will cost to bring your systems in line with current best practices.

To pay, or not to pay, that is the question

For most business owners, priority is given to recovering data, minimizing costs and resuming normal operations as quickly as possible. After running some rough calculations of how much the ransomware attack will cost, you may be tempted to give in to the demands and pay the ransom immediately.

But don’t hand over the money just yet. Choosing to pay the ransom is a difficult decision to make and one that should not be taken lightly.

Here are some factors to keep in mind:

Advantages of paying the ransom

Reduce disruption

Regardless of the industry you operate in, ransomware can have a profound impact on your usual daily operations and may result in significant financial losses. Many organizations are willing to pay a relatively small amount of money in order to quickly resolve the issue and get their business back on track.

Can be cheaper

The main cost of ransomware is the associated downtime. In fact, according to Datto, the average cost of downtime is more than 10 times higher than the average requested ransom amount. As such, paying the ransom and quickly decrypting your files can work out to be much cheaper than spending time trying to restore your system from backups.

Insurance may help cover the costs

As mentioned above, there have been some high profile cases of insurance companies not paying out for ransomware incidents. Nevertheless, if you have invested in good cyber liability insurance, there’s a good chance that your insurance will help cover at least a portion of the ransom cost.

Disadvantages of paying the ransom

No guarantee that you’ll receive a decryptor

While it’s generally in cybercriminals’ best interests to hold up their end of the bargain (victims are more inclined to acquiesce if they know they’ll be able to retrieve their files after paying), you have to remember that you’re dealing with unethical people who operate outside of the law. As such, there’s no guarantee that you’ll receive the promised decryption tool after paying the ransom.

The decryptor may not work

Even if the cybercriminals stick to their word and send you the ransomware recovery tool, there’s a high risk that the decryptor may not work. Less than half of the 38.7 percent of ransomware victims who choose to pay the ransom are able to recover their files using the tools provided by the ransomware authors, according to a study by the CyberEdge Group.

May be targeted again

If you choose to pay the ransom, your organization may be repeatedly targeted in the future as the criminals already know that you’re susceptible to exploitation.

Ethical implications

There are also significant ethical implications involved with paying the ransom. Many law enforcement agencies believe that paying the ransom encourages more ransomware attacks as it proves that ransomware is lucrative. By paying, you may be incentivizing more attacks and perpetuating the ransomware cycle.

In addition, some cybercrime groups are involved in other criminal enterprises. There’s a chance that the ransom money you pay may be indirectly funding serious criminal activities such as drug manufacturing or human trafficking.

Should you pay?

There’s no definitive answer to this question – it all depends on your specific situation.

Most law enforcement agencies discourage cooperating with cybercriminals and suggest only paying the ransom when you have exhausted all other options. As the FBI says:

“There are serious risks to consider before paying the ransom. [The United States Government] does not encourage paying a ransom to criminal actors. However, after systems have been compromised, whether to pay a ransom is a serious decision, requiring the evaluation of all options to protect shareholders, employees, and customers.”

That doesn’t necessarily mean that you should never pay the ransom, but it does highlight the importance of conducting a cost-benefit analysis before making your decision.

It might make sense to pay the ransom if:

• You are unable to restore your system from backups.
• You cannot retrieve your files using a free ransomware decryption tool.
• The encrypted data is absolutely vital.
• The downtime will severely impact your business, clients and other stakeholders.

As a general rule of thumb, you should only pay the ransom as an absolute last resort and you truly cannot afford to lose the data.

Ransomware recovery companies

Whether or not you decide to make the payment, you may wish to consider contacting a ransomware recovery service. There are a number of companies in this space that promise to remediate ransomware and help organizations recover after their files have been encrypted.

It’s important to note that these companies typically don’t employ any magical decryption techniques. Instead, they usually just pay the ransom to the attackers in order to obtain the recovery tool. There’s nothing inherently wrong with this – recovery services have the expertise to ensure the transaction goes smoothly and can negotiate on your behalf to reduce the ransom – but not all ransomware recovery companies are transparent about their practices, which can breed mistrust and suspicion.

If you do wish to use a recovery service, we recommend using a trustworthy company like Coveware. Coveware is transparent about its services and has an excellent track record of helping victims recover their files. The Emsisoft lab team works closely with Coveware to create custom solutions for certain strains of ransomware.

Every situation is different

Every ransomware incident is different, so it’s impossible to definitively say whether your organization should or shouldn’t pay the ransom. While it may be tempting to try and quickly resolve the issue by paying the ransom, it’s important to remember that there’s no guarantee that the criminals will hold up their end of the deal or that the decryptor will work.

Calculating the true cost of ransomware and carrying out a thorough cost-benefit analysis will enable you to make a more informed decision as to whether or not you choose to pay the ransom.