
Ransomware payments: Considerations before paying

To pay or not to pay -- that's the question after a ransomware attack. Law enforcement recommends against it, but that doesn't stop some companies from paying up.

Organizations know the danger ransomware poses. If an attack isn't detected in time, it can encrypt business-critical data, exfiltrate it and publicly post it. Ransomware can cost an exorbitant amount of money, in both fallout and ransom demands. Once a company has received a ransom demand, it's too late to prevent the attack; the intrusion has already succeeded, and the company is a victim.

Now's the time executives must decide whether or not their company should pay the ransom. While law enforcement strongly recommends against paying, some companies choose to do so. Let's look at why companies might pay the ransom, as well as reasons they shouldn't, plus the legality of making ransomware payments and how to engage assistance from the authorities.

Should companies pay the ransom?

Ask law enforcement, and the answer is a resounding no. Even most cybersecurity experts say no. Yet, there are times when the answer is: It depends.

The answer often comes from weighing business outcomes. For example, can the business survive without the encrypted or stolen data, and how long can it operate while restoring from backups? On the other hand, is it worth gambling that a payment actually produces a working decryptor, or that the attackers delete the data they stole?

Let's take a look at scenarios in which companies might pay the ransom and why they shouldn't.

Why companies pay ransoms

Despite advice to not pay the ransom, 51% of organizations that suffered a ransomware attack paid the ransom, according to a 2024 Ponemon Institute report.

Companies might opt to pay for the following reasons:

  • Faster recovery time. If data restoration takes too long and the company faces a long, costly downtime, paying the ransom might be the quicker, cheaper alternative.
  • Damage to business. Ransomware can cause revenue loss and reputational harm. Announcing that a company got hit with ransomware can also reduce customer confidence. For that reason, many organizations do not disclose whether they paid a ransom.
  • Excessive recovery costs. Paying a ransom is a business decision. If the costs to recover from a ransomware attack exceed the ransom payment, companies might take a gamble.
  • To protect customer or employee data. Some attackers threaten to release sensitive data they exfiltrated to pressure companies to pay. Organizations that don't want customer and employee data exposed might pay to prevent it.

The following are examples of companies that paid the ransom:

  • In 2024, Change Healthcare paid the BlackCat ransomware-as-a-service (RaaS) group $22 million to restore its services.
  • In 2024, a Fortune 50 company paid $75 million of a purported $150 million ransom to Dark Angels after the group stole 100 TB of data. Bloomberg reported the victim was pharmaceutical giant Cencora, but the company has not confirmed or denied the allegation.
  • In 2023, Caesars Entertainment paid $15 million in an attack that used the ALPHV/BlackCat ransomware to steal data. The original demand is believed to be $30 million.

Why companies shouldn't pay ransoms

Paying the ransom often does more harm than good to the entire industry. There are also legal and ethical concerns to consider. While paying might appear to be a viable option in certain situations, organizations shouldn't pay for the following reasons:

  • It encourages attackers. Paying the ransom provides bad actors with additional funds to run future attacks. Victim companies might even suffer repeat attacks if word gets out that they paid. Plus, as long as ransomware remains profitable, threat actors continue to use it.
  • It escalates payments. Ransomware groups often ask for multiple payments in double-extortion ransomware attacks. For example, the first payment is for decryption keys, and the second is to prevent attackers from publicly releasing the data.
  • Data isn't always returned. Even if a company pays, there's no guarantee that the attackers provide a decryption key or return the data. According to the Ponemon Institute report, only 13% of the 51% of organizations that paid the ransom recovered all their data.
  • Potential for future legal issues. Making payments could get companies in legal trouble. For example, paying a group that is under sanctions, or that operates out of a sanctioned country, can violate sanctions law, and some governments treat payments to certain groups as financing terrorism.

The following are examples of companies that refused to pay a ransom:

  • The Port of Seattle refused to pay the ransom after an August 2024 attack by the Rhysida ransomware gang but suffered outages for weeks.
  • Cleveland's city government didn't pay the ransom and remained closed for 11 days while it restored systems after suffering an attack from an unknown ransomware gang in June 2024.
  • MGM Resorts International refused to pay the BlackCat RaaS following a September 2023 attack yet faced an estimated $100 million in cleanup costs.

Is it legal to pay the ransom?

Despite recommendations to not pay, it is legal to pay ransoms in the U.S. -- with some caveats.

The U.S. Department of the Treasury released a 2020 advisory (updated in 2021) that said companies could face legal trouble if they engage with ransomware actors. For example, anyone involved in a ransomware payment -- whether as the victim, the cyber insurance firm, a negotiator or the financial institution that moves the funds -- could violate Office of Foreign Assets Control (OFAC) regulations.

OFAC said that paying a ransom not only encourages further ransomware attacks, but can also expose organizations to civil penalties under the International Emergency Economic Powers Act or the Trading with the Enemy Act if the payment goes to a person or group on OFAC's Specially Designated Nationals and Blocked Persons List, or one otherwise covered by a sanctions program. OFAC enforces these rules on a strict liability basis, so a penalty can apply even if the victim did not know the recipient was sanctioned. The advisory does treat a victim's prompt, self-initiated report of the attack to law enforcement, and its cooperation during the investigation, as significant mitigating factors.

Certain states, including Florida, North Carolina and Tennessee, also prohibit public sector organizations from paying a ransom.

Using cyber insurance and ransomware negotiation services

Many organizations purchase cyber insurance that covers ransomware. Depending on the insurer and policy, coverage can extend to ransom payouts -- for example, MGM Resorts said it expected its $100 million loss to be covered by its cyber insurance policy. Policies might also reimburse business downtime and cover the costs of cyber forensics, data recovery, breach investigation, PR and more. Many insurers also offer prebreach services, such as vulnerability scanning, employee training and tabletop exercises.

Cyber insurance is complex, and companies without a policy might find it difficult to obtain one. Standalone premiums continue to rise as insurers adjust pricing and coverage terms to offset the high cost of ransomware payouts. Many insurers are also limiting coverage in certain scenarios and adding exclusions, such as war or state-backed attack exclusions.

Cyber insurers also require that clients meet certain criteria. Most policies won't cover companies that don't follow ransomware prevention best practices, and insurers increasingly verify these controls during underwriting. To meet policy requirements and potentially lower premiums, organizations should implement MFA, offline or immutable backups, patch management, endpoint detection and response, and other ransomware protection measures.

If organizations have already been hit by ransomware, they might opt to use ransomware negotiation services. These third-party brokers serve as intermediaries between the company and ransomware group to help with the following:

  • Verify that the cybercriminals claiming responsibility actually carried out the attack and hold the data or decryption keys they claim to, for example by requesting a sample of the stolen files or a test decryption of a few files.
  • Pause the attack. Entering negotiations often involves attackers pausing attacks in progress, giving organizations time to investigate the impact of the attack and determine the feasibility of recovery.
  • Reduce ransom requests. For example, Caesars Entertainment paid only $15 million of the requested $30 million after its ransomware attack.

Note, ransomware negotiation services are not without challenges and do not always end successfully for the victim.

Can law enforcement help with ransomware?

Many law enforcement agencies assist organizations that have been the victim of a ransomware attack. In the U.S., for example, victims can report the incident to CISA or to the FBI through its Internet Crime Complaint Center (IC3) or a local field office, and can use CISA's ransomware response checklist, part of the #StopRansomware Guide, to start the recovery process.

According to Sophos' "The State of Ransomware 2024" report, 97% of organizations that suffered a ransomware attack contacted and worked with law enforcement agencies. Of those organizations, 61% received advice on how to deal with ransomware, and 60% got help investigating the attack. Additionally, law enforcement agencies helped 58% of organizations that had their data encrypted recover that data.

Whether or not an organization decides to pay the ransom, the FBI and CISA ask that ransomware victims notify law enforcement so they can track incidents, warn other potential victims and assist in future prosecutions.

Kyle Johnson is technology editor for Informa TechTarget's SearchSecurity site.
