Should you pay the ransom in a ransomware attack?


19 Nov 2019

Jerald Ray. Image: SecureAge

Jerald Ray, COO of SecureAge, debates the merits and drawbacks of paying up when ransomware comes calling.

File hijackers, data kidnappers, system terrorists – whatever term is used to describe the perpetrators behind ransomware attacks, they all invoke imagery of human hostage-taking and the associated arguments either for or against paying ransoms.

Pundits draw parallels to individual-needs-versus-collective-action debates, in which paying the ransom to benefit any single victim ruins it for everyone else, inspiring further ransomware attacks while enriching the criminals or rogue states behind them.

Once cyber insurance policies that cover ransoms join the narrative, moral hazard comes up, leading every opinion-giver to sound as if they were either defending the life of a hostage or sacrificing it for the greater good.

Data is not a human life

From the term ‘ransomware’ alone, it’s impossible not to see the attacks and the hackers who launch them as human hostage-taking scenarios. But these events and the doctrines behind the responses are necessarily different. If for no other reason, the data being held hostage should never be anthropomorphised – data is not a human life.

Despite all the similarities, the data encrypted by ransomware cannot appeal to its captors for aid or freedom. It does not deteriorate as time passes, it cannot make escape attempts on its own, and it does not suffer emotionally or physically in captivity. Moreover, an unlimited number of perfect clones could have been made before the attack. A simple reminder that the data is not a human life should bend the conversation and decision-making just enough.

Ransomware attacks and the associated harm can be massive. But does paying the ransom exacerbate the problem? Do the benefits of paying the ransom accrue only to the individual victim and hackers, and do the damages of paying always harm the collective?

‘The data being held hostage should never be anthropomorphised – data is not a human life’

The amount of ransom paid to have data restored versus its replacement cost has become an actuarial exercise and less of a moral dilemma, despite a rising cry for unity among those who believe the ransoms should never be paid in order to dissuade the bad guys from launching further attacks.

The numbers lead those with hijacked data to decide whether paying the ransom, in the hope that the attackers are good on their word, costs less than replacing the data and, in some cases, even the systems and network infrastructure that allowed the ransomware attack to happen in the first place.

Associated risks can be estimated and premiums tabulated, leading to ransomware insurance policies that cover the attack costs, typically the lesser of ransom or recovery.

Insurance adds to the problem

To those opposed to paying ransoms because they believe that doing so will enrich bad actors and embolden them to launch even more variants of ransomware, insurance payouts make everything worse. Such coverage also allows insurers to sell more policies, policy holders to take more risks, and data recovery experts to find themselves earning more from insurance companies for services after attacks.

Again, the encrypted data is not a life. And ransomware attacks can currently be resolved with money, unlike a lost human life. The paying party, whether an individual or an insurance company, doesn’t change the equation; the cost of the attack will be either the cost of restoration or the ransom. For insurers to pay those fees is not somehow worse than their payouts for stolen cars, artwork or other valuables.

More likely, insurance companies would rather not have to pay any ransomware claims at all. Their incentives align with better IT security practices and tools among their policy holders. They may offer significant discounts for the presence of tools that prevent ransomware, or charge steep premiums to companies that lack meaningful cyberdefences.

The cost of those policies and discounts can influence both awareness of and investment decisions in effective security, as opposed to cybersecurity as a box-ticking exercise for regulatory compliance.

By Jerald Ray

Jerald Ray is the chief operations officer of SecureAge Technology.