Ransom Demands – To Pay or Not to Pay

Guest article written by CyberClan

Key Considerations

Much of the recent discussion around the forensic, legal and communications response to a ransomware attack concerns strategy: how to manage communications, and how to manage the forensic response (or the organisation's pre-breach cyber security posture) so as to minimise the chance that the organisation will need to pay a ransom to the hacker or threat actor group.

However, while the rate at which ransoms are paid has decreased significantly over the last few years, ransoms are still being paid, so organisations need to know how to determine whether they can, or should, pay, and what factors should go into that decision.

This short article lays out some of the factors that should be considered, as a basis for better organisational decisions.

  1. Can you pay?

The first thing any organisation considering paying a ransom needs to understand is the legal regime within which it operates, and any legal requirements or restrictions in place with regard to a ransomware payment.

In most jurisdictions, this will require some sort of sanctions check, in order to determine whether the threat actor, variant, cryptocurrency wallet, or identified host country has been sanctioned or is “sanction adjacent”. Most Western countries have laws preventing payments to sanctioned groups, entities, or countries, so specific legal advice should be obtained in this regard, and a sanctions check should be performed before any decision to pay a ransom.

This also requires an understanding of who the threat actor may be, or what threat actor group is behind the attack. This should be confirmed (on a best available evidence basis) by the forensics response company, or the ransom negotiation team (which may, or may not, be the same organisation – at CyberClan we certainly do both, but not all of the players in the industry do).

  2. What are you paying for?

In general, organisations are either paying for the return and/or deletion of stolen data or information, or for decryption keys so that the organisation can decrypt encrypted servers and information and get back up and running.

Organisations that are paying for the deletion or return of stolen data need to consider carefully whether there is value in doing so. In most jurisdictions, paying for the deletion or return of stolen data or information does not relieve the organisation of its obligation to notify affected individuals, so legal advice on this issue should be obtained.

Organisations should also consider carefully whether it is worthwhile to erode the available insurance limits (assuming the organisation is insured) or spend company assets if the information or data can be recovered in another way, or whether it is “mission critical” to recover the data or ensure its deletion.

If the affected organisation needs the decryption keys in order to get back up and running, then it really is at the mercy of the threat actor, and should engage negotiators to minimise the amount to be paid, if at all possible.

  3. What is the actual value of any payment?

When engaging in negotiations, the affected organisation should consider the true value of what it is paying for. If it is decryption keys, what is the daily business interruption loss the business is experiencing? If the threat actor has stolen or exfiltrated company secrets, what is their value to the organisation, or to competitors? That determination should inform the amount the organisation is willing to pay, and should form part of the rationale in any discussion with an insurer and/or the board of directors about making a payment.

  4. What risks are avoided by making a payment?

This is another factor to consider when deciding whether to make a ransom payment: are there risks that are avoided or reduced by paying?

In most jurisdictions, as noted above, organisations can no longer reduce or eliminate notification risk by making a ransom payment. However, organisations may be able to reduce the risk that their clients' information will be used for online fraud by doing so. There may also be public relations risk that can be avoided or mitigated by making a payment, although in the writers' opinion this benefit is diminishing over time, especially given the disclosure requirements in many jurisdictions.

In order to assess the value of these risks, the affected organisation must have a realistic picture of what information was exfiltrated or accessed, and how it might be weaponised, monetised, or used for financial fraud.

In addition, the likelihood of those risks should be analysed, along with the likely actual cost to the organisation should they materialise, in order to understand the current monetary value of the risks the organisation is seeking to avoid.

In conclusion, the above list is not meant to be exhaustive, but merely a guide to some of the factors that should be considered when choosing whether or not to make a ransom payment. Affected organisations should consult with experienced counsel and with experienced forensics teams and negotiators when responding to any ransomware attack.

Mikel Pearce, General Counsel and Breach Coach Relationship Manager, CyberClan

Patrick Griffith, Global Head of Sales, CyberClan

Nicolette Reyhani, Director of Sales, CyberClan

Sarah Neild, Head of Cyber Retail, Howden


This article has been written by CyberClan and the opinions and views stated in this article are those of CyberClan and not Howden Insurance Brokers Limited (“Howden”). Howden shall not (i) owe or accept any duty, responsibility or liability to you or any other person; and (ii) be liable in respect of any loss, damage or expense caused by your or any other party’s reliance on this article.