Below is an advisory taken directly from the U.S. FBI:
“The FBI does not advocate paying a ransom, in part because it does not guarantee an organization will regain access to its data. In some cases, victims who paid a ransom were never provided with decryption keys. In addition, due to flaws in the encryption algorithms of certain malware variants, victims may not be able to recover some or all of their data even with a valid decryption key.
Paying ransoms emboldens criminals to target other organizations and provides an alluring and lucrative enterprise to other criminals. However, the FBI understands that when businesses are faced with an inability to function, executives will evaluate all options to protect their shareholders, employees, and customers.”1
Furthermore, payment of a ransom by either the organization or its insurer could raise questions as to whether the payment constitutes funding criminal groups, terrorism, or rogue states, and/or violates Anti-Money Laundering (AML) laws.
Despite the risks, some argue that paying the ransom should be viewed as a viable option and evaluated like any other business decision (see: "Unconventional Wisdom: Explore Paying The Ransom In Parallel With Other Recovery Options," Josh Zelonis, Principal Analyst, Forrester Research, June 4, 2019).
With the average ransomware attack lasting 12.1 days2, there are real costs to having a company or city offline for days. If one accepts the figures published in popular media, ransom payment often appears to be the least costly option. For instance:
- The City of Atlanta was hit with SamSam in March 2018 and refused to pay the $51,000 demanded; it was unable to work around the encryption and spent $17 million to rebuild its network.
- Baltimore, in May 2019, refused to pay the $76,000 demanded by the attackers and then had to spend an estimated $18 million to rebuild its networks.3
Experts, such as those at Forrester Research, recommend that organizations weigh everything from their ability to recover, to consultant costs, to disaster recovery (DR) plans, as well as cybersecurity insurance and whether it will cover a ransom. Other factors to weigh include quantification of brand reputation loss, anticipated impact on customer satisfaction, and potential legal liabilities.