Disclaimer:
In the majority of cases, the determination of whether or not to pay a ransom is a business decision, and this blog is intended solely to help decision-makers navigate that decision-making process in a structured manner based on our experiences, engagements, and discussions with senior decision-makers in the wake of a ransomware incident.
In ransomware communications engagements and in this blog, GuidePoint’s Research and Intelligence Team (GRIT) does not actively direct or encourage the payment of ransoms to cybercriminals, which may incentivize or support continued ransomware operations. Instead, GRIT encourages a strong proactive defensive posture, a rapid reactive incident response, and general non-pecuniary communications to better understand the impacts or claims made by the threat actor.
Decisions of whether to pay a ransom should be based on a thorough consideration of viable alternatives, the business impact of degraded operations, an organization’s fiduciary responsibilities, and all applicable legal, statutory, and regulatory considerations.
GuidePoint’s Research and Intelligence Team (GRIT) performs Threat Actor Communications (TA Comms) on behalf of our clients in response to ransomware and other threats.
In our engagements, one of the most frequent questions we face is the obvious: “How do we decide whether to pay or not?” Fear of legal consequences, unfamiliarity with the situation, and the pressure of an active incident all contribute to clouding what would normally be a standard answer: It comes down to a business decision.
In an ideal world, discussions on communications and payment (or the opposite course of action) are held well in advance, allowing decisions to be made objectively and execution to be carried out without delay mid-incident. However, we have found this to rarely be the case. To aid decision-makers in considering the question of whether to pay or not, we’ve put together this blog to give some insight into the typical thought process and considerations faced by those handling a ransomware incident. Whether consulted in advance or in the heat of the moment, we hope you find it helpful.
This blog is based on information current as of October 2024 and on US laws at that time. Changes in regulatory, statutory, and other obligatory requirements may alter some details in practice, and readers representing non-US organizations are advised to consult with legal counsel to understand applicable and different conditions, such as GDPR.
Costs and Scope of Disruption
As a ransomware attack unfurls and operational disruptions are realized, the factor first and foremost in many executives’ minds is the scope of impacts and the cost of continued disruption. Ideally, organizations will know the cost of disruption on an asset or capability basis in advance, which is learned through proactive processes such as a Business Impact Analysis (BIA). In practice, we have found this to rarely be the case, and some level of “back of the envelope” math typically plays out in the early days when calculating the scope of impact.
Even in instances where independent recovery (such as by restoring from backups) may prove viable, the amount of time required to recover may not be viable from a financial perspective. For example, if a victim is losing $2 million in revenue every day that operations are disrupted, and recovery by backup is expected to take 5 days, a $1 million ransom payment may prove the more attractive option to restore operations and, therefore, revenue.
GuidePoint’s Research and Intelligence Team has long assessed that the cost of disruption contributes to the attractiveness of Healthcare and Manufacturing organizations to ransomware groups. Organizations can better prepare for and reduce the costs of disruption by conducting a thorough Business Impact Analysis to understand costs and recovery timelines in advance; reviewing current backup and disaster recovery procedures for thoroughness and efficiency; and adjusting plans or procedures as needed to reduce the anticipated timeframe for recovery. Examples of changes could include a greater frequency of backups, additional copies of backups, testing, and validation of backups, as well as tabletop exercises or response drills to refine the restoration process.
Recovery Viability
Typically, concurrent with the consideration of costs is the consideration of independent recovery viability. While most (but not all) contemporary ransomware groups employ data encryption as a primary tactic, most organizations have also taken steps to ensure the availability of data backups from which operations can be restored. Unfortunately, in many cases, ransomware affiliates have adapted by hunting for and encrypting network-connected backups, seeking to remove recovery as an organic option.
Multiple redundant, tested, current, offline, and immutable backups are key in providing reliable recovery options in the event of ransomware and many other disasters. When we have encountered clients who are unable to recover organically, typically, at least one of these aspects is missing. Singular copies of backups that are stored off-site, extensive backup infrastructure that was improperly configured, network-connected backups that are not immutable and can be encrypted, or backups that are too far out of date to be acceptable are examples of the most common impediments to restoration, even in organizations that notionally have functioning backup capabilities.
Establishing and benefiting from a viable backup recovery strategy removes the coercive power of encrypted data, but it does not altogether eliminate the threat of ransomware: contemporary ransomware often employs a “double extortion” approach, which also attempts coercion by exfiltrating and leaking sensitive data. However, by removing at least this point of coercive leverage, organizations can find themselves in a more optimal negotiating and response position.
Exfiltrated Data
Early ransomware focused solely on data encryption, a threat to which enterprise environments quickly adapted by adopting data backups from which victims could restore in the absence of an adversary-provided decryptor. Ransomware groups, in turn, adopted a “double extortion” model, in which sensitive data is exfiltrated prior to the execution of encryption. Doing so allows the threat actor to hold the sensitive data hostage, threatening to leak or sell the data, typically on a Data Leak Site or blog.
Data exfiltration is likely the most variable and complex consideration in determining whether to pay a threat actor; it remains a consideration in cases where data has or has not been encrypted and in cases where the volume of exfiltrated data is small or large. Compounding the issue is the core problem of communicating with any threat actor – to an extent, we are taking the word of a criminal. “Data Suppression” – as the act of paying wholly or partly to prevent the disclosure of exfiltrated data is commonly referred to by privacy counsel – cannot and does not actually guarantee that any exfiltrated data is deleted and does no harm. In early 2024, law enforcement disruption efforts that seized infrastructure from LockBit resulted in the disclosure that the group had, in at least some cases, retained data even when the victim had paid a ransom.
In the “best case scenario,” ransom payments will very likely prevent the public-facing publication of sensitive exfiltrated data, but this does not prevent ransomware actors from selling, dividing, or using any compromised data to their advantage at any point in the future. It is very unlikely that the victim will detect such activity in the future, and even when they do, there is no available recourse.
When considering data exfiltration as a driver of ransom payments, decisions are often made based on the risk of the exfiltrated data becoming published. This risk calculus, in turn, is often based on the volume, sensitivity, and subject matter of any impacted data, which can be hard to determine during an incident. Professional incident responders who can determine what data has been impacted and professional negotiators who can validate the scope of data ransomed are options to reduce or eliminate these blind spots and inform follow-on decision-making.
Cases where substantial Personally Identifiable Information (PII), Personal Health Information (PHI), or Intellectual Property (IP) is compromised are more likely to spur discussions of payment, given the risks and potential impacts of such data becoming public. Organizations can better prepare themselves to identify and respond to the data types impacted through appropriate data classification procedures.
The increase in statutory and reporting requirements for certain organizations – such as public companies and critical infrastructure – may make public disclosure of the incident an inevitability rather than something that can be avoided. For example, public companies are now required to file an SEC 8-K disclosing “material” cyber incidents, and critical infrastructure organizations may be required to report cyber incidents under the Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA), regardless of whether a ransom is paid.
Ransom Demands
This consideration – what and how much the ransom actually is – may seem obvious, but less obvious is the wide range actually present “in the wild.” Headlines tend to capture outlier events impacting major organizations with allegedly astronomical ransom demands in the multiple millions. While these certainly do occur with regularity, they are often the result of a “big game hunting” approach taken by the most prolific and established ransomware groups.
Concurrent with the largest predators in the ransomware ecosystem are mid-sized and smaller groups, most of which are opportunistic in nature and may impact Small and Mid-Sized Businesses (SMBs), or have more limited impacts (e.g. encryption but no exfiltration, or vice versa). Anecdotally, such groups appear to demand smaller ransoms with a greater emphasis on obtaining some level of payment than nothing; in comparison, “big game hunting” may yield a very high rate of refusal but result in a single, large payment in the millions. Ransom demands from smaller groups may range from tens to hundreds of thousands of dollars, though we have observed ransoms as low as the thousands in outlier incidents.
For some victims, ransom amounts may be sufficiently low to outweigh the cost of outside vendor support, legal support, and/or operational disruption; in these cases, the organization still stands to benefit from the post-incident analysis of what went wrong and why, in order to prevent future intrusions via the same access vector or following the same path along the kill chain.
An additional consideration is the threat group at hand and its ability or likelihood of a reduced final ransom demand. From our experience, the initial ransom demand is almost never inflexible, though the degree of flexibility varies based on the affiliates involved and the circumstances of an incident. Ransomware incidents with more limited scope or success often result in reduced leverage on the part of the threat actor, providing an opportunity to offer reduced payment amounts, for example.
A further consideration is the reputation and background of the attacking threat actor – in exchange for payment of the ransom, group A may be willing to “delete” exfiltrated files, never post the identity of the victim, decrypt encrypted files, and even provide some modicum of troubleshooting support during decryption. Group B, by comparison, may use a leaked encryptor and prove unable or unwilling to provide all relevant decryptors or to troubleshoot decryption issues.
Threat intelligence professionals and researchers, or appropriately trained ransomware negotiators, should be able to anticipate and adjust an organization’s response strategy based on the specific group and known past behavior and advise an organization appropriately. Organizations can better prepare for this factor through threat modeling and rigorous incident response planning. Threat intelligence and communications professionals, such as those provided by GRIT, are available on a reactive basis or can be obtained through retainer arrangements.
Cyber Insurance Coverage
Cyber liability insurance, also referred to as cyber insurance, is increasingly common in large organizations as a bulwark against heavy costs associated with ransomware and other incidents. Cyber insurance policies often vary widely in the details, from whether payments are made by reimbursement or directly through the insurer to what costs are covered under the policy. Organizations should familiarize themselves with the outlines and conditions of their individual policy (as applicable) in advance of an incident and factor them into incident response planning.
For those cyber insurance policies that do cover ransom payments, the amounts may be capped, or the firm may insist on active negotiation efforts before making a payment in order to bring the cost to the insurer down. Insurance carriers should be able to provide insight into this process in advance to facilitate the planning process.
A 2023 study by the Royal United Services Institute found no “compelling evidence” that victims of ransomware attacks with cyber insurance were more likely to make a ransom payment than those without, but did find that some ransomware groups sought out details of cyber insurance policies, likely to guide the setting of ransom demands.
Further still, some portion of victims may face a ransom demand that is in itself lower than the deductible of their cyber insurance policy, making a direct payment a more attractive option than going through the process of reimbursement through their carrier.
While there is no evidence that the mere presence or absence of cyber insurance correlates to a higher or lower likelihood of ransom payment, it remains a point of consideration and discussion in every communication engagement GRIT has participated in with an insured organization. Additional steps, paperwork, delays or lead times, and oversight or involvement in negotiations are additional factors that organizations should consider when determining whether to pay a ransom, as well as the likely timeline for doing so.
Regulatory, Reporting, and Legal Requirements
Penultimately, we reach a consideration that is directly or tangentially tied to many of the preceding aspects – the relevant regulatory, statutory, reporting, and legal requirements of the victim organization.
As has been touched on earlier, organizations should be cognizant of the regulatory, statutory, and reporting requirements within their organization and its corresponding industry. In addition to removing the possibility of “covering up” a breach, these requirements may also mandate additional disclosure of attack or ransom details or entail administrative burdens to be shouldered by the victim organization. For example, for public companies, the requirements and process of filing an SEC 8-K form necessitate determination of materiality, timely disclosure, public disclosure of material details, and legal and communications oversight associated with doing so in a responsible manner. Failure to adhere to these standards or the provisioning of misleading or inaccurate information may cause further reputational damage to a victim organization.
The points covered in this blog are primarily relevant to US-based organizations, with international organizations entailing additional or different regulatory and statutory considerations. For example, multinational organizations with operations in the European Union may need to evaluate the impacts of the General Data Protection Regulation (GDPR) depending on the circumstances of an incident (e.g., if EU citizen data was involved or if impacted data transited the EU). We strongly advise consultation with outside privacy counsel in most ransomware incidents impacting large organizations, though the need to do so is increased in multinational organizations.
An example of a legal requirement that must be considered is international sanctions. While the anonymity of cryptocurrency wallets makes it difficult to attribute ransomware activity to specific sanctioned individuals by design, there remain exceptions where groups or individual actors subject to international sanctions substantially impact the ability or willingness of an organization to pay a ransom. An example is in the international sanctions applied to LockBit’s administrator persona, LockBitSupp, in early 2024. Because it is impossible to guarantee that a ransom payment made to a LockBit affiliate would not result in a payment to LockBit’s administrators, almost all cryptocurrency brokers will refuse to authorize or execute a ransom payment resulting from a LockBit attack. Sanction checks and verification of legality are a required part of most, if not all, ransomware communications engagements, whether performed directly by the team or through an outside due diligence firm.
Communications and Reputational Risk
Finally, impacted organizations must consider their decision to pay or not pay a ransom within the context of their external perception and communications. Depending upon the scope of a ransomware attack, the impacts, and the players involved, the organization may be helped or hindered based on their payment decision.
A recurring motif in high-profile case studies is the efforts by organizations to obfuscate the extent and impact of an incident, with public or legal backlash when a fulsome understanding of the incident comes to light. The details obfuscated vary, from the full impacts of the incident to whether a payment was made.
Ransom payments, unfortunately, rarely result in a definitive “win” for victim organizations. Payments can be “spun” as negative for supporting continued cybercrime or as a positive for ostensibly preventing the sharing of sensitive, exfiltrated data. The same can be seen in the reverse for non-payment, with non-paying organizations risking becoming framed as unconcerned with the data privacy and security of their employees or customers. Both of these possibilities are best addressed by crisis communicators, public relations, and communications professionals, whether internal or external to an organization. As an incident progresses and additional information is uncovered, proactive communications, both internally and externally, will be key to controlling the narrative. Communications strategies will change in response to executive decisions – including whether or not to make a payment – and as such, leadership may want to consult with communications professionals to understand the possible impacts of making or not making a ransom payment.
TL;DR
The decision to make or not make a ransom payment as an organizational victim of ransomware is principally a business decision based on a litany of factors, including the scope of the incident, the ability of the victim to recover independently, the data impacted, the ransom demand itself, the legal and regulatory landscape, the involvement of cyber liability insurance, and the communications consequences of paying or not paying.
The thread that runs through each of these considerations is the extent to which many of them can be reduced in severity or consequences by thorough advance planning:
- Scope and impacts can be planned for through business impact analysis and an understanding of the costs of disruption.
- Recovery viability can be planned for through the application of best practices in making backups off-line, redundant, immutable, available, and current, and by testing to verify the same.
- Impacted data can be planned for through the use of appropriate data classification procedures, supporting the identification and triage of impacted data more rapidly.
- The legal and regulatory landscape can be planned for through consultation with general counsel and/or outside privacy counsel in advance of an incident and the inclusion of requisite reporting or notification details as part of a thorough incident response plan.
- Cyber liability insurance considerations can be accounted for by understanding the scope and details of a given insurance policy and including consideration of these aspects in incident response planning.
Incident response planning for ransomware should entail a whole-of-organization approach that anticipates and accounts for the variables associated with ransom payments – or the absence thereof. This differs from the traditional incident response process, which many of us have become accustomed to, which is focused primarily on Security Operations’ response efforts.
In addition to the ransomware negotiation services that GuidePoint’s Research and Intelligence Team offers – what we call “Threat Actor Communications” – GuidePoint maintains collaborative teams of incident response professionals, threat intelligence practitioners, and incident response advisors that can consult on the incident response planning process or respond to active incidents. Guided by years of experience across multiple industries and organizations of varying sizes, our consultants can aid your organization in proactively or reactively responding to ransomware in an optimal and nuanced manner.
Jason Baker
Threat Intelligence Consultant,
GuidePoint Security
Jason Baker is a Threat Intelligence Consultant on GuidePoint Security’s consulting team, where he engages in threat intelligence program development, as well as incident response investigations and reporting on behalf of the firm’s clients. His career background includes strategic cyber threat intelligence analysis and intelligence program management in the private and public sector.
Jason joined the GuidePoint team from UnitedHealth Group, where he worked as a senior Cyber Threat Intelligence Analyst responsible for enterprise analysis and support to incident response. Prior to that, Jason served 10 years in the United States Marine Corps and Department of Defense as a counterintelligence agent and analyst, in both military and civilian roles.
Jason’s intelligence experience includes 5 years supporting global counterterrorism efforts, as well as 4 years as a subject matter expert in cyber threats, analytic tradecraft, and intelligence-operations integration. Jason holds a Master of Business Administration degree from the University of Maryland, a Bachelor of Arts degree from Hamline University, and several CompTIA and GIAC certifications.