The ultimate price: The morality of paying your attacker their ransom

Blog | 01-12-2022 | 3 Minute read


Author: David Simon, ManageEngine Marketing Analyst

“Have you backed up your files?”

If you had a Dirham for every time you heard this and followed up with immediate action, you’d be a Sheikh by now. But alas, we’re here because you didn’t do your due diligence and now you have to pay the ultimate price: your data has been compromised and you’ll have to decide what to do about it. But don’t feel too bad; data backup at a corporate level is a luxury not everyone gets to enjoy. Sometimes the best one can do is to secure their data with best-in-class cybersecurity solutions.

It’s a hard pill to swallow, but much like the disclaimers on most shampoo bottles or toothpaste tubes, even the world’s best cybersecurity solutions are not 100% effective. Solution providers make sure we know this, lest we decide to go down a highly misguided and mostly unfruitful legal route.

In most cases, paying the ransom demanded by your attacker will not be the best option. A 2021 HelpNetSecurity report reviewed the global state of ransomware attacks. It’s a bit of a relief to know that 37% of companies suffered from severe data encryption in 2021, down from 51% in 2020, while the percentage of companies paying the ransom increased from 26% in 2020 to 32% in 2021. Alarmingly, only eight percent of companies who paid a ransom were able to retrieve their files, with just over half their files recovered. In the ransomware attack disclaimer, where’s the fine print that guarantees all your files will be recovered once the ransom is paid? It’s imperative to note that when dealing with a cybercriminal entity (or possibly even a terrorist organisation), any payment made could carry the implication of aiding and abetting cybercrime or worse… terrorism! When you’re faced with such a moral conundrum, is it ethical to pay the piper?

There’s no honour among thieves

If a ransomware attack has encrypted files of the highest value, there is sometimes no choice but to pay the ransom. Let’s say a hospital is attacked and the data that’s been encrypted is absolutely critical to the patients’ well-being and recovery. The morally correct thing to do is to pay the ransom, almost like in a hostage situation, but in this case it’s life-saving data that’s being held at gunpoint. No matter what exorbitant demand is made by the abductor, it’s almost always fulfilled, usually through the transfer of digital currency. Once the transfer is made, the attacker should provide a decryption key to unlock the files. But what’s the chance that the hospital will get its data back? Remember, they’re dealing with a criminal whose primary concern is making money, not the well-being of the stolen data.

There’s a high probability that the attacker could provide a dud key, an incompatible key, or worse: the files could be double encrypted and the key only works for one layer of encryption. In such cases, negotiating with the attacker or trying to get additional help from them might prove futile. The next best option would be to seek the help of a ransomware recovery service. Here, a compliance officer would walk the organisation through the logistics of assessing the situation and informing the authorities if required, and would also provide technical support to work through the decryption.

Negotiating with criminals is not a position anyone wants to be in. In a hostage situation, once the drop-off is made, it is never certain that the hostage will walk away unharmed. That’s why there’s a backup team to make sure that things go according to plan. In a ransomware recovery situation, seeking help from a recovery service and legal team is like having a sniper squad to watch your six.

The consequences of making the “right” decisions

Making tough decisions, the consequences of which can directly impact business, is an enormous responsibility to have. We’ve investigated a case where paying the attacker could mean life or death, but what if the impact of losing your data is not that severe? What if the impact is financial? You’ve taken a firm moral stance that mirrors your zero-tolerance policy towards cybercrime. You’ve dismissed any talks of negotiating with the attackers and paying a ransom. You’ve sought the assistance of ransomware recovery services far and wide, and despite their best efforts to convince you to pay up, you’ve held true to your beliefs and flat out refused. You’ve relinquished any hope of ever retrieving your data, but you feel your company will be able to get up, dust itself off, and keep pushing ahead. But it’s really not all black and white.

In 2019, the US city of Baltimore, Maryland, underwent a ransomware attack. Their mayor at the time refused to pay the ransom of $76,000, instead choosing to replace and reinstall their lost networks from scratch, which ended up costing the city a whopping $18.2 million. Morality and ethics played a huge role in the mayor’s decision-making. He might have cost the city millions, but according to his conscience he made the right decision.

The right decisions aren’t always the best decisions. Not paying a ransom means you’re not playing any part in promoting cybercrime or succumbing to strong-arming, but it could greatly harm your bottom line. On the other hand, paying the ransom to your attacker might help retrieve your files, but you’ll still be prone to further attacks unless you strengthen your cybersecurity and eliminate the vulnerability altogether. Strong cybersecurity coupled with employee hygiene will help to ensure you’ll never have to make such difficult decisions in your career.

With the popularization of hybrid workspaces, a lot of importance is rightfully being given to endpoint security, as users tend to use not only company devices but also their own devices for work. This gives room for a variety of issues that some IT teams may not be equipped to handle. Having strong endpoint security helps pre-emptively stop cyber-attacks. In addition, periodic training on cybersecurity best practices and hygiene will help bolster a security-first mindset among a workforce that is constantly evolving, thus alleviating the workload on IT departments.

Seasoned decision-makers play a crucial role in the progress of their companies. For them, making decisions that impact business has become a process so mundane and inconsequential that, in the words of the great BB King, “the thrill is gone.” The reality is this: the likelihood of a company coming under a cyber-attack of some kind, ransomware included, is very high, and there will come a time when you will be put on the spot. The ultimate price will not be your lost or encrypted files, nor the amount you’ll have to pay as a ransom. The ultimate price is putting yourself in a position to have to choose between your integrity and your business responsibilities, all because you weren’t cautious. So what’s it going to be? Strong cybersecurity or paying the ultimate price?

The decision is yours.
