
Cyber Ransoms: To Pay or Not to Pay?

November 1, 2021

Ransomware attacks are an increasingly prevalent form of cyber threat. COVID-19 has contributed to the increase in ransomware attacks, as remote workforces are increasingly dependent on email and therefore susceptible to phishing attacks. In a typical ransomware attack, the hacker encrypts key files and systems at the target organization to cripple its operations and demands a ransom in exchange for decryption keys to unlock the affected systems. In recent years, ransomware attacks have increasingly involved data exfiltration, where the attacker steals sensitive data from the target and threatens to publish it online if the ransom is not paid.

The first question from an organization facing a ransomware attack is invariably: “should we pay the ransom?” Below are our top five tips for approaching that crucial decision point in an informed and practical manner.

1. Engage the right expertise. It is important to quickly seek expert advice on navigating a ransomware attack. Legal counsel should be involved from the outset of any cyber incident response, and in a time-sensitive situation it will usually be prudent to engage external counsel with experience handling ransomware attacks. The organization will also want to engage forensic experts to contain the incident, determine what files or systems have been compromised, look for evidence of data exfiltration and handle any communication with the hacker. If the organization has cyber insurance, the costs of legal counsel, forensic investigators and even a ransom payment may be covered, but it is important to give the insurer prompt notice of the incident.

2. Consider your backups. A robust backup system is often the first line of defence against a ransomware attack. If the attacker has encrypted business-critical files or systems, the organization must assess whether it can restore them from backups, how recent those backups are and how long restoration will take. Because attackers frequently try to encrypt or delete backups before deploying the ransomware, the first check is whether the backups themselves are intact and were kept offline or otherwise isolated from the compromised network, and whether a restore from them has actually been tested. In many cases, an organization that does not have usable backups may need to consider making a ransom payment to restore operations if the affected assets are business-critical and cannot be recreated within a reasonable period. By contrast, an organization that can restore compromised assets from backups may be able to avoid paying a ransom entirely and limit interruption to its business.

3. Assess the risk of data exfiltration and publication. Increasingly, ransomware attacks involve threats to publish exfiltrated data (e.g., personal information of employees or customers, or proprietary business information) if the ransom is not paid. In this scenario, the cost of the ransom payment must be weighed against the financial, legal and reputational risks of publication. Among other things, legal counsel will be able to advise on the risk of litigation brought by third parties whose information might be exposed. Before any payment is made, forensic specialists will often be able to obtain “proof of life”, that is, evidence (such as a sample of the files or a listing of what was taken) confirming that the hackers have indeed exfiltrated the data they claim to have, which the investigators can then compare against their own findings from the compromised systems.

4. Many ransoms can be negotiated. Hackers frequently set short deadlines for payment to pressure the target into paying quickly, before it has conducted a thorough investigation and assessment. In practice, it is often possible to negotiate the ransom deadline, the amount of the payment, or both. An experienced forensic investigator will generally have expertise in communicating with hackers (usually through the attacker’s site on the dark web; see the Blakes article “An Introduction to the Dark Web”) and conducting these negotiations. Forensic and legal experts will also often have intelligence on whether a particular attacker generally honours its promises to provide decryption keys or to delete exfiltrated data once payment is made.

5. Sanctions checks are essential. Making a ransom payment is not in itself illegal, although some organizations may have principled reasons to refuse to pay cybercriminals. In many cases, the actual payment of the ransom will be handled by a forensics firm. However, it is essential that appropriate checks be performed before payment, including screening against the sanctions lists administered by authorities such as the U.S. Office of Foreign Assets Control (OFAC) and compliance with any reporting obligations to FINTRAC, to ensure the payment does not violate sanctions legislation. If the hacker’s cryptocurrency wallet is connected to a sanctioned individual or entity, it may not be legal to make the payment.

For more information, please contact any member of our Cybersecurity group.