While most decision makers would likely prefer a simple yes or no when asking whether they should pay, nothing in security is simple. By and large, the position of many leaders in the industry is that the ideal outcome is not to pay.
Security experts across the industry would like to see all enterprises, large and small, be prepared for a hit so that they can recover their data without paying a ransomware fee. The question of whether to pay the ransomware fee is tricky, though, as sometimes organizations are left with no other options.
When asked whether companies should ever pay a ransomware fee, Ryan Manship, security practice director at RedTeam Security said, “The first thing about ransomware is that it’s in many ways like terrorism. The US has a policy not to negotiate with terrorists. Where does that come from? Why does it exist? The reality is, you can’t trust the bad guys. You can’t trust them to do what they say they are going to do, which is to give back access to your data.”
True, there is the question of whether a single payment can be trusted to result in the return of the data as promised, but enterprises hit with ransomware also face the hard fact that an attack can make their most critical information inaccessible and, in some cases, not recoverable at all.
“Some people might argue that paying is a viable option at that point,” Manship said. In paying, though, they also have to consider whether they can trust the attacker to keep their word. This act of holding data hostage could well become a continuous cycle.
Manship said, “There is no evidence that decrypting data means they are out of your system. Are they going to give you the key? How many times are they going to try to extort money out of you until they laugh and walk away and you are out of luck?”
Determining whether or not to pay is a call much more easily made in the hypothetical. Hospitals have been frequent targets of ransomware attacks of late, which presents a precarious situation for those who have to weigh the risks and rewards of recovery. One extreme consequence of a ransomware hit for the healthcare industry is that downtime could directly affect patient health.
Though it’s likely little help to say that every situation is different, Manship said, “I don’t presume to be able to predict the right action when people’s lives are on the line. I can’t presume to suggest the right course of action. Still though, I have to suggest that we don’t recommend that course of action because it sets a precedent and that’s a dangerous precedent to set.”