This shows that the decision to pay or not to pay a ransom is rarely made on a point of principle. The choice comes down to a rational business decision. When a company loses access to some of its data, this has cost implications: they may face fines, there may be costs involved in recreating that data, and they may even go out of business.
Now, it may be possible to regain access to that data by reimaging the affected systems and restoring data from backups (if backups are available). This involves a cost, and further costs may be incurred due to loss of business during the time it takes to restore these systems, which can often be several days.
An alternative to restoring data — if that is even an option — is to pay the ransom, and if the cost of regaining access to the data by paying the ransom is less than the cost of regaining access through reimaging and restoring, then it would seem to make good business sense to pay the ransom.
This may explain why ransomware authors offer discounts for prompt ransom payment: if a company can restore its data in a day or two then the cost may be relatively low. That means the ransom also needs to be low for the first few days to be a cheaper alternative. On the other hand, this may just be a marketing tactic intended to incentivize victims to pay quickly without exploring alternatives more fully.
There are, however, complicating factors when deciding whether to pay the ransom based on the economics of recovery. For one thing, there's no guarantee that paying the ransom will result in the criminal handing over the encryption keys. He may just take the money and run.
But that outcome is unlikely because it is in the interest of the criminal to hand over the encryption keys on receipt of a payment. That's because if word gets out that the criminal behind a piece of ransomware is not "trustworthy," then ransom payments are likely to grind to a halt.
That's the theory, and in practice it holds true the majority of the time: criminals hand over the encryption keys as often as 70 percent of the time, Sockrider estimates. "I think a figure of 65 percent to 70 percent is credible," he says. "The majority of these criminals do unlock your data if you pay because they would break the ransomware business model if they didn't. These people do have to trade on their reputation, and if enough people don't get anything back in return for a ransom then why would anyone pay?"