Blog: DFIR

To Pay or Not to Pay? That is the Ransomware question

Duncan Slater 21 Mar 2022

During a review of a client’s incident response capabilities the discussion turned to ransomware and strategies for handling it. The client’s board-level view was that if they were unable to restore their systems they would pay-up. They’d gone so far as considering setting up a cryptocurrency wallet to cover the payment.

The idea of paying ransoms really surprises me, and as surprising is the support that has in the cyber security community.

Is this what it has come to, that an acceptable way to deal with a ransomware attack is to pay?

Expert opinions

It’s not only some cyber security people that recommend organisations should consider paying, legal teams and cyber insurance providers also contemplate it. When reviewing an organisation’s position they may conclude that paying a ransom will be the better option compared with costs from data loss compliance fines- or the expense of recovering a company’s assets.

Paying a ransom is also considered as the faster means to return to business as usual, quicker by far than having to rebuild networks from backups. Most organisation are under prepared for sophisticated cyber-attacks, leaving security experts with no option but to advise their board to pay.

Ransomware is not new

Ever since we have had the internet, there has been some form of ransomware. Back in the early days it came in the form of kids hacking individual workstations, holding a file or two hostage and demanding to be paid in ice-cream or chocolate. As cyber crime grew the attackers moved their demands to Starbucks gift cards. Not because they liked coffee but it because it gave them an anonymous payment route.

Then along came cryptocurrency which poured petrol onto the ransomware bonfire. In many ways ransomware is a perfect crime. The risks of getting caught are low, and the rewards run into tens of millions. Ransomware is now the go-to for organised crime groups, syndicates, and Advanced Persistent Threat gangs. It is undoubtedly effective as many companies are willing to pay to recover their data.

That willingness to pay up is a not new phenomenon. It could be seen as a result of poor business continuity planning, specifically a lack of effective back-up process and hygiene. More likely it’s simply because ransomware gangs are at the top of their game. Their techniques and tactics constantly evolve.

Where are we now?

My experience is that rather than simply going straight for weak, unpatched systems, attacks now begin with a stealthier approach. “Time spent in reconnaissance is never wasted” and on average an attack starts with 3-6 months of the ransomware gang fully understanding their victim.  Moving laterally throughout the network conducting their reconnaissance into their victim’s network attackers seek out key information for which to target with the final exploitation.

They seek key financial information such as insurance documents as well as researching the victim’s financial situation all for the purpose of targeting a ransom demand that has a high chance of being paid. Ransoms are no longer set at a standard 0.5 or 1 cryptocurrency. Now the cost is based specifically on the value of a maximum insurance pay out, or at least set at a level that is within the victim’s financial reach.

This change is what makes paying a ransom an attractive option.

Once the attackers have the full measure of their victim they begin the strike. Any backups or disaster recovery sites are located and removed, either by deletion or encryption.

Next the attackers announce themselves in the network as the ransomware is executed and left to propagate throughout the victims’ systems and estate.

The final execution is incredibly precise, often taking place when the network is at its quietest, such as a weekend or overnight. Increasing the time before discovery reduces the effectiveness of any response that can be mounted.

Attitudes are changing

Is it this new advanced use of ransomware that has led to more companies paying out? A recent study conducted in the USA showed that 83% of ransomware victims surveyed had paid to recover their data. This included some high-profile cases such as the Colonial Pipeline, JBS, and Travelex.

With such organisations electing to pay, what example does this set to other victims and to criminals?

Ransomware as a Service

Ransomware is a global threat with the ability to affect critical national infrastructure, remember WannaCry? No industry or organisation is off limits. Both the NHS and the Irish Health Service have been victims.

Ransomware is a serious organised business, operating at scale, and potentially at a nation state level. Ransomware as a Service (RaaS) has turned this attack into a slick and effective business, where RaaS operators offer their skills and software for sale.

It’s a familiar business model. RaaS is advertised on the DarkWeb like a traditional service, with 24/7 support, bundled offers, reviews and forums. They even offer call centre facilities to enable payment by victims.

Organised Crime Gangs such as Conti or REvil offer a RaaS service for either a monthly subscription or one-time purchase. They’ll not only provide the ransomware itself, but also deployment support, hosting the victim payment facilities, and management of the leak sites.

What would you do?

I discourage paying ransoms for the following reasons:

What are you funding?

Ransomware attacks fund other criminal activities such as money laundering, drug production and importation, human trafficking, slavery, and terrorism. To that end some governments have threatened to prosecute organisations for funding terrorism if they pay ransoms.

In the UK it is also covered by Section 17A of the Terrorism Act 2000.

You REALLY can’t trust them

Just because you pay does not guarantee that the criminals will even provide the decryption keys. If they do, you can’t trust that they do not have copies of the data which they could still monetise by selling it on the dark web, or threaten to make public.

Hackers are not always skilled and as such many decryption keys fail to work properly or correct a network back to normal working order. This was the experience of the Irish Health Service, who months after being given the decryption key still struggled to bring services back online.

It’s also not uncommon for decryption keys to contain other forms of malware, backdoors, or logic bombs, just waiting to give the attackers another bite of the cherry.

You become their cash cow

Repeated extortion is a common scenario. Once they have you over a barrel they’ll likely keep you there. This survey found that 83% of successful ransomware attacks were followed by double, or even triple extortion.

Only 17% of those attacks surveyed involved a single ransom payment for the decryption keys. The survey data showed at least a fifth of organisations who paid still had their data exposed on dark web markets. One in ten organisations saw attackers move on to try and extort their customers, and over a third of victims who paid were unable to decrypt their data.


Paying ransoms may break the law in some jurisdictions. Regardless of your position on paying or not, you should get expert legal advice.

What should I be doing?

There are ways to prepare for, and recover from, ransomware attacks without paying the ransom.

Backups are still key when it comes to recovering from a cyber incident such as a ransomware attack. However, backups are useless unless you can use them effectively and they are a time efficient tool.

Backups must be stored off network, with no facility to move laterally from within the network to the backup location.

Some things to consider:

  • Databases, configurations, and application code must be included in backups.
  • Access to the backup locations should be monitored, logged, and alerted on.
  • Deletion of backups should be time delayed (a delay between sending the delete command and execution) in case deletion is performed as part of an attack.
  • Roll backs should be practiced regularly, at least once a year.
  • Keep all insurance policies and company wealth documentation offline or segmented away from the rest of the network.
  • Before making any decision to pay a ransom conduct your own research into the group and their relative trustworthiness.


Ransomware will grow and evolve and is a hugely damaging threat to organisations.

A planned response to pay a ransom is not a good option and should not be considered.

Paying ransoms fuels criminals to seek more, which has spawned the rise in double and triple extortions.

Again, paying ransoms is a bad idea because:

  • Most ransomware attacks will cause some form of data corruption, so the chances of full recovery are limited.
  • Many decryption keys fail to work.
  • Paying a ransom could constitute a criminal offence.
  • By paying a ransom you are fuelling the greed of the attackers, potentially identifying yourselves as an easy target for payment.
  • Many cases of ransomware attacks involve multiple extorsions.
  • This is not a trustworthy business transaction.