Experts Weigh In on Refusing or Paying After a Ransomware Attack

Ransomware attacks have shown signs of decreasing in recent months. Yet they still pose enough threat for organizations to rethink whether a successful breach of their computers justifies paying a ransom demand in hopes attackers will not divulge their stolen content.

According to the NCC Group Threat Pulse Report released in May, the ransomware landscape remains turbulent despite fewer reported incidents since April. Industrials (34%) and Consumer Cyclicals (18%) remained the first and second-most targeted sectors.

There has been a significant shake-up among the top 10 ransomware actors since April. Hunters, one of the leading bad actors, moved from eighth to the second most active threat actor. It launched 61% more ransomware attacks in April than in March. RansomHub replaced RA Group in third place and saw a 42% increase in attacks over March.

The policy of not paying ransom, often called a “no concessions” policy, is a widely debated strategy in counterterrorism and hostage situations. Its effectiveness continues to be argued from multiple perspectives. Cybersecurity experts apply the same reasoning when deciding whether to make or not make ransomware payments.

Some argue that paying ransomware demands finances future criminal activity. Legal considerations are also part of the decision equation. In some countries, paying ransom to terrorists is illegal. Others say similar laws are needed to help curb ransomware crime.

According to the U.S. Department of the Treasury, no federal law in the United States makes paying ransomware demands illegal. However, making such payments comes with significant legal and financial risks.

The rationale behind a “no concessions” policy is that eliminating the financial incentive for cybercriminals could decrease the frequency and severity of ransomware attacks, according to Anne Cutler, cybersecurity evangelist at Keeper Security.

“However, this approach, while commendable, presents real-world challenges for organizations,” she told TechNewsWorld.

No-Pay Ransomware Strategy is Gaining Support

Cybersecurity experts and government officials have long supported the policy of not paying ransoms due to its potential to curb criminal activity and reduce attacks, noted Cutler. Paying ransoms is risky and unreliable and does not guarantee that cybercriminals will restore access or decrypt files.

“Cybersecurity insurance companies are increasingly excluding ransomware payments from coverage, enticing organizations to invest more heavily in proactive preventative measures,” she added.

Cutler offered Japan’s strategy as a pertinent example. Nikkei Cross Tech and Japan Proofpoint report that Japanese organizations maintain a notably low rate of ransom payments compared to other countries. Despite a surge in ransomware incidents through 2023, the first half of 2024 has seen a slight decline, according to the Metropolitan Police Department’s Threats in Cyberspace Report.

“While it is not clear if this decrease is directly related to Japan’s low payment rate, it suggests that minimizing ransom payments could influence overall ransomware activity,” she explained.

Challenges Enforcing Ransomware Payment Bans

Craig Jones, vice president of security operations at Ontinue, admitted that cyber experts discuss the pros and cons of banning ransom payments to combat ransomware. But that is a multifaceted proposition.

“While it could dishearten attackers by cutting off their financial incentives, enforcing such a ban is difficult, especially with the anonymity provided by cryptocurrencies,” he told TechNewsWorld.

In critical situations, organizations may still choose to pay ransoms covertly to recover vital data or restore operations, undermining the ban’s effectiveness, he added.

Jones views a more well-rounded approach as potentially more effective. He favors enhancing cybersecurity defenses, promoting international cooperation to track and prosecute cybercriminals, and regulating the cyber insurance industry.

“This multilayered strategy addresses the root causes and consequences of ransomware without the significant enforcement challenges and potential negative consequences of a ban,” he reasoned.

“Such an approach acknowledges the complexities and the global nature of cyber threats, offering a balanced solution to mitigate ransomware risks.”

‘No Concessions’ Ransomware Policy Risks and Realities

In theory, no payment clauses try to disrupt the profitability of cybercrime by denying attackers their desired outcome. However, applying this strategy universally can be challenging, warned Jason Soroko, senior vice president of product at Sectigo. His company offers comprehensive certificate lifecycle management (CLM) services.

“While banning ransomware payments might deter attacks over time, it also puts victims, especially critical infrastructure, in a precarious position, potentially leading to severe disruptions,” he told TechNewsWorld.

Legal frameworks prohibiting payments would need to be carefully crafted to avoid unintended consequences, he suggested. This includes forcing organizations to operate in secrecy or exacerbating the damage during an active attack.

“The balance between disincentivizing crime and protecting essential services is delicate,” he observed.

Strengthening Cybersecurity Through Employee Training

Employee training and education on cybersecurity best practices are crucial for protecting an organization from evolving cyber threats, countered Patrick Tiquet, vice president for security and architecture at Keeper Security.

“Employees are the first line of defense. Regular training sessions should emphasize the importance of vigilance when receiving unsolicited multi-factor authentication (MFA) prompts,” he asserted.

This education process should focus on training employees to question unexpected notifications immediately and report any suspicious activity without delay. Simulated phishing attacks and push notification exercises can effectively help employees recognize and respond to threats, Tiquet noted.

“Fostering a culture where employees feel comfortable reporting potential security issues without fear of reprimand is essential for timely threat detection and response,” he said.

Tips to Avoid Ransomware Payment Dilemmas

Ngoc Bui, a cybersecurity expert at Menlo Security, argues that paying ransoms should not be illegal anywhere. While it might incentivize threat actors, not paying could be more damaging, especially for organizations involved in critical infrastructure.

“The disruption from ransomware can be catastrophic, and organizations must prioritize protecting operations and stakeholders. Organizations that suffer a ransomware attack should also use it as a learning opportunity to adjust their security measures and ensure they are using actionable intelligence to do so,” said Bui.

A primary strategy for avoiding the pay-or-do-no-pay question is proactively preventing ransomware attacks. Tiquet recommends companies manage third-party contractor security. Start by conducting thorough background checks and security assessments to ensure contractors meet stringent standards before granting access to sensitive systems.

“Once contractors are onboarded, applying the principle of least privilege is critical to an organization’s security,” he said.

This approach means granting them only the minimum access necessary for their specific tasks and roles within the organization. Regular audits of third-party access are crucial to detect any unusual or unauthorized activities early on, enabling prompt action to mitigate potential risks and breaches.