Ransomware: To Pay or Not to Pay

  • Terry Telford
  • Jun 24
  • 5 min read

A 2023 Statistics Canada report revealed that Canadian Small and Medium Businesses (SMBs) paid between $10,000 and $500,000 per ransomware incident. The majority (84%) paid less than $10,000, while 4% paid more than $500,000. When these sophisticated attacks strike, they can cripple operations, encrypt vital data, and even expose sensitive information, leaving organizations in a state of crisis. For leaders, the immediate aftermath presents a daunting question: should we pay the ransom?


While law enforcement agencies consistently advise against it, the reality on the ground is far more nuanced. Many businesses, faced with dire consequences, ultimately choose to pay. This article looks at the complex factors that influence this critical decision, the compelling arguments against paying, the legal considerations involved, and the vital support available from cyber insurance providers and law enforcement.


The Aftermath of a Ransomware Attack: A Critical Juncture 


Once a ransomware attack has successfully infiltrated a system, locking down data or threatening its public release, the immediate focus shifts from prevention to response. The damage is done, and the organization is now a victim. At this point, executive teams must weigh a difficult set of choices, often under immense pressure. The decision to pay, or not to pay, can have far-reaching implications for the company's finances, reputation, and long-term security posture. 


Why Businesses Might Consider Paying the Ransom 


Despite widespread recommendations to resist, a significant number of organizations facing ransomware attacks do opt to pay. According to a 2024 report by the Ponemon Institute, over half (51%) of surveyed organizations impacted by ransomware ultimately paid the demanded fee. Their reasons often stem from pressing business imperatives: 

  • Expedited Recovery: When data recovery through internal means promises to be lengthy and costly, paying the ransom might appear to be the quickest route to restoring critical systems and resuming normal operations, thereby minimizing costly downtime. 

  • Mitigating Business Damage: Ransomware can inflict severe financial losses and tarnish a company's reputation. The potential revenue loss and erosion of customer confidence can be immense. Many organizations, fearing public disclosure of a breach and subsequent loss of trust, may choose to pay to keep the incident under wraps. 

  • Controlling Recovery Expenses: In some scenarios, the projected cost of rebuilding systems from scratch, engaging forensic experts, and compensating for lost productivity can exceed the ransom amount. From a purely financial perspective, paying might seem like the lesser of two evils. 

  • Protecting Sensitive Data: Attackers often exfiltrate confidential customer or employee data before encrypting systems, threatening to release it publicly if the ransom isn't paid. Organizations with significant privacy obligations may feel compelled to pay to prevent sensitive information from falling into the wrong hands. 


Recent high-profile cases underscore this trend. In 2024, Change Healthcare reportedly paid $22 million to the BlackCat ransomware-as-a-service (RaaS) group to recover its services. Similarly, a Fortune 50 company, later reported by Bloomberg to be pharmaceutical giant Cencora, allegedly paid $75 million of a $150 million demand to the Dark Angels group in 2024 after 100 TB of data was stolen. In 2023, Caesars Entertainment paid $15 million in an attack linked to ALPHV/BlackCat, which had initially demanded $30 million. 


The Perils of Paying: Why Resistance is Crucial 


While the immediate pressures to pay can be overwhelming, the broader implications of giving in to ransom demands are often detrimental, not just to the victimized organization but to the entire cybersecurity ecosystem. 

  • Fueling Future Attacks: Every successful ransom payment directly funds criminal enterprises, empowering them to develop more sophisticated tools, recruit more attackers, and launch more frequent and severe assaults. As long as ransomware remains profitable, threat actors will continue to exploit it. 

  • Risk of Repeat Attacks: Organizations known to have paid a ransom can become targets for future attacks, as they are perceived as more likely to comply again. 

  • Escalating Demands: In "double extortion" schemes, attackers might demand an initial payment for decryption keys and then a second, separate payment to prevent the public release of stolen data. Paying the first demand doesn't guarantee an end to the ordeal. 

  • No Guarantee of Data Recovery: Perhaps the most critical risk is the lack of a guarantee. Even after paying, there's no certainty that attackers will provide a working decryption key or genuinely delete the exfiltrated data. The Ponemon Institute report indicated that only 13% of organizations that paid their ransom successfully recovered all their data. 

  • Potential Legal Ramifications: Paying a ransom, particularly if the funds end up with sanctioned entities or state-sponsored groups, could lead to severe legal penalties. The U.S. Department of the Treasury issued an advisory in 2020 highlighting that engaging in transactions with certain ransomware actors could violate Office of Foreign Assets Control (OFAC) regulations issued under the International Emergency Economic Powers Act or the Trading with the Enemy Act. While paying is generally legal in the U.S. subject to these caveats, some states, like Florida, North Carolina, and Tennessee, explicitly forbid public sector organizations from paying ransoms.


Organizations that have successfully resisted ransom demands often highlight the long-term benefits, even if it means enduring a more protracted recovery. For instance, the Port of Seattle refused to pay the Rhysida ransomware gang in August 2024, experiencing weeks of outages but ultimately avoiding payment. Similarly, Cleveland's city government didn't pay after a June 2024 attack, resulting in an 11-day system closure for restoration. MGM Resorts International famously refused to pay BlackCat RaaS in September 2023, facing estimated cleanup costs of $100 million but demonstrating a firm stance against capitulation. 


Leveraging Cyber Insurance and Negotiation Services 


In the face of a ransomware attack, many organizations turn to their cyber insurance policies. These policies can be invaluable, often covering a range of costs beyond just potential ransom payouts, including business interruption, forensic investigation fees, data recovery expenses, and public relations support. Many insurers also offer proactive, pre-breach services like vulnerability scanning and employee training to help clients reduce their risk profile. 


However, the cyber insurance landscape is evolving. Premiums are rising, coverage is becoming more selective, and insurers increasingly require clients to adhere to robust cybersecurity best practices, like implementing Multi-Factor Authentication (MFA), maintaining regular data backups, and managing software patches, to qualify for or lower the cost of coverage. 


For organizations already hit by ransomware, negotiation services offer a specialized lifeline. These third-party brokers act as intermediaries between the victim and the cybercriminals. Their expertise can be crucial in: 

  • Verifying the Attacker's Authenticity: Ensuring the entity claiming responsibility for the attack is legitimate. 

  • Pausing the Attack: Entering negotiations can sometimes lead attackers to temporarily halt ongoing assaults, providing victims valuable time for investigation and recovery planning. 

  • Reducing Demands: As seen with Caesars Entertainment, negotiators can sometimes significantly lower the initial ransom request. 


It's important to remember that while these services can be beneficial, they don't guarantee a successful outcome. 

 

The Role of Law Enforcement 


Regardless of whether a company decides to pay, engaging with law enforcement is strongly encouraged. Agencies like the Canadian Centre for Cyber Security (CCCS) and the RCMP provide critical assistance and resources to ransomware victims. 

The report "The State of Ransomware 2024" from Sophos indicates that 97% of organizations affected by ransomware contacted law enforcement. Of these, a significant portion received invaluable support: 61% gained advice on handling the situation, 60% received help investigating the attack, and 58% were assisted in recovering encrypted data.

Reporting incidents to authorities like the RCMP and CCCS is vital for tracking cybercriminal activity, assisting in future prosecutions, and contributing to a broader understanding of evolving threat landscapes. Even if a ransom is paid, notifying law enforcement provides crucial intelligence that can help protect other potential victims. 


A Proactive Defense is the Best Defense 


The decision to pay a ransomware demand is agonizing, fraught with financial, operational, and ethical complexities. While the immediate pressure to restore operations can make paying seem like the only viable option, understanding the broader implications, from funding criminal enterprises to potentially facing legal repercussions and unreliable data recovery, is paramount.

Ultimately, the best defense against this difficult decision is a robust, proactive cybersecurity posture. Investing in strong preventative measures like comprehensive backups, regular security audits, employee training, and sophisticated threat detection systems significantly reduces the likelihood of being put in such an unenviable position. For Canadian businesses, understanding these risks and preparing effectively isn't just good practice; it's essential for long-term resilience in an increasingly hostile online world.

 

bottom of page