Ransom Demand Debate: To Pay or Not to Pay


October 31, 2023


MGM was hit by a disruptive ransomware attack in September, and the company made the decision not to pay the ransom demand. The ransom amount was not disclosed publicly, but it is likely it was significantly less than the estimated $100 million in losses from the attack.

A few weeks earlier, Caesars Entertainment was also the victim of a ransomware attack, but in this case the company made the decision to pay the ransom demand to prevent the exposure of sensitive data exfiltrated in the attack.

“Caesars is by no means alone. According to a survey of hundreds of security leaders published by Splunk, some 83% of organizations admitted to paying hackers following a ransomware attack, and more than half paid at least $100,000, either through cyber insurance or a third-party,” TechCrunch reports.

Takeaway: Ransomware attacks that include data exfiltration have become the norm, with some groups even moving to straight data exfiltration attacks that don’t include a ransomware payload.  

The exfiltration of sensitive data can lead to significant financial losses, damage to reputation, and loss of customer trust, and it motivates victims to pay the ransom demand even if they have the ability to recover from the ransomware detonation.

It is essential for organizations to understand the specific risk that ransomware and data extortion attacks pose to their operations and consider whether or not a ransom payment is in the best interest of their stakeholders.

The recommendation from law enforcement and other experts is that organizations should never pay a ransom demand, which in practice would significantly diminish the financial incentives for these attacks.

In most circumstances this would be the logical approach, but it may not be the right approach for every manner of organization.

For example, it may be within the risk parameters for an entertainment company like MGM to refuse a ransom demand even though downtime is costing the organization revenue; a company doing billions in revenue a quarter can obviously afford it.

But what about a hospital that urgently requires access to systems where any delays could pose a risk to human life? In these cases, the decision on whether to pay a ransom demand is significantly more complicated.

This is why experts are divided on whether organizations should pay ransomware demands.  

Those who advocate for paying the ransom believe that it's the quickest and easiest way to regain access to valuable data and is the best way to reduce the overall impact of an attack. They argue that the cost of paying the ransom is often lower than the cost of restoring data from backups or the potential financial losses incurred from delayed recovery.

On the other hand, those who oppose paying the ransom rightly argue that doing so only incentivizes threat actors to continue their attacks by reinforcing the financial motivations that drive the ransomware economy.

They point to examples where paying the ransom did not guarantee that the victim's data was restored or cases where the data was corrupted during decryption. They also point out that most victims who paid a ransom demand were often attacked again, and in many cases by the same threat actor because they know the victim will pay.

While paying the ransom may seem like a quick fix, it may not be the best solution for businesses and individuals. Paying the ransom only supports the criminal activities of cybercriminals, leading to an increase in ransomware attacks.

Paying a ransom demand can also present legal liability issues for the victim organization, as many of these threat actors reside in countries subject to strict sanctions, such as Russia.

Additionally, paying the ransom does not guarantee that the victim's data will be restored. There have been instances where victims have paid the ransom, but the cybercriminals did not provide the decryption key or provided a faulty one, leaving the victim without their data and their money.

Also, even if the victim's data is restored, paying the ransom may result in further attacks. Cybercriminals may see the victim as an easy target and continue to target them with future attacks.

Finally, paying the ransom does not address the root cause of the problem, which is the vulnerability of the victim's systems to ransomware attacks. Instead of paying the ransom, victims should focus on implementing preventative measures to protect their data from future attacks.

Halcyon.ai is the industry’s first dedicated, adaptive security platform that combines multiple advanced proprietary prevention engines along with AI models focused specifically on stopping ransomware – talk to a Halcyon expert today to find out more. Halcyon also publishes a quarterly RaaS and extortion group reference guide, Power Rankings: Ransomware Malicious Quartile.