It’s 7 pm on a Friday night and you have just sat down with the family to have a nice dinner. Right at that moment you get a phone call from one of your employees informing you that the organization is under a sophisticated ransomware attack that is disrupting business operations. These are the dreaded words no executive wants to hear. Hopefully, your team has a good incident response plan that you can enact to recover quickly. But what if you are not able to fully recover? Should you pay the ransom?
Ransomware has long been a lurking threat, but it really took center stage in the last few years. I have been advising my clients, in the event of a ransomware attack, never to pay. My rationale for not paying is that it encourages the cyber criminals to target additional organizations, or they may even re-target you in the future, knowing that you will pay. The FBI, in its “Ransomware Prevention and Response for CISOs” guide, also stated “do not pay under any circumstances”.
But after listening to this NPR podcast below from July 9, 2019, I am now changing my answer to – “only pay ransom as a last resort”.
According to NPR, the city of Baltimore decided not to pay the 13 bitcoin ransom demanded – roughly $75,000 at that time – when their systems were hacked with RobbinHood ransomware. The cost of Mayor Jack Young’s principled stand has topped $18 million, as the city had to basically start over by replacing its equipment. When the city of Atlanta’s computer network was hacked, the hackers demanded $51,000 in ransom. Atlanta refused to pay, but the resulting damage has been estimated to cost around $17 million. The costs in these two cases were enormous, and the taxpayers had to pick them up. Would paying the ransom in these two cases have been justified?