Do you pay or not?

With Ransomware/Extortion continuing to be in the press almost daily, there is the ongoing conundrum of should you pay an extortionist or not?

While it is easy to talk about the moral aspect and the trust issues that stem from having faith in someone that actively threatens the viability of the organisation, it is different when it’s 2am, it’s your data and someone is asking your advice.

That said, one of the most important thing is to retain perspective on the issue and to look at what you are getting (or not) and how that leaves you positioned.

Person looking shocked at a generic laptop

What are you actually buying?

Before we look at what you are buying we should consider the current Ransomware proposition, what the attacker has and what they want from you. We should consider the leverage they have and how that influences your decision process.

So, lets assume that a variation of following standard attack could happen to you:

  • Attackers break into your network via one of three common means:
  • The attackers then sell the access (aka acting as an Initial Access Broker). A ransomware operator buys the access and plans out their attack.
  • A ransomware operator undertakes recon of the network looking for open Windows File Shares (SMB) e.g. \\Company_Files or \\Finance_records something that they can apply leverage with.
  • Ransomware operator exfiltrates data they believe will have value and prove they were in the network.
  • Ransomware operator will look for ways to escalate their privileges to enable them to get access to the Domain Controllers (DC); there they will configure the DC to instruct the domain systems to run the encrypting program.
  • They leave the ransom message method and await the victim’s connection.

Now the ransomware group will probably undertake a triple extortion:

  1. Pay them to get the data decrypted (and returned to you in the case of them deleting/wiping the data) – Extortion.
  2. Pay them to prevent them publishing your data online – Second extortion.
  3. Ransom operators contact suppliers and customers for payment to stop the data being released onto the internet – Third extortion.

For sale or for rent?

There are a few things to note when considering the ‘offer’ from the Ransomware ‘Customer Support’ (as they sometimes call themselves).

  • Ransomware encrypting software is optimised to encrypt and reports from victims is that decryption programs are very slow [many report they actually decrypted only small percentages of their impacted systems].
  • The attackers cannot be trusted to not return later for more payments to prevent the leak of the data they stole – despite you paying the initial first ransom.
  • If you pay the ransom and they return your data (or decrypt it) they can still publish it after promising (and taking payment) to destroy it.
  • Even if not published in places you can find, you can never be totally sure that it was not sold on the hacker underground.
  • Regulator reporting action is still required regardless of payments and claims. While some might consider this obvious, the UK Information Regulator and the UK National Cyber Security Centre (NCSC) wrote publicly to clarify the matter here.


There are many aspects to consider when advising the organisational executive on a strategy regarding payment or an extortion or ransom, but these three we believe are the most important:

  • You are renting silence not buying it – that data will come out sometime, so don’t make a payment to ‘secure’ it.
  • Unless the viability of your business depends on getting the exact impacted servers/services restored using the attackers decryption, then you are probably better off rebuilding from new and struggling through – at least that way you know they were clean again when you rebuilt them.
  • If you pay once, you may be labelled as a ‘payer’ and that may result in an increase in future attacks.

Leave a Reply

%d bloggers like this: