Ask A M3AAWG Expert Advisor - Thoughts on Paying for Ransomware Attacks?
Posted by the M3AAWG Content Manager

The M3AAWG Expert Advisors possess high-level knowledge in a specific area of expertise and are all recognized as go-to people in the industry. They also provide industry-leading insight and viewpoints for our members. Expert Advisors contribute to the success of M3AAWG through their work in our committees/SIGs and on our Initiatives.

For our newest blog series, Ask a M3AAWG Expert Advisor, we asked our Expert Advisors for their thoughts on specific topics of interest to the industry. This series is intended to give industry peers exclusive insight into the experiences, opinions, and perspectives of our highly specialized and knowledgeable Expert Advisors. Readers are encouraged to submit their questions for the Expert Advisors.

Question: Thoughts on Paying for Ransomware Attacks?

Let’s see what M3AAWG Expert Advisors have to say…

John Levine - M3AAWG Expert Advisor

Each time an organization pays a ransom, that tells criminals that ransomware works. If nobody paid the ransom, the attacks would stop. The question is how we get from here to there. If we made it illegal to pay the ransom, that would certainly discourage people from doing so, but how effective would that be?

Ransomware attacks make it as painful as possible not to pay the ransom. If ransomware shut down hospitals and made them turn patients away, a manager could say, "if we don't pay the ransom, people may die," and she wouldn't necessarily be wrong, even though the long-term cost of paying could be to encourage more attacks that could kill more people. I don't know what the right tradeoff is here: let them do it once if it's life-critical but not otherwise?

Ransomware works because computer systems have sloppy security that lets criminals in, and poor backups so they can't recover once attacked. How can we adjust the costs up front so organizations have an incentive to fix the security and to make (and test!) their backups, so that even if attacked they have a way to recover and aren't tempted to pay?

Laurin Weissinger - M3AAWG Expert Advisor

Ransomware has caused many high-impact outages all over the world. Thus, those interested in the question of ransom payment will find many business-focussed discussions online regarding whether one should pay or not. However, while one may assume that paying the ransom will lead to recovery, this is often not the case: data recovery, especially full recovery, often fails. The recovery process might also take a lot of time, and attackers may keep the information to abuse it later. In the end, we are dealing with criminals here who are interested in being paid most of all.

On a more global scale, paying these criminal gangs is highly problematic. First of all, the more and the more often victims pay, the more lucrative and “safe” ransomware is as a criminal business model, increasing the likelihood and magnitude of future schemes. There is often no real recourse when dealing with criminals who use technical means to avoid being found and who often reside in “hard-to-reach” places. For example, victims might be “double-abused”. One common scheme is having to buy the attackers’ silence to avoid reputational damage or data leaks, in addition to paying for encryption keys. Also, as a good number of ransomware groups are government-backed, or at least connived at and protected, little stands between victim data and the global adversaries of Western countries, payments notwithstanding.

Thus, from a global perspective, no one should be (allowed to) pay(ing) ransomware groups; instead, we should invest in countermeasures, undermining the business model and thus further attacks. For example, the rampant theft and resale of phones has been curtailed considerably by manufacturers implementing device locks (like Apple’s Activation Lock) that criminals cannot easily circumvent. While these technical measures are not perfect and come with their own drawbacks for customers, legitimate refurbishers, repair shops, and the environment, they do raise the “water level” for our adversaries. As with any enterprise, the criminals’ time and effort must be outweighed by the (financial) gains, and their operations must be scalable. The more specific an attack needs to be to work, the more human time and effort is needed, ramping up costs, complexity, and the risk of errors.

If technical countermeasures against ransomware were more widely deployed, attacks would be more difficult and less likely to lead to the end goal of payment. If, in addition, more stringent rules and policies (be they laws, industry agreements, or insurance rules) against paying were implemented, decreasing the likelihood of payment after successful victimization, the criminal ransomware ecosystem would be impacted.

Rod Rasmussen - M3AAWG Expert Advisor

Ransomware: to pay, or not to pay, that is the question. Or is it? When it comes to an individual company, this can be boiled down to fairly straightforward decisions based on risk analysis and economics. However, each individual decision ignores the impact of continuing to feed an ever-expanding criminal ecosystem that, with all payments for ransomware taken together, is likely to create a dystopian future of a mafia-like gangster system where companies, non-profits, and even governments are forced to pay “protection” money to utilize the Internet. So a series of perfectly rational decisions by individual organizations to pay ransomware demands leads to a far higher long-term cost for themselves and everyone else. This is akin to a “tragedy of the commons” but with a twist of “the prisoner’s dilemma”, long-standing concepts from economics and game theory.

So, ignoring the societal impact, let’s examine the individual choice, as this is a decision that can be guided by measurable factors. In any ransomware attack, unless you’re in an outlier legal jurisdiction, you’re going to have to report the breach and likely compensate, in some manner, any people whose sensitive data has been stolen. You will probably already be listed as compromised publicly, so your reputation has already been hit. Thus those should typically not be driving factors. Whether or not the ransomware operator threatens to release the stolen data is largely irrelevant since, if they have a copy, it’s likely to get out at some point regardless. So my simple rule is that if you have good backups and can restore operations quickly, just do it: don’t pay. If you haven’t done a proper job on that front, then you’ll need to weigh several factors, most importantly the reputation of the ransomware gang. Lots of stories and information pervade the industry on this, but discussions I’ve had with leading ransomware negotiators have led me to believe that groups with “good” (they do what they say) reputations will come through with decryption keys. So paying high-reputation groups makes sense from an individual perspective, depending on price. Price is a different question: do you have insurance that covers payments, how much data is involved and how important is it, is this a life/death situation, how much would it cost you to try to recover on your own? So price is a straight economic call: do the math and get a good negotiator.

That analysis done, I would strongly prefer that NO ONE EVER PAYS A RANSOM EVER!!! Why? Because it will inevitably end badly for all of us. As rational as it may be to pay for the individual victim, the externalities it causes, such as funding terrorism, supporting rogue nations like North Korea, increasing the market for cybercrime, and, if left unchecked, eventually leading to a mafia-state on the Internet, make it self-defeating in the long run. Given the nature of the problem along with our actual experience with ransomware, it is clear that getting people to “do the right thing” for the overall ecosystem isn’t going to work to dry up ransomware payments. As with any dysfunctional market, it is beyond high time for governments to bring the right incentives to bear to bring ransomware payments to an end, hopefully with some coordination. This is particularly critical for nation states, since the ill-gotten gains from ransomware attacks often go to funding the objectives of the very adversaries those governments are spending billions of dollars to counter. Does that require stiff penalties, even criminal ones, for organizations that make ransomware payments? Perhaps. But all the cajoling, reporting requirements, insurance company provisions, civil actions, and other factors that have been employed so far have not done the job.

A discussion about what kind of public policy measures to explore to curtail ransomware payments would be a worthy discussion to have in our community.

M3AAWG Expert Advisors have provided varying points of view on the issue of paying for ransomware attacks. John Levine emphasizes the problematic nature of paying ransoms, as it perpetuates the cycle of attacks, and suggests improving security and backups so that payment is never needed. Laurin Weissinger highlights the global risks of paying, such as enabling criminal networks and government-backed groups, and advocates for investing in preventive measures instead. Rod Rasmussen discusses the individual decision to pay based on risk analysis but ultimately argues that paying ransoms fuels a larger, more dangerous criminal ecosystem, calling for strong governmental measures to end ransomware payments. Together, these voices underscore the complexity of the issue, balancing immediate risks against long-term consequences.

Learn more about preventing, mitigating, and remediating ransomware attacks with the M3AAWG Ransomware Active Attack Response Best Common Practices document created by M3AAWG subject matter experts.
The views expressed in DM3Z are those of the individual authors and do not necessarily reflect M3AAWG policy.