To pay or not to pay: how victims deal with ransomware demands

24 March 2022

Analysis: the choices are not straightforward for those organisations who face blackmail demands from cybercriminals

By Gwenyth Morgan, Bert Gordijn and Joss Moorkens, ADAPT DCU; Renaat Verbruggen, DCU; and Dave Lewis, ADAPT TCD

When the HSE was hit with a Conti ransomware attack in May 2021, management was faced with a dilemma that many organisations would find familiar. Should they pay the ransom demanded for the return of their data or not? The Irish government consistently said that its policy was not to pay but, within days of the ransom demand, unnamed Oireachtas members were reported to favour negotiation with the hackers.

For organisations that fall victim to a ransomware attack, there is little guidance on how they should respond. Some victims choose to pay, others negotiate a lower fee and a small few choose to not pay at all. The choices are not straightforward.

Ransomware attacks, in which attackers encrypt data or block access to devices and demand a ransom in exchange for a decryption key, have become common since the mid-2000s. The aim of the game for attackers is to encrypt as many machines as possible, targeting servers and computers and sometimes backup data as well. The attacks most commonly use ‘phishing spam’: email attachments masquerading as a trustworthy file. Ransomware can often remain undetected until it presents itself to the user by way of a ransom note, as happened in the case of the HSE.

Bitcoin is the preferred digital currency used in 99% of ransomware transactions. The payments are anonymous, can be very difficult to trace and present a low risk of the attacker getting caught. This makes ransomware a popular and low-risk business model.

The HSE attack is one of an increasing number that successfully target organisations that cannot afford any service interruption or downtime, such as hospitals, financial or legal institutions. The risk of stalling urgent patient care or legal proceedings forces such organisations into making difficult, time-constrained decisions that often result in the targeted organisations paying hefty ransoms to the attackers. While launching a ransomware attack is a criminal offence, there are no ramifications for a victim organisation that decides to pay a ransom or negotiate a lower sum with the attackers. Organisations are left to decide for themselves whether to pay, not pay, or negotiate with attackers.

The time during which services or data remain inaccessible, referred to as downtime, is usually a key consideration when organisations are trying to decide whether to pay, not pay or negotiate. On average, downtime is 23 days and the average ransomware payment is currently $220,298. If downtime is prolonged by the decision not to pay the initial ransom, the overall cost of the attack is likely to increase. For example, one research study states that the average bill for rectifying a ransomware attack, which includes downtime, device and network costs, lost opportunity and the ransom paid, is $1.27 million.

When the ransom demanded and the overall cost of recovery are in the millions, it is not surprising that organisations are choosing to pay ransoms, as it seems like the clear-cut option. However, the crux of the problem is that paying the ransom does not guarantee that access to data or devices will be returned. It also does not guarantee that operations will immediately resume as normal. In some cases, a payment is made but the decryption key is faulty, or the data has already been deleted or corrupted. In other cases, a decryption key never existed to begin with and the files remain unrecoverable. Some 4% of organisations who have paid the hefty ransom are left out of pocket with unrecoverable files.

The organisation must also consider the growing trend of attackers leaking victims’ data if a payment has not been made in a timely fashion. This appears to have occurred with the HSE attack, and many ransomware groups now host their own sites for publishing stolen data. Minister for Health Stephen Donnelly has said that “no ransom has been paid by this Government directly, indirectly, through any other party or in any other way. Nor will any such ransom be paid.”

We can make some assumptions as to why the minister is taking this stance. The first is that paying ransoms contributes to cybercrime. Ransom money can be invested in new software to launch more sophisticated ransomware attacks or to fund other nefarious activities like organised crime or terrorism. A second assumption is that organisations who decide to pay are contributing to an increase in cybersecurity protection against future attacks.

A third assumption is that paying confirms to the attackers that the ransomware business model works, which is likely to encourage them to launch more attacks. Paying up also suggests to the attackers that similar organisations from the same sectors may also be willing to pay.

With this in mind, paying is usually not in the long-term interests of everyone involved. However, in the case of the HSE, where health and lives are effectively at stake, short-term interests are of critical importance. The HSE will also have to deal appropriately with the repercussions of a data leak, which is likely to be costly and reputationally damaging.

Negotiating is an alternative to outright paying or not paying. Interestingly, attempts to negotiate a lower price with ransomware attackers might actually work. F-Secure found that organisations can bargain an average discount of 27% on the original sum demanded through negotiation with their attackers.

One disadvantage of negotiating is that it causes the same negative reinforcement as paying outright, because money is exchanged with cybercriminals. Negotiating can also prolong downtime and raise the costs of recovery. If the affected organisation has no intention of paying, it can still open negotiation talks, as this buys time to allow for engagement with law enforcement.

There are some advantages if the HSE decides to pay the ransom. If a working decryption key exists, for example, and the attacker supplies it upon receipt of payment, downtime will be minimal (approximately 23 days). Normal working conditions may resume for employees and suppliers and, most importantly, access to services for patients.

Whilst representatives from the HSE have publicly declared that no ransom will be paid on principle, the latest news stories are asking why the attackers have provided a decryption key in the absence of a payment. Publication of HSE data in response to a payment, late payment or non-payment could prove very damaging to Irish patients and the HSE, while also exposing the HSE to fines under the General Data Protection Regulation (GDPR). As one criminal group posted, “GDPR. Do not want to pay us – pay x10 more to the government. No problems.”

Gwenyth Morgan is a Senior Information Security Advisor to the New Zealand government who is in the final stages of submitting her PhD thesis on Ethical Issues in Cybersecurity at the Institute of Ethics and the ADAPT Centre at DCU.

Prof Bert Gordijn is a Full Professor of Ethics and Director of the Institute of Ethics at DCU.

Dr Dave Lewis is an Associate Professor at the School of Computer Science and Statistics at TCD and the head of its Artificial Intelligence Discipline. He is also Deputy Director of the ADAPT Centre.

Dr Joss Moorkens is an Associate Professor of Translation Studies and Chair of postgraduate translation programmes at the School of Applied Language and Intercultural Studies at DCU, a Funded Investigator at the ADAPT Centre and Co-Editor of the journal Translation Spaces.

Renaat Verbruggen is an Assistant Professor in the School of Computing at DCU, Director of the MSc in Computing and a Funded Investigator on the Erasmus+ Forensic Computing Project FORC.

The views expressed here are those of the authors.