
Should You Pay the Ransom? Peter Coroneos (Cyber security speaker) - 15 May 2017


Peter Coroneos is an internationally recognised authority on cyber policy and cyber security speaker. He is principal advisor at Coroneos Cyber Intelligence and was recently appointed Regional Head, Asia Pacific for the Paris-based Cybersecurity Advisors Network.

With the recent ransomware attacks crippling businesses around the world, Peter discusses the risks associated with complying with these hackers' demands.



The current global ransomware attack highlights a practical and ethical set of dilemmas that businesses and organisations must face when deciding whether to concede to ransomware demands.

Ransomware involves criminal hackers hijacking your computer and denying access to operations and/or data unless a ransom is paid. It can cripple an entire business within minutes. 

It is the most prevalent and rapidly growing cyber threat today. According to security firm SonicWall, in the twelve months from 2015 to 2016 the incidence of ransomware attacks globally grew from 3.8 million to 638 million, which is more than a sixteen thousand percent increase in a year.

Its rapid growth has come about because of two main factors. Firstly, ransomware technology has become democratised. Today, anyone can play. The proliferation of low-cost, easy-to-use malware kits makes the cost and skills involved in implementation very low. If you don't want to do it yourself, you can hire pay-per-use ransomware services to execute the exploit and collect the ransom on your behalf.

Secondly, payment via Bitcoin affords the perpetrator a negligible risk of detection, since traditional law enforcement methods of following the money are essentially void in the cryptoworld these cyber criminals inhabit. 

Relative to the costs and risks, the yields are immense. Last year, according to FBI sources, over $1 billion was paid to ransomers, who use the psychology of small numbers to their advantage. The demands are typically in the $300-600 range, increasing the propensity of victims to pay compared to the costs of holding out.  

For these reasons, ransomware exploits are the near-perfect crime. It's little wonder business is booming.

Given your chances of being hit are somewhere north of 60%, the obvious question facing boards, the self-employed, small enterprises and institutions with low access to IT support is: should we pay?

As a matter of principle, the answer should always be no. This is the advice from law enforcement and government, and it's hard to disagree based on the simple dynamics of perpetuating bad conduct. As a society, we simply can't concede to criminality, and businesses that hold to ethical principles should be clear on this stance, internally and externally. Ideally.

However, as a matter of practicality and necessity, the situation is somewhat more complex. Let's paint that picture. Staff with locked computers unable to work. Customer data at risk. Brand reputation trashed if the news gets out. The cost of remediation and potentially rebuilding entire information systems and databases. Backups which may themselves be compromised so that no restoration is possible.

In this light, five questions must govern the decision to resist or pay a ransomware demand:

First, will we recover our data/regain machine access? Regrettably, it's hard to know whether you can ‘trust’ your ransomer. The ransomware community condemns broken promises to restore upon payment. The renegades effectively poison the well for all by bringing the ransomware industry, such as it is, into disrepute. The irony would be funny if the consequences weren’t so serious. 

Despite whatever honour applies among thieves, the recently released Telstra 2017 cybersecurity report, which surveyed over 150 Australian businesses, found that roughly one-third of the sixty percent of those hit by ransom demands last year did not recover their data, even after the ransom had been paid. 

With a one in three chance of getting nothing in return for the ransom, the next question is: are we labelled as a soft target if we do pay? 

Cyber criminals often share or sell information about compromised systems and users. A payment of a ransom demand is almost certainly going to elevate you to a list of compliant targets which increases your chance of a future attack by the same or other actors.

So with a one in three chance that you won't get your data access restored, and a near 100% chance that you'll be tagged for future attacks in any case, paying at this point looks like a dubious choice.

Next, to prevention: assuming we pay this time and do recover our data, how do we make sure it never happens again? 

Assuming you get your data access back, the payment of a ransomware demand affords a small respite and time to invest in getting systems cleared and reliably backed up. This now becomes a first order priority for the entire organisation.

A full compliance program must be devised and instituted to get your house in order before the next attack. If you do this right, you may be better placed to resist future demands and to recover from their effects. Latent infections, where the malware lies low, quiet and invisible to traditional scanning methods, make complete disinfection more difficult, so you will never be certain the system is completely clear. However, you will likely be safer than you were before.

Critically, the risks of re-infection remain for as long as your staff remain susceptible to exploitation. You must seize the chance to initiate and enforce tough policies on staff email use, organisation-wide training from top to bottom, and implement, test and refine up-to-date remediation and recovery protocols. Your escape is a reprieve, but also a wake-up call. Understand what best practice looks like for your sector and embrace it.
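The article asks whether your backups are clean and calls for recovery protocols that are tested rather than assumed. As an added illustration (this is not code from the original article or its author), the Python below shows one such check: a SHA-256 manifest is written when a backup set is taken and verified again before anyone restores from it, so a backup whose files were altered or padded out after the fact is caught before it is trusted. The file names, contents and simulated tampering are constructed for the demo; in practice the manifest would be stored, and ideally signed, somewhere the backup host cannot write to.

```python
import hashlib
import json
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large backup files do not need to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(backup_dir: Path) -> dict:
    """Map every file in the backup set (relative POSIX path) to its SHA-256 digest."""
    return {
        path.relative_to(backup_dir).as_posix(): sha256_file(path)
        for path in sorted(backup_dir.rglob("*"))
        if path.is_file()
    }


def save_manifest(manifest: dict, manifest_path: Path) -> None:
    """Persist the manifest as JSON; keep this file outside the backup set itself."""
    manifest_path.write_text(json.dumps(manifest, indent=2, sort_keys=True))


def load_manifest(manifest_path: Path) -> dict:
    return json.loads(manifest_path.read_text())


def verify_backup(backup_dir: Path, manifest: dict) -> dict:
    """Compare the backup set on disk against the recorded manifest.

    Returns which files changed, vanished, or appeared since the manifest was
    written. A backup is only considered clean when all three lists are empty.
    """
    current = build_manifest(backup_dir)
    modified = sorted(k for k in manifest if k in current and current[k] != manifest[k])
    missing = sorted(k for k in manifest if k not in current)
    unexpected = sorted(k for k in current if k not in manifest)
    return {
        "clean": not (modified or missing or unexpected),
        "modified": modified,
        "missing": missing,
        "unexpected": unexpected,
    }


def demo() -> dict:
    """Run the manifest check on a constructed backup set, before and after tampering."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        backup = root / "backup"
        (backup / "db").mkdir(parents=True)
        # Constructed sample backup contents
        (backup / "db" / "customers.csv").write_bytes(b"id,name\n1,Alice\n2,Bob\n")
        (backup / "notes.txt").write_bytes(b"constructed sample note\n")

        # Manifest is written at backup time and kept outside the backup directory
        manifest_path = root / "manifest.json"
        save_manifest(build_manifest(backup), manifest_path)
        before = verify_backup(backup, load_manifest(manifest_path))

        # Simulated tampering for the demo: one file overwritten with unreadable
        # bytes and one file added that was never part of the backup set
        (backup / "db" / "customers.csv").write_bytes(b"\x00\x1f\x8b constructed junk")
        (backup / "EXTRA_FILE.txt").write_bytes(b"constructed unexpected file\n")
        after = verify_backup(backup, load_manifest(manifest_path))

        return {"before": before, "after": after}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The check is only as good as the manifest's independence: if the manifest sits beside the backup and is writable from the same host, whatever corrupted the backup can rewrite the manifest too. Keeping it on write-once or offline storage, and making the verify step a mandatory gate in the restore procedure, is what turns "did we back up?" into "can we prove the backup is clean?".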

Finally, the hardest question you have to confront is this: if we don't pay, what are the consequences we must live with? Will the business survive? Did we have the right recovery strategies in place? What protocols did we have in place for media and stakeholder management and regulatory compliance? Did we adequately resource recovery and remediation (clearly, we failed on prevention)? Did we back up, and are our backups clean? Did we identify, isolate and protect mission-critical information resources?

If the answer to any of these questions falls short, you may have to be pragmatic this time and hope you’re dealing with a decent ransomer. And vow never to let it happen again.




Privacy © 2016 Copyright ICMI. All Rights Reserved.
