Ransomware payment


If ransomware locks up your systems and disrupts operations, you might consider paying the ransom. It’s a difficult choice with legal, ethical, and operational implications. You should consider your approach beforehand, when you can weigh the risks without the chaos of a crisis or pressure from employees, partners, customers, and investors.

Prepare for the Decision Before It Happens

Boards and executives should reach an understanding in advance about how the company will approach a ransom demand. That means knowing the legal and financial implications, how capable the organization is of recovering without paying, and how likely payment is to improve the outcome. It also means agreeing on who has authority to make the final decision and ensuring that everyone understands the company’s position before an incident occurs.

If the organization decides to explore payment, it should engage with legal counsel immediately. Breach counsel with ransomware experience can confirm what’s allowed by law. In the United States, the Office of Foreign Assets Control (OFAC) maintains a list of sanctioned entities that U.S. companies and individuals are prohibited from paying. Paying a sanctioned entity can expose the company and its officers to serious legal penalties, even if the payment is made through an intermediary. Counsel can also help coordinate with law enforcement and insurance providers, advise on data breach and other notification laws, and help the company understand its legal exposure.

What Happens If You Do Pay

Paying the ransom doesn’t guarantee fast recovery. Some ransomware groups never provide a decryption tool, even after payment. Others do, but their tools are often unstable or slow. Even when the tools work, recovery can take weeks because each system must be decrypted, cleaned, and/or rebuilt, requiring long hours of manual effort from your IT and security teams.

The threat actor may return with new demands, threaten to leak data, or target the company again. Ransomware groups often claim to delete stolen data and may even provide “proof of deletion.” In practice, they rarely delete the data and the proof is usually fake.

Still, some companies decide that the best option is to pay. For some of them, it works out. It may work out for you too, but don’t make the decision to pay without being aware of the risks.

Specialized Firms Can Help

Specialized firms such as Coveware help organizations navigate ransomware negotiation and payment. They can communicate with the threat actor, gather intelligence on how the group has behaved in past cases, and help determine whether payment would violate sanctions. Even if you decide not to pay, a firm that understands ransomware negotiations can help your team evaluate options and stay informed.

Other firms, such as Fenix24, focus on post-ransomware recovery. They can help coordinate and execute a recovery plan, including decrypting or restoring systems. These firms work alongside your teams and the incident response firm to accelerate restoration and reduce downtime.

Law enforcement agencies generally discourage ransom payments, but unless your company is legally prohibited from paying, it’s a business decision. The right answer depends on how badly operations are affected, how long recovery will take, and what the legal and reputational consequences could be. Experienced counsel and outside experts can help you make that decision with better information.

Build a Policy Before You Need One

It’s helpful to have a ransomware payment policy before an attack occurs. The policy doesn’t need to take a hard line for or against paying. It should define who participates in the decision, what steps are required before payment can be considered, and who has authority to make the final call. It should also cover legal and insurance requirements, communication protocols, and potential reputational risks.

Trying to make a payment decision during an attack, without a policy or guidelines, is a mistake. It creates confusion, slows the response, and increases the chances of poor decisions. A clear policy gives your team structure when the pressure is high and time is short.

You May Not Like the Choices You’re Left With

No one wants to pay a criminal. But when a ransomware group encrypts your systems, deletes your backups, and halts your operations, you may face only bad choices.

The best time to prepare for that situation is before it happens. Define how your company will make that decision and who will be involved. Each option carries risk, but the risks can be managed better by planning in advance.

Disclaimer: I am not a lawyer and this is not legal advice. If you’re making a payment decision, you should get legal advice. My opinions are my own.
