Ransomware: To Pay Or Not To Pay?

October 1, 2020
Steve Fox

By the end of last year, the Federal Bureau of Investigation (FBI) received 2,047 ransomware attack complaints, accounting for approximately $8.9 million in losses. In fact, researchers are predicting that email-based ransomware attacks will continue to rise, especially as more people work from home amid the COVID-19 pandemic. Despite the rise in incidents, the average ransom amount has actually dropped: In some cases, as low as $100 in Bitcoin. The big question facing businesses today, however, isn’t the average ransom amount demanded from cybercriminals. It’s how the business should prepare for a ransomware threat and whether it should pay (or not pay).


You’ve probably heard it before: Ransomware and other malware can gain access to your entire company’s data and systems through seemingly innocuous digital activities (e.g., opening an infected email attachment, visiting a corrupted website, clicking on a malicious digital advertisement). Once infected, the ransomware can encrypt your data or otherwise block your ability to access information or systems. It happens all the time and it can render a business incapacitated.

In many instances a person may unknowingly infect not only his or her computer, but the company’s network and data infrastructure as well. That is, until you lose access to your data or receive a ransom demand! As with most IT security initiatives, it’s important to have a plan in place for how you will address ransomware attacks.


Your ransomware action plan should include input and buy-in from key stakeholders throughout your organization. Protecting your business from ransomware is an organization-wide initiative, so it’s important to include representatives across the organization as well.

Here are three items to include in your action plan:

  1. Response team: When a threat is identified or a ransom received, who will be involved in the response? What are the roles and responsibilities of those on the response team? Clearly documenting the team members and their respective roles within the response will help each person hold themselves and team members accountable should a threat surface.
  2. Payment decision: As an organization, you must decide whether paying a ransom will even be an option. Will this be determined on a case-by-case basis or will you establish a ransomware payment policy? If you decide that payment is an option, you’ll want to consider how you will obtain and deliver those funds. For example, ransom is often requested in Bitcoin, so be sure you have a documented plan for issuing crypto-currency payment.

     It should also be noted that there is an inherent risk associated with ransom payment. There is no guarantee that payment will result in your company regaining access to your data. In fact, according to the FBI, “due to flaws in the encryption algorithms of certain malware variants, victims may not be able to recover some or all of their data even with a valid decryption key.”

     So even if your company chooses the payment option, there’s still a possibility that your data will remain corrupted and inaccessible. Paying could result in even higher monetary losses, business interruptions, and damage to your company’s reputation (internally and externally).
  3. Data recovery: Evaluate your company’s current process and policy for data backups. How often will your business back up data? Daily? Weekly? How long will those backups be stored? If your data is compromised due to cybercriminal activity, what will your process be for recovery? Who will be involved?

Outlining the details and responsible parties will help your team create a solid action plan that can be executed immediately should a threat occur.

Proactive, organization-wide security measures

Preventing an attack should be priority number one. Through effective security measures and staff training, your organization can minimize its risk.

  • Ensure operating systems, software, and applications are updated and/or patched regularly to address any security vulnerabilities.
  • Back up company data regularly and store those backups in a secure location. Do not leave your backups vulnerable to additional attacks.
  • Establish a business continuity plan.
  • Train staff members on cybersecurity threats, including malware. Provide examples and educate your team on the risks and consequences of engaging with websites or emails from untrusted sources.
  • Establish an escalation plan for suspicious emails or digital activity. Encourage the entire organization to be on the lookout for potential vulnerabilities.
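
The data-recovery questions in the action plan and the backup bullet above can be turned into a repeatable check rather than a one-time discussion. The following Python script is an added example, not code from the original article: it audits a backup catalog against a simple recovery policy (newest backup fresh enough, stored files still matching the hash recorded when they were written, an offline copy of every backup, and a recent restore test per backup job). The catalog entries, file contents and timestamps are constructed sample data, and the field names (`offline_copy`, `last_restore_test`) are assumptions standing in for whatever a real backup tool's catalog provides.

```python
"""Backup readiness audit (added example; not from the original article).

Checks a backup catalog against a simple recovery policy:
  * freshness     - is the newest backup of each job within the required interval?
  * integrity     - does each stored backup still match the hash recorded at backup time?
  * isolation     - does every backup have an offline copy (not writable from the network)?
  * restore test  - has a restore actually been exercised recently for each job?
All inputs below are constructed sample data standing in for a real backup catalog.
"""
import hashlib
from datetime import datetime, timedelta, timezone


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def parse_ts(value: str) -> datetime:
    return datetime.fromisoformat(value)


# --- constructed sample data -------------------------------------------------
# Contents of the backup files at the time they were written.
ORIGINAL_CONTENTS = {
    "db-2020-09-30.tar.gz": b"constructed database dump, 30 Sep",
    "db-2020-09-29.tar.gz": b"constructed database dump, 29 Sep",
    "fileshare-2020-09-25.tar.gz": b"constructed file share archive, 25 Sep",
}

# The catalog records the hash at backup time; this is what we verify against.
# Field names are assumptions for this example.
CATALOG = [
    {"name": "db-2020-09-30.tar.gz", "created": "2020-09-30T23:00:00+00:00",
     "sha256": sha256_hex(ORIGINAL_CONTENTS["db-2020-09-30.tar.gz"]),
     "offline_copy": True, "last_restore_test": "2020-09-30T23:40:00+00:00"},
    {"name": "db-2020-09-29.tar.gz", "created": "2020-09-29T23:00:00+00:00",
     "sha256": sha256_hex(ORIGINAL_CONTENTS["db-2020-09-29.tar.gz"]),
     "offline_copy": True, "last_restore_test": None},
    {"name": "fileshare-2020-09-25.tar.gz", "created": "2020-09-25T02:00:00+00:00",
     "sha256": sha256_hex(ORIGINAL_CONTENTS["fileshare-2020-09-25.tar.gz"]),
     "offline_copy": False, "last_restore_test": None},
]

# What is actually in storage now. The file-share archive has been overwritten
# after the fact (as a backup left on a reachable share might be), so its
# hash no longer matches the catalog.
CURRENT_CONTENTS = dict(ORIGINAL_CONTENTS)
CURRENT_CONTENTS["fileshare-2020-09-25.tar.gz"] = b"constructed: contents replaced later"

# Fixed audit time so the sample run is reproducible.
AUDIT_TIME = datetime(2020, 10, 1, 9, 0, tzinfo=timezone.utc)


def series_of(name: str) -> str:
    """'db-2020-09-30.tar.gz' -> 'db' (the backup job this file belongs to)."""
    return name.split("-", 1)[0]


def audit_backups(catalog, contents, now, max_age=timedelta(hours=24),
                  restore_test_max_age=timedelta(days=7)):
    """Return a sorted list of policy findings; an empty list means the policy is met."""
    findings = []

    # Freshness: the newest backup of each job must be within max_age.
    newest = {}
    for entry in catalog:
        created = parse_ts(entry["created"])
        job = series_of(entry["name"])
        if job not in newest or created > newest[job]:
            newest[job] = created
    for job, created in newest.items():
        if now - created > max_age:
            findings.append(f"stale: newest '{job}' backup is {now - created} old")

    # Integrity and isolation, checked per backup file.
    for entry in catalog:
        name = entry["name"]
        data = contents.get(name)
        if data is None:
            findings.append(f"missing: {name} is not present in storage")
        elif sha256_hex(data) != entry["sha256"]:
            findings.append(f"integrity: {name} no longer matches its recorded hash")
        if not entry["offline_copy"]:
            findings.append(f"isolation: {name} has no offline copy")

    # Restore testing: at least one restore test per job within restore_test_max_age.
    for job in newest:
        tests = [parse_ts(e["last_restore_test"]) for e in catalog
                 if series_of(e["name"]) == job and e["last_restore_test"]]
        if not tests or now - max(tests) > restore_test_max_age:
            findings.append(f"untested: no recent restore test for '{job}' backups")

    return sorted(findings)


def run_sample_audit():
    """Audit the constructed catalog at the fixed audit time."""
    return audit_backups(CATALOG, CURRENT_CONTENTS, AUDIT_TIME)


if __name__ == "__main__":
    for finding in run_sample_audit():
        print(finding)
```

Run against the sample data, the audit reports four findings: the file-share archive is stale, no longer matches its recorded hash, has no offline copy, and has never been restore-tested, while the database backups pass. The integrity check is the one that matters most for ransomware: a backup that was silently encrypted or overwritten looks fine in a file listing and only shows up when its hash is recomputed, which is why the hash must be kept somewhere the backup storage itself cannot alter.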

Cybercriminals and cybercrime are not going away. As businesses continue to evolve and adopt new technologies, cybercriminals will do the same and will attempt new, sophisticated methods of attacking your systems. Although you can’t prevent cybercriminals from trying, you can prepare your team and your business to defend against them – or in the worst-case scenario, quickly and effectively address an attack to minimize disruption and losses.
