Each year, we continue our everlasting hope that ransomware attacks will disappear. The unfortunate reality is that ransomware is as prominent as ever. Experts predict that ransomware attacks will only become more frequent and sophisticated, posing an even greater threat across all industries.

When ransomware strikes, the biggest question a company has to answer is typically whether to pay the ransom. But paying the ransom is only a fraction of the total cost to a business. In some cases, companies may even face fines for paying up and not even getting their data back.

So why are companies still paying? Why are they not pulling in the experts, such as government support from the FBI or CISA, from the beginning?

Before answering these crucial questions, we start with a cautionary tale about paying the ransom.

A case study in ransomware

In November 2021, an attacker exploited a vulnerability in a law firm’s Microsoft Exchange email server that provided adversarial access to the firm’s systems. Patches for this vulnerability had been available for months, but the firm had not applied them. Then, in December 2021, the attacker installed malware on the company’s systems.

The law firm represents New York City hospitals and is responsible for maintaining patients’ sensitive private information. The 2021 data breach exposed 114,000 patients’ data, including over 60,000 state residents. The data breach was possible due to the firm’s poor data security measures that violated state law and HIPAA regulations. As a result, New York Attorney General Letitia James ordered the firm to pay $200,000 in penalties for failing to secure their clients’ personal and healthcare data.

The fine adds to the firm’s financial setback, as it had already paid the $100,000 ransom in exchange for the return and deletion of the data, despite a lack of evidence the data was deleted.

The law firm failed to adopt several measures required by HIPAA, including regular risk assessments, encryption of private information and data minimization practices. Accordingly, the firm has been ordered to strengthen its cybersecurity measures. This includes implementing a comprehensive information security program, encrypting private and health information, implementing centralized logging and monitoring, establishing a patch management program, developing a penetration testing program and updating its data collection and retention practices.

Attorney General James stated that “confidential patient information should be treated with care and secured online to protect New Yorkers from identity theft and fraud, and companies should strengthen their data security measures to safeguard consumers’ digital data.” The New York Attorney General’s office will continue to hold companies accountable for their actions and protect New Yorkers from harm.

Why are companies still paying the ransom?

Brett Callow, Emsisoft’s threat researcher and renowned ransomware expert, explained that most companies are probably not foolish enough to believe that a bad actor will adhere to their pinky promise and actually delete the data. “In reality, most companies that pay for deletion probably do so in the hope that being able to say they took action to ‘protect’ the data will lessen the likelihood of fines or angry customers hitting them with a class action.”

Callow advised that it makes absolutely no sense to pay for deletion. “It’s akin to sending money to the guy who burgled you in the hope he’ll return your stuff. Spoiler: he almost certainly won’t. Unsurprisingly, some companies which paid found themselves being extorted for a second time using data that had supposedly been deleted while others discovered that the data was being auctioned on cyber crime forums.”

What about seeking help from the government?

Victimized companies have several reasons why they may not seek help from government agencies like the Cybersecurity and Infrastructure Security Agency (CISA). Often, organizations may not want to disclose that they have been breached — fearing reputational damage, regulatory scrutiny or legal liability. More often, some companies may not have adequate cybersecurity measures or trained personnel to detect and respond to ransomware attacks effectively, decrypt their data or develop a recovery plan.

The worst-case scenario for not seeking help is for those companies without adequate backups of their data. This makes it more difficult, or even impossible, to restore their systems without paying the ransom.

Seeking expert help from government agencies like CISA can provide companies with additional resources, technical expertise and guidance on responding to ransomware attacks effectively. Plus, the government may have access to tools or resources that can help recover data or prevent future attacks.

But according to Callow, too many companies fail to implement basic good practices such as MFA. “So it makes sense to use legislative or administrative penalties as part of the solution to the problem,” he said. “If penalties increase the potential cost of a breach, companies may be less inclined to skimp on security — and insurers may be less inclined to permit them to skimp.”

To pay or not to pay? (Or, why you shouldn’t pay)

Before deciding whether to pay a ransom, organizations should consider some important factors. First, paying a ransom doesn’t guarantee the recovery of the encrypted data. Plus, as experts like Callow always say, there is no guarantee that the criminals will fulfill their part of the deal after they receive payment. Even if companies pay the ransom and the attackers provide a decryption key, the recovery effort can be complex and time-consuming.

In addition, paying a ransom can be considered a federal offense; especially if the attacker is from a country under sanctions by the U.S. government. In 2020, an advisory from the U.S. Treasury’s Office of Foreign Assets Control (OFAC) served notice about potential fines for all those involved in aiding payments to attackers from sanctioned countries. Those countries include Russia, North Korea and Iran. Firms that offer ransomware negotiation services aren’t exempt from this advisory. While your organization may not be able to attribute the attack to a specific group or geography readily, you may still incur fines from the OFAC if you pay a ransom.

Most importantly, paying a ransom can strengthen the criminals’ business model and encourage more criminals to engage in the same activity, ultimately increasing the frequency and price of attacks. It’s also crucial to note that while some private firms offer ransomware negotiation services, they are not exempt from the legal consequences of paying a ransom.

For additional insight into ransomware and to learn how your organization can manage the threat more effectively, download IBM’s Definitive Guide to Ransomware.