author photo
By Bruce Sussman
Wed | Nov 28, 2018 | 9:50 AM PST

Ransomware: should you pay or not?

It's a philosophical question, really, until you get hit with ransomware.

Then, your organization (or household) must make a tough choice.

And for the City of Valdez, Alaska, the choice was to pay the ransom if hackers provided a proof of concept (POC). The hackers agreed and the city paid.

The city manager of Valdez posted details on Facebook and said the city is in its final phase of recovery from the summertime ransomware attack, and is gradually moving decrypted files out of quarantine once they are certified to be virus free.

And the city's recent ransomware post details some interesting payment approaches:

  • The city hired a third-party firm to handle ransomware negotiations with the hackers: "Through the third-party firm, the cyber attackers demanded four bitcoin, digital currency equal to $26,623.97 at the time, in exchange for an electronic decryption tool."
  • The city has cybersecurity insurance, and the insurer covered the ransom: “After consultation with the City legal team, our insurance carriers, and careful consideration of the best interests of the City, I authorized the third-party firm to negotiate and pay up to the amount of the ransom demand,” said Elke Doom, Valdez city manager.
  • The city demanded a POC and the hackers agreed: “Negotiation terms required demonstration of successful decryption of multiple City documents and verification the decryption key would not reinfect our system.” Over a period of several weeks, city IT personnel used the tool to successfully decrypt all city data infected by the ransomware. 

Demanding a decryption tool demo seems to limit one risk we hear about at SecureWorld regional cybersecurity conferences: many pay, but only some get decryption tools that actually work.

SentinelOne did research in 2018 that revealed, "45% of US companies hit with a ransomware attack last year paid at least one ransom, but only 26% of these companies had their files unlocked."

Other significant risks remains, however, if you decide to pay the ransom. You've just identified yourself and your organization as a party that is willing to pay, and so hackers may try to take advantage of that again.

Also, cybercriminals may have copied your data before encrypting it, so they may continue to have access to sensitive information.

There are more arguments on both sides, of course.

And that's why the debate over whether or not to pay ransom will probably last as long as the threat of ransomware does.