Should businesses negotiate with ransomware criminals? 

By David Trump, Cyber Security Director, BOM IT Solutions

Since the beginning of 2023, household names such as Royal Mail, Arnold Clark, WH Smith and Uber have all fallen victim to cyber-attacks. The reality is, however, these are just a few of the high-profile names that make up thousands of UK businesses and organisations that have been targeted by cybercriminals in the first quarter of the year. 

Ransomware is one of the most common types of malware used in cyber-attacks. These attacks involve cybercriminals blackmailing victims in order to extort large amounts of money from them, usually in exchange for stolen data being returned or decrypted, or for the promise that it won't be released publicly. Other ransom threats include locking organisations out of critical systems, causing untold disruption to customers and potentially leaving reputations in tatters.

Last year one in four SMEs experienced a ransomware attack, and during the first half of 2022, there were 236.1 million of these types of attacks worldwide. The costs associated are eyewatering too. According to IBM’s 2022 report, the average ransom payment is $812,360, or £650,000. However, this is only part of the total cost. When taking into account disruption, downtime and loss of business, IBM puts the average cost per attack at $4.5 million, nearly £4 million. In the UK, businesses should note they will also be liable to fines from the ICO for breaching GDPR guidelines should they fall victim to an attack where data is stolen. This can be up to 4% of global revenue. 

It’s not all doom and gloom, however, and there may be some light at the end of the tunnel in how organisations are responding. While an ever-greater number of companies are being held to ransom, the amount of money cyber gangs are managing to extort from victims is in decline. 

The amount paid to cyber criminals last year totalled $456.8 million (£402 million), down from $765.6 million (£675 million) the year before, a decline of over $300 million (£264 million) in 12 months. While underreporting of costs and breaches can be commonplace, these figures definitely indicate a downwards shift.

There are potentially a multitude of reasons for this trend, but the most likely is that decision makers at SMEs and larger businesses are choosing not to pay ransom demands. This is something we've seen in a number of public extortion attempts, most recently with the Royal Mail and Pendragon breaches. However, although it is positive that attacks are becoming less fruitful for criminals, there are pros and cons to choosing not to pay a ransom.

In the UK the government states that it does not condone paying ransoms, which is the same line taken by the FBI in the United States, as paying continues to fuel a cycle of online crime. But this is often easier said than done when the reality of the situation hits. If your business becomes the victim of a ransomware attack, your reputation is massively at risk, and if your data and files are stolen or encrypted, it can become impossible for your company to operate in any capacity. There is also the chance that sensitive customer or staff data could be leaked onto the dark web or sold to other malicious groups. These factors must all be considered when making the decision on whether to pay up or not.

So, this brings us to the question, ‘should I negotiate with the ransomware criminals?’. 

Unfortunately, the answer isn’t black and white, and must be decided on a case-by-case basis, taking into account all of the relevant factors, including those mentioned above. 

What are the options? 

For some businesses, paying a ransom may seem like the only choice when it comes to getting back stolen data or regaining access to systems that may have been compromised. 

Circumstance normally plays a role in these situations: perhaps the company in question handles extremely sensitive data, there is pressure from shareholders to pay up, or the company wants to avoid further reputational damage by appearing to do everything it can to rectify the problem. For these organisations, there are steps they can explore.

Firstly, they should enlist the help of a cyber negotiation service. These professionals understand best practice when it comes to negotiating with cybercriminals and can give organisations the best chance of successfully negotiating a deal.

All organisations should have a cyber insurance policy in place, so it's also important to reach out to providers as soon as possible. They'll be able to advise on the best course of action and will be there to potentially facilitate negotiations and sometimes payment. You may be under the impression that negotiations don't work, but Royal Mail is an example of where they did. While the organisation went on to decline payment, negotiations with LockBit, the group behind the attack that shut down international delivery services, saw the original ransom halved from £66 million to £33 million. Consideration should also be given to incident response and to who will be responsible for removing the offender from your network, although this can be a long process and very expensive.

It should also be noted that it can be illegal to pay a ransom in the UK, and this is something that you should discuss with your insurance provider at the earliest opportunity. Current legislation states that making funds available to sanctioned parties is prohibited, and it can carry serious consequences should someone be proven to have done so. This is why many businesses often negotiate through third parties based outside of the UK. 

You should also remember that paying a ransom does not guarantee anything. These are still criminal groups you're dealing with, who may decide to leak or keep the stolen data regardless. In fact, a report by Sophos found that while almost all (99%) of businesses hit by a ransomware attack get some of their encrypted data back, just 4% have all of their data returned. On top of this, by paying a ransom, organisations may be opening themselves up to yet more demands, as the hackers know that these targets are likely to pay up if attacked again.

For those who decide not to pay a ransom, the only drawbacks are the obvious ones. Your data may be leaked or permanently encrypted, and through the publication of sensitive information online, your reputation may be seriously impacted. 

If your company relies on its data and files, you may also be unable to operate for an extended period of time while you work to recover these files, and the amount of money lost could grow on an hourly or daily basis for faster-moving companies. 

The question of whether you should pay a ransom will never be black and white, and should be decided on a case-by-case basis by every business and organisation. The government and NCSC will always say you shouldn’t pay, however, decision makers at companies may feel differently when reality strikes and they are put in this very difficult position.