To Pay or Not to Pay – There Isn’t a Question

Every ransomware attack requires the victims to make a hard decision – whether or not to pay the ransom. The decision is often made on the basis of past mistakes – failure to implement basic security (such as not implementing multi-factor authentication), failure to train personnel in recognizing phishing, or failure to establish and maintain an effective backup protocol. Lack of backups is often the deciding factor – if a company cannot reinstall systems and recover lost data, it may feel that it has no choice except to pay the ransom.

Why You Shouldn’t Pay. Even if that were the case, paying the ransom may be the wrong decision. Here’s why:

  • Paying the Ransom May Be Illegal. Federal and some state and local governments have rules against paying ransom to bad actors because doing so funds illegal activities. The U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC) oversees these incidents. The International Emergency Economic Powers Act and the Trading with the Enemy Act have strict rules against foreign financial engagement, and it is illegal to conduct a transaction with any person on OFAC’s Specially Designated Nationals and Blocked Persons List. As it happens, hackers are often on the list. Violations of the sanctions rules can result in civil penalties, and even jail time.

Liability can extend to cases where the victim is unaware that a payment to an individual or entity on the list violates these laws; the government can seek civil penalties even if the victim didn’t know the payment was illegal.

  • Paying the Ransom Doesn’t Work. In the vast majority of cases, paying the ransom gives access to an encryption key that may be of limited use, or may be entirely ineffective. The data may be corrupted, and there are even cases where the encryption key gives access to the data of other parties – which means that someone else has access to your data! Studies have shown that it is easier, faster and cheaper to recreate the lost data from a backup – emphasizing the importance of having backups.

Companies should also remember that even if they recover the data, that data has been exfiltrated, and the hacker will likely extort an additional payment to agree not to resell the data. At the same time, we are dealing with criminals – what kind of promise is that? The hacker may sell the data anyway.

There’s another factor – paying the ransom is a message to the bad actor that the victim will pay again. Once a victim has proven that it will pay, the hacker is just as likely to demand additional payments.

  • Paying the Ransom is Wrong. Giving money to criminals funds and encourages criminal behavior. If hackers aren’t paid for their actions, they’ll be less likely to do it again; it impacts their business model. Conversely, ransom payments encourage the behavior.

The British Experiment. The US isn’t the only country that is grappling with the issue. British officials are evaluating mandates that would change how victims respond to these incidents. The proposal, still in its early stages, would require victims to report incidents to the government, and mandate that any victim that wants to make an extortion payment seek a license from the government to do so. This policy would help illuminate the scale of cybercrime issues; the lack of mandatory reporting makes this a matter of mystery and speculation.

Britain is also considering a complete ban on ransom payments by organizations involved with the critical national infrastructure. The stated goal of banning ransom payments is to de-incentivize cyber criminals from targeting such crucial systems and services, reducing the overall security threat to these critical infrastructures.

JMBM’s Cybersecurity and Privacy Group counsels clients with a commitment to protecting personal information in a wide variety of industries, including accounting firms, law firms, business management firms and family offices, in matters ranging from development of cybersecurity strategies, creation of data security and privacy policies, responding to data breaches and regulatory inquiries and investigations, crisis management and artificial intelligence implementation. The Cybersecurity and Privacy Group uses a focused intake methodology that permits clients to get a reliable sense of their cybersecurity readiness and to determine optimal, client-specific approaches to cybersecurity.

Robert E. Braun is the co-chair of the Cybersecurity and Privacy Law Group at Jeffer Mangels Butler & Mitchell LLP. Clients engage Bob to develop and implement privacy and information security policies, data breach response plans, negotiate agreements for technologies and data management services, and comply with legal and regulatory requirements. Bob manages data breach response and responds quickly to clients’ needs when a data breach occurs. Contact Bob at +1 310.785.5331.