Skip to navigationSkip to content

Ideas

Our home for bold arguments and big thinkers.

hacker image
Reuters/Kacper Pempel
It’s like negotiating with terrorists.
BITCOIN PLZ

Should you pay a hacker’s ransom?

Carl Herberger
By Carl Herberger

Vice president of security solutions, Radware

If someone locked down your pacemaker, what would you pay to regain control? If hackers took over a cockpit or locomotive, what would you pay for restitution?

This is the future of ransomware that we’ll almost certainly see if the evolution of these threats holds course. Any time human safety enters the mix, it’s a ripe opportunity to extort money. As more ransomware victims pay, the kind of threats that put lives at risk will be even more incentivized.

For now, though, it’s computers, data centers, and entire IT environments that are held hostage. While these threats are certainly not as grave as those against human lives, they can cripple businesses, health care facilities, and even government operations.

Most of these organizations know what ransomware is, of course, but when you tell them they’ve been infected, they often don’t understand what that means. There’s a bit of shock—they haven’t gone through the mental exercise to figure out what they would do in that situation. Most companies are thoroughly knowledgeable about ransomware, but ignorant about what their first steps should be if they become victims of an attack.  

Consider this before you pay a ransom

Typically, the decision on whether to pay the ransom ends up in committee. They want to know the options: How much the ransom would cost, if payment would be lower than the cost to remediate, or whether culturally they refuse to pay on principle.

Do the mental exercise right now: Your business has been infected with ransomware. Your system is locked down and encrypted, and the hacker holding the key is demanding thousands of dollars in Bitcoin. Or maybe you received an email threatening a DDoS attack that will bring down your site, which can be avoided with a quick deposit in the hacker’s account.

Should you pay the ransom?

The answer is simple: Pay if you want to keep paying. Playing into ransom attacks is akin to negotiating with terrorists. Do you have a tolerance for negotiations, or do you draw a line in the sand? If you reward certain behavior, you’ll get more of it. If you show yourself willing to pay, hackers will be knocking on your door.

With ransomware, paying will sometimes work at the individual level, but in the aggregate, it only incentivizes the whole ransomware industry to continue to develop new and better attacks. Why would they stop? It’s lucrative. Paying will worsen the situation with ever-increasing new threat vectors of code and programs and techniques aimed at ransoming your systems.

For some, paying the ransom is the best—or only—option

On the other hand, paying is sometimes victims’ lone option. Often the targets of ransomware aren’t who you’d expect. The headlines cover hospitals paying tens of thousands of dollars to regain access to their systems, and the US House of Representatives blocking use of Yahoo Mail and Google apps in a move to cut off an influx of ransomware. Of course enterprise companies and other large organizations are being hit with attacks, but the hackers also make a point of preying on the weak and defenseless.

College students, for example, are a big target. Think about it. Few of them have sophisticated systems or the resources or know-how to combat this kind of attack. If their computer is locked down, who do they turn to? What do they do? It’s much simpler to pay the $50 the hacker demands and get their computer back.

Small businesses are another common victim. Dentist offices, accounting firms, and law offices are all vulnerable. For a small law office, a locked-down environment means work halts.

Employees can’t do research, can’t file documents, can’t review contracts, wills, and other files. They’re usually working on out-of-date hardware and software, and lack the vendor assistance or acumen that larger organizations have to protect themselves. Paying up gets the office running again quickly without much effort, an option made more attractive by their lack of resources—paying is often their only recourse.

How to slow the flood of ransomware

Paying the ransom doesn’t mean the attacks stop—many companies that pay up are likely to then be hit repeatedly as soon as it’s clear they’ll pay. It becomes a protection racket of sorts, with hackers collecting payments to keep your systems up and running. Those that pay also contend with hoax threats that amount to nothing.

The only way to slow this particular threat is to stop paying. Security threats will always exist. Those who take steps to be aware of attacks and raise the proper defenses and fail-safes are less likely to be targets. And even if they’re hit with ransomware, they won’t have to bow to the hacker’s demands.

Subscribe to the Daily Brief, our morning email with news and insights you need to understand our changing world.

By providing your email, you agree to the Quartz Privacy Policy.