One of the key decisions that needs to be made in the aftermath of a successful ransomware attack is whether or not the victim organization can or should pay the ransom.  Of course, there are many considerations that go into such a decision – for example, whether the payment is legally permissible, the ease of system restoration absent paying the ransom, the harm that might result to the company or its consumers if systems cannot be timely restored, or whether there are reputational risks or ethical concerns, amongst many other considerations.

A new study by Hiscox, a privacy and cyber security insurance company, sheds light on additional practical concerns that should be taken into account in that balancing of potential risks and benefits.

More specifically, Hiscox released its sixth annual Cyber Readiness Report 2022.  In it, Hiscox raises a number of interesting findings:

  • Ransomware attacks have risen approximately 19%, which is up from 16% from last year.
  • Approximately 60% of surveyed companies paid a ransom in response to a successful ransomware attack.
  • Of the companies that paid a ransom, approximately half of those ultimately paid ransoms on multiple occasions after suffering additional successful attacks.
  • In the United States specifically, the number of ransomware attacks have stayed generally the same from 2021 to 2022, but the amount paid has increased. More victims paid attackers the ransom amount this year than last.
  • Only 59% of companies that paid the ransom successfully recovered their data.
  • 29% of companies who paid the ransom still had their data leaked.

In other words, an organization that considers paying a ransom must do so with the understanding that not only are there legal, reputational and business risks, but such a payment may not even mitigate the harm of the attack.  Further, while it was widely understood that paying the ransom might encourage future criminal activity against others, the statistics suggest that such a payment may in fact lead to further attacks against the paying organization itself.

What should now be clear if it was not already, is that the decision of whether or not to pay a ransom is complicated, and accordingly, it would be preferable not to have to consider this question for the first time on the fly in the middle of an actual ransomware attack.  It is accordingly a best practice– prior to an attack occurring – to thoroughly consider the factors that go into the payment decision and – ideally – document those, along with an analysis of your organizations’ particular weighing of those factors, in an internal policy or manual that can be adopted by consensus, and then be consulted for guidance should the worst happen.

Print:
Email this postTweet this postLike this postShare this post on LinkedIn
Photo of Nolan Goldberg Nolan Goldberg

Nolan M. Goldberg is a partner in the Litigation Department, co-head of the Data Privacy and Cybersecurity Litigation Group, and a member of the Patent Law Group. His practice focuses on technology-centric litigation, arbitration (including international arbitrations), investigations and counseling, covering a range…

Nolan M. Goldberg is a partner in the Litigation Department, co-head of the Data Privacy and Cybersecurity Litigation Group, and a member of the Patent Law Group. His practice focuses on technology-centric litigation, arbitration (including international arbitrations), investigations and counseling, covering a range of types of disputes, including cybersecurity, intellectual property, and commercial.  Nolan’s understanding of technology allows him to develop defenses and strategies that might otherwise be overlooked or less effective and enhances the “story telling” that is critical to bringing a dispute to a successful conclusion.

Nolan is a registered patent attorney before the U.S. Patent & Trademark Office; and an International Association of Privacy Professionals (IAPP) Certified Information Privacy Professional, United States (US CIPP) and Certified Information Privacy Technologist (US CIPT).

Cybersecurity

Nolan’s electrical engineering background, coupled with a litigation and risk management-centric focus, allows him to assist companies in all phases of incident response. Nolan often acts as a bridge between the technical and legal response teams (both inside and outside forensic consultants). Nolan uses this deep familiarity with the company and its systems to defend the company in litigations, arbitrations and regulatory investigations, including before the Federal Communications Commission (FCC); Federal Trade Commission (FTC) and before various State’s Attorneys General, including Multi-State investigations.

Nolan has worked on incidents that range from simple phishing attacks on e-mail accounts by cyber-criminals to intrusions by (formerly) trusted inside employees to complex technical breaches of hosted systems by state-sponsored advanced persistent threats (APTs). These incidents have involved both client systems, and systems of a vendor of a client that hosted its data.

It is often the case (both in response to an incident and for other reasons) that a company will want to undertake an assessment of its security posture, but has concerns about the discoverability of any such analysis.  Accordingly, Nolan also frequently assists companies’ scope and conduct privileged security assessments, including “dual purpose” assessments where privileged analysis are also used for ordinary-course purposes.

Commercial Disputes

Nolan also assists companies with commercial disputes, particularly in cases where there is a technology component, including disputes arising from hosted software agreements; outsourcing and managed services agreements; software and technology development agreements and the dissolution of joint ventures.  When these disputes cannot be amicably resolved, Nolan has litigated them in State and Federal Court and in arbitrations, including international arbitrations.

Intellectual Property

Nolan’s work has included numerous patent and trade secret litigations and negotiations, primarily in cases involving computer and network-related technologies. In particular, the litigations have involved at least the following technologies: hosted software; telecommunications, computer networking; network and computer-related security hardware and software; microprocessors, voice-over Internet protocol (“VoIP”); bar code scanners  financial business methods and software, including securities settlement, fail management and trade execution and reporting software; data compression; handheld computers; pharmaceuticals; cardiac electro-stimulatory devices and prosthetics.

Nolan also has experience prosecuting patent applications before the U.S. Patent and Trademark Office in encryption, CMOS, HDTV, virtual private networks (“VPN”), e-commerce, XML/XSL, financial instruments, semiconductor electronics, medical device technology, inventory control and analysis, cellular communications, Check 21 and business methods. Nolan also has conducted numerous freedom-to-operate searches, written opinions, and counseled clients in the areas of bar code scanners, imaging, book publishing, computer networking, business methods, Power Over Ethernet (“PoE”), and digital content distribution.

He has assisted in evaluating patents for inclusion in patent pools involving large consumer electronics and entertainment companies concerning CD and DVD technology.

Computer Forensics and Electronic Discovery

Nolan is often called upon to develop e-discovery strategies to be used in all types of litigations, with a particular focus on selecting appropriate tools, developing proportionate discovery plans, cross border electronic discovery, managing the overall burden and cost of the electronic discovery process, and obtaining often overlooked electronic evidence, including computer forensics. He also assists clients to develop and implement information management programs to reduce expense and risk, meet compliance obligations, and tame e-discovery burdens.

Thought Leadership

Nolan has authored numerous articles and given numerous presentations on emerging issues and trends in both technology and law, and has often been called upon to comment on various media outlets including Business Week, IPlaw360, IT Business Edge, CIO.com, Forbes, and The National Law Journal.

Prior to practicing law, Nolan was a computer specialist at Underwriters Laboratories (UL).

Photo of Margaret Ukwu Margaret Ukwu

Margaret Ukwu is an associate in the Litigation Department and a member of the Intellectual Property and Product Liability groups. She focuses her practice on complex patent litigation involving a broad range of technologies, including electrical arts pertaining to mechanical systems, computer architecture…

Margaret Ukwu is an associate in the Litigation Department and a member of the Intellectual Property and Product Liability groups. She focuses her practice on complex patent litigation involving a broad range of technologies, including electrical arts pertaining to mechanical systems, computer architecture, pharmaceutical and medical devices, internet applications, mobile operating systems, wireless communications and user interfaces. She also advises clients on all aspects of patentability and provides patent counseling regarding invalidity, non-infringement and freedom to operate assessments.

Margaret also specializes in all aspects of pre-trial work and trial preparation, including drafting motions in limine, jury instructions, working on demonstrative and exhibit lists, preparing witnesses for trial and drafting opening and closing statements.

While in law school, Margaret interned for the Honorable Sam Rugege at the Supreme Court of Rwanda. Prior to practicing law, she worked as a control systems engineer at a large multinational company.