One of the key decisions that needs to be made in the aftermath of a successful ransomware attack is whether or not the victim organization can or should pay the ransom.  Of course, there are many considerations that go into such a decision – for example, whether the payment is legally permissible, the ease of system restoration absent paying the ransom, the harm that might result to the company or its consumers if systems cannot be timely restored, or whether there are reputational risks or ethical concerns, amongst many other considerations.

A new study by Hiscox, a privacy and cyber security insurance company, sheds light on additional practical concerns that should be taken into account in that balancing of potential risks and benefits.

More specifically, Hiscox released its sixth annual Cyber Readiness Report 2022.  In it, Hiscox reports a number of notable findings:

  • The share of surveyed companies reporting a ransomware attack rose to approximately 19%, up from 16% the previous year.
  • Approximately 60% of surveyed companies paid a ransom in response to a successful ransomware attack.
  • Of the companies that paid a ransom, approximately half went on to pay again after suffering additional successful attacks.
  • In the United States specifically, the number of ransomware attacks stayed generally the same from 2021 to 2022, but the amount paid increased, and more victims paid the ransom this year than last.
  • Only 59% of companies that paid the ransom successfully recovered their data.
  • 29% of companies that paid the ransom still had their data leaked.

In other words, an organization that considers paying a ransom must do so with the understanding that not only are there legal, reputational and business risks, but such a payment may not even mitigate the harm of the attack: in the survey, a substantial share of paying organizations neither recovered their data nor prevented its leak.  Further, while it was widely understood that paying the ransom might encourage future criminal activity against others, the statistics suggest that such a payment may in fact lead to further attacks against the paying organization itself.  A survey cannot establish that the payment caused the later attacks, but an organization known to have paid once is, at a minimum, a more attractive target for a second attempt, so the payment decision should weigh the repeat-victim risk alongside the immediate cost.

What should now be clear, if it was not already, is that the decision of whether or not to pay a ransom is complicated, and accordingly it would be preferable not to have to consider this question for the first time on the fly in the middle of an actual ransomware attack.  It is accordingly a best practice – prior to an attack occurring – to thoroughly consider the factors that go into the payment decision and, ideally, to document them, along with an analysis of your organization’s particular weighing of those factors, in an internal policy or manual that can be adopted by consensus and then consulted for guidance should the worst happen.