
No one ever wants to be in a position where they have to pay a ransom. But the data and high-profile examples from Australia in the last 12 months clearly show that businesses of all sizes are being targeted by cyber criminals.


When this happens, valuable data can be stolen or business systems encrypted with users locked out. In both instances the hacker might offer a simple solution: pay this ransom to me and I will delete your sensitive data from my possession or unlock your systems.


The question is, should you pay? That’s what this article is here to cover.


The dilemma for businesses

Businesses that fall victim to ransomware attacks face a difficult decision: pay the ransom and hope the attacker follows through on their promise to provide the decryption key, or refuse to pay. Refusing to pay can have serious consequences.


If you permanently lost access to all, or even half, of your data, including your contacts, bank details, invoices and records of payments, what would that do to you? This dilemma is compounded by the huge uncertainty surrounding any payment. It is typically made in cryptocurrency or by cash transfer offshore, so there is no guarantee that paying the ransom will actually result in the safe return of the encrypted data, and it may even encourage further attacks in the future.


The “for” case – why should you pay a ransom?

Some arguments in favour of paying the ransom include:

  1. Recovering critical data: Paying the ransom may be the only way to regain access to important data or systems that are necessary for the functioning of the business. This is a basic cost-benefit analysis: is the cost to you of not paying greater than the cost of paying the ransom?
  2. Avoiding negative consequences: Ransomware attacks can result in significant financial and reputational damage to a business, or to the business's customers. Paying the ransom may be seen as a way to avoid or mitigate these negative consequences.
  3. Faster recovery: In some cases, paying the ransom may result in a faster and more complete recovery of data and systems than attempting to restore from backups or other means.


Some high-profile examples of companies that paid ransoms include:

  1. Colonial Pipeline: In May 2021, the US pipeline operator paid a ransom of USD 4.4 million to the DarkSide ransomware gang after a cyberattack shut down its operations.
  2. JBS Foods: In June 2021, the Brazilian meatpacking company paid a USD 11 million ransom to the REvil ransomware group after it was hit by a cyberattack.
  3. University of California San Francisco (UCSF): In June 2020, UCSF paid a ransom of USD 1.14 million after a ransomware attack on its medical school servers.


It's important to note, however, that there are also strong arguments against paying the ransom, which we explore in the next section.


The “against” case – why should you not pay a ransom?

Similarly, there are compelling arguments against paying any ransom. These can be divided into concerns that affect the individual business and those that might have wider consequences too.


Individual concerns

  1. No guarantee of recovery: As we noted above, there is no guarantee that paying the ransom will result in the decryption of your data. In fact, some victims have reported paying the ransom and still not receiving the decryption key or having their data restored. In an even more frustrating scenario, the initial payment has simply triggered a new ransom demand, or resulted in only a partial decryption.
  2. Damage to reputation: Paying the ransom can damage an organisation's reputation, as it may be seen as a sign of weakness or lack of preparedness. Customers and partners may lose trust in the organisation's ability to protect their data and may be hesitant to continue doing business with them.
  3. Cost: Paying the ransom can be expensive, especially for small and medium-sized businesses that may not have the financial resources to pay large sums of money. Even if the ransom is paid, the cost of restoring systems and data can be significant.


Broader concerns

  1. Funding criminal activities: Paying the ransom supports criminal activities and may encourage further attacks. It is possible that the ransom paid to the attacker may be used to finance other illegal activities such as organised crime, people smuggling and money laundering.
  2. Legal and ethical concerns: Paying a ransom may violate laws, regulations, or the ethical standards expected of your business.
  3. Supporting the development of more advanced ransomware: If you think of ransomware and hacking as an ‘industry’, then paying a ransom may incentivise attackers to develop more advanced ransomware, since the ‘profit pool’ from their criminal activity grows with every ransom payment.


Some high-profile examples where ransoms were not paid include:

  1. Optus: Optus experienced a major cyber attack in September 2022, where sensitive customer data was accessed by hackers. Optus did not pay the ransom and it is believed that the attack was aimed at extracting data for other fraudulent activities.
  2. Medibank: In October 2022, Medibank confirmed that all of its 9.7 million customers’ data had been stolen by cyber attackers, including dates of birth, phone numbers, email addresses, and health claims. Medibank refused to pay the ransom demands, following which the cyber criminals published the full 5GB dataset online.


Does Australia have any legislation covering ransomware payments?

Despite the Australian government's recommendation against paying ransoms to cyber criminals like those who targeted Optus and Medibank, many companies choose to ignore this advice and pay up. Notably, as of March 2023, there are no laws prohibiting this practice, leaving businesses to weigh the risks and benefits of paying a ransom.


While there is no clear data in Australia covering ransomware payments, a report by cyber security firm Kaspersky reveals that an alarming 80% of businesses worldwide that suffered ransomware attacks ended up complying with the demands. What's even more concerning is that almost 90% of businesses that have already been targeted would pay the ransom again.


How an incident response plan can help

An incident response plan is a pre-planned blueprint for what you will do as a business in the event of a ransomware attack. It is meant to be a comprehensive plan that outlines how to respond to a range of scenarios. The value of this approach is that it provides a structured way of dealing with the situation. And perhaps most importantly, it is prepared before any such event takes place, so that decision making is not influenced by heightened emotions like fear, anger and frustration.


An incident response plan should include a clear process for assessing the situation and deciding on whether to pay the ransom or not. It should also include steps for isolating and containing the infection to prevent further damage, identifying the extent of the attack, and restoring systems and data. To comply with local rules and regulations, it should also include relevant organisations and contact details for the agencies (government and industry) that need to be notified when an event like this occurs.


Key takeaways

If you’d like to discuss your current levels of cyber defence, your options if you get hacked, as well as your reporting responsibilities or want some help putting an incident response plan in place, CyberUnlocked can help. We are experienced, local and provide tailored solutions based on your size, industry and needs.


