
If you decide to pay the ransom, read this first.

Updated: Jul 16

If one of your loved ones were held captive for a ransom, there are certain assurances you would want before paying.

  1. How do I know you will return them alive?

  2. How do I know you won't ask for more money?

  3. What procedure do I follow to ensure the correct person gets the money? (i.e., some other criminal doesn't intercept the money)

We should also be very thoughtful when considering whether or not to pay the ransom for recovering our data.

It's a Lot of Work

It is not like on TV where the team pays the money, they get the decryption key, and they press a few buttons and *voila* everything is back online. Quite the contrary. This is not a user-friendly process.

The criminals may provide you with numerous decryption keys (often one per host or per share), and leave it to you to sort out which key decrypts which file or folder. Your incident response team then has to write scripts to automate the use of these keys to decrypt files, and decryption can take many hours. Two practical rules apply throughout: work from copies, keeping the encrypted originals (and any forensic images) untouched until the decrypted output has been verified, and treat any decryptor the attackers hand you as untrusted code that is run only on an isolated machine.
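The key-sorting chore described above, as an added example that is not code from the original article and not a real ransomware decryptor: the cipher is a constructed stand-in (HMAC-SHA256 keystream with an HMAC tag) so the script runs offline, and the `.locked` suffix, the key names and the sample files are all constructed for the demo. What it shows is the workflow a responder actually scripts: every candidate key is tried against every file, the right key is recognised by an integrity check rather than by eyeballing output, decrypted data goes to a separate tree so the originals are never touched, and each file ends up with a recorded outcome for the incident log.

```python
"""Batch decryption harness for a pile of candidate keys (added example).

Toy cipher only: HMAC-SHA256 in counter mode plus an HMAC tag. In a real
incident the attacker-supplied decryptor or the real cipher replaces
toy_decrypt(); the surrounding workflow is what this demonstrates.
"""
import hashlib
import hmac
import os
import tempfile
from pathlib import Path
from typing import Dict, Optional

NONCE_LEN = 16
TAG_LEN = 32


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out, block = bytearray(), 0
    while len(out) < length:
        out += hmac.new(key, nonce + block.to_bytes(8, "big"), hashlib.sha256).digest()
        block += 1
    return bytes(out[:length])


def toy_encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC layout: nonce || ciphertext || tag."""
    nonce = os.urandom(NONCE_LEN)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def toy_decrypt(key: bytes, blob: bytes) -> Optional[bytes]:
    """Plaintext, or None when the tag fails (wrong key or corrupted file)."""
    if len(blob) < NONCE_LEN + TAG_LEN:
        return None
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        return None
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))


def decrypt_tree(src: Path, dst: Path, keys: Dict[str, bytes], suffix: str = ".locked") -> Dict[str, str]:
    """Decrypt every `suffix` file under src into the separate tree dst.

    Each file is tried against every named key; the first key whose integrity
    check passes wins. Returns {original relative path: key name or "FAILED"}.
    Nothing under src is modified or deleted.
    """
    results: Dict[str, str] = {}
    for enc in sorted(p for p in src.rglob(f"*{suffix}") if p.is_file()):
        rel = enc.relative_to(src)
        original_name = enc.name[: -len(suffix)]        # report.docx.locked -> report.docx
        rel_key = (rel.parent / original_name).as_posix()
        blob = enc.read_bytes()
        results[rel_key] = "FAILED"
        for key_name, key in keys.items():
            plaintext = toy_decrypt(key, blob)
            if plaintext is None:
                continue                                 # tag mismatch: not this key
            out = dst / rel.parent / original_name
            out.parent.mkdir(parents=True, exist_ok=True)
            out.write_bytes(plaintext)
            results[rel_key] = key_name
            break
    return results


def demo() -> Dict[str, str]:
    """Constructed scenario: three encrypted files, two keys handed over, one never delivered."""
    tmp = Path(tempfile.mkdtemp())
    src, dst = tmp / "encrypted", tmp / "recovered"
    key_a, key_b, key_lost = os.urandom(32), os.urandom(32), os.urandom(32)
    samples = {
        "db/orders.sql": (key_a, b"INSERT INTO orders VALUES (1, 'widget');\n"),
        "notes.txt": (key_b, b"quarterly planning notes\n"),
        "legacy/archive.bin": (key_lost, b"\x00\x01\x02\x03"),
    }
    for rel, (key, plaintext) in samples.items():
        enc = src / (rel + ".locked")
        enc.parent.mkdir(parents=True, exist_ok=True)
        enc.write_bytes(toy_encrypt(key, plaintext))
    results = decrypt_tree(src, dst, {"key_A": key_a, "key_B": key_b})
    # Checks a responder would script: originals untouched, recovered output verified.
    assert (src / "db/orders.sql.locked").exists()
    assert (dst / "db/orders.sql").read_bytes() == samples["db/orders.sql"][1]
    return results


if __name__ == "__main__":
    for path, outcome in demo().items():
        print(f"{outcome:8} {path}")
```

The "FAILED" entries are the ones to raise with the negotiator or law enforcement, since a file that no supplied key opens is either covered by a key that was never handed over or was corrupted during encryption; either way the encrypted copy is kept.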

It Doesn't Always Work

After everything is decrypted, there is a good chance that, in the case of dynamic files like those in a database, everything is out of sync. Encryption happened while the database was still being used, so data files, transaction logs and caches were captured at different moments and no longer agree with each other. It is quite likely that there are database integrity issues that will need to be addressed, which means running the engine's consistency checks and, in the worst case, rebuilding from the last known-good backup rather than trusting the decrypted files.

An Ethical Dilemma

Paying the ransom funds criminals. It may even be a source of revenue for terrorists or failed states. Does paying the ransom fit in with your organization's code of ethics? How will it be viewed by your executives, your investors, your staff, and your clients? In the heat of the moment, paying the ransom may seem to be the obvious choice, but are we giving up our principles when we do so?

Some Pitfalls

It's possible that paying the ransom is illegal. If the ransomware group, whether it be a criminal, terrorist, or nation state, is on a list of sanctioned organizations (in the United States, the OFAC sanctions list), then it is illegal to pay the ransom, and the liability can apply even when the victim did not know who was on the receiving end [1,2].

It's also quite common for the attackers to come back and attack you again [3], especially when the original way in (a stolen credential, an exposed remote-access service, a web shell left behind) was never found and closed.

Important Steps

Involve Law Enforcement Early On.

In my experience, there are several reasons to involve law enforcement — which most commonly means contacting the FBI:

  1. They will take copies of recovered evidence with the goal of tracking down the criminals and bringing them to justice.

  2. They will provide useful information. They may identify the specific group and answer questions such as

    1. "Will they actually provide the keys when you pay the ransom?"

    2. "How difficult will it be to decrypt the data?"

    3. "Is it illegal to pay the ransom to this group?"

  3. It demonstrates that you are cooperating with the authorities. In some cases the FBI may stipulate that you not make certain information known publicly, and they will back you up when regulators insist that your organization be more transparent.

They will not come into your organization and treat you as a criminal. They will not march into your offices with raid jackets on and confiscate your servers as evidence.

Contact Your Cyber Insurer

Your cyber insurance policy may stipulate that you use a specific incident response firm or else the expenses will not be covered. Also consult with your cyber insurance company before paying the ransom; many policies require the insurer's consent before a payment is made, and some will also dictate who is allowed to negotiate with the attackers.

Engage an experienced Incident Response Team

An experienced incident response firm will

  • Identify how the breach occurred

  • Shut the hackers out

  • Help your organization to recover quickly

Work with your Legal Team

There are a number of legal pitfalls, and working with your legal team will help you to navigate this minefield. Additionally, certain communications and investigation reports may be considered privileged when the work is done at the direction of counsel (for example, when the incident response firm is retained through your lawyers rather than directly); simply copying a lawyer on an email does not guarantee this.

Document Everything

It's important to keep records of what was done, when, why, and by whom: the timeline of the incident, every containment and recovery action, who authorized it, all communications with the attackers, and the chain of custody for any evidence handed to law enforcement or the insurer.

Better Yet - Be Proactive

With ransomware - as with many things in life - it's much more effective to take steps before an incident occurs.

  • Backups: Ensure all critical systems are appropriately backed up

  • Test your backups

  • Offline Backups: Keep the backups (and the systems which restore them) offline or on immutable storage so that the hackers, who will go looking for the backups first, cannot get at them

  • Create Incident response plans and test them regularly

  • Implement good cyber hygiene

    • Implement strong authentication (e.g., two-factor authentication)

    • Train your staff

    • Build a culture of Cybersecurity - don't punish those who come forward

    • Do all the basics (e.g., antivirus, patching, policies and procedures for onboarding and offboarding, etc.)

    • and much more! Check out the Stop Ransomware Guide from CISA [4]
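The "test your backups" item above is where most organizations stop at "the job ran without errors". The following added example (not code from the original article or from CISA's guide) shows what a restore test should actually verify. It assumes a SHA-256 manifest written when the backup is taken and stored alongside the offline copy; the file names, directory layout and the manifest.json name are constructed for the demo. A restore is checked file by file, and the three failure modes a responder cares about are reported separately: files that are missing from the restore, files whose contents changed (for instance, encrypted in place before the backup job ran, so the backup faithfully copied ciphertext), and files that should not be there at all (a dropped ransom note).

```python
"""Restore test: verify a restored backup against a hash manifest (added example)."""
import hashlib
import json
import tempfile
from pathlib import Path
from typing import Dict, List


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> Dict[str, str]:
    """Map each regular file under root (relative POSIX path) to its SHA-256."""
    return {
        p.relative_to(root).as_posix(): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def verify_restore(manifest: Dict[str, str], restored: Path) -> Dict[str, List[str]]:
    """Compare a restored tree to the manifest taken at backup time."""
    report: Dict[str, List[str]] = {"ok": [], "missing": [], "modified": [], "unexpected": []}
    actual = build_manifest(restored)
    for rel, digest in manifest.items():
        if rel not in actual:
            report["missing"].append(rel)
        elif actual[rel] != digest:
            report["modified"].append(rel)      # content differs: corruption or encryption
        else:
            report["ok"].append(rel)
    report["unexpected"] = sorted(set(actual) - set(manifest))
    return report


def restore_is_clean(report: Dict[str, List[str]]) -> bool:
    return not (report["missing"] or report["modified"] or report["unexpected"])


def demo() -> Dict[str, List[str]]:
    """Constructed scenario: a 'production' tree, its manifest, and a tampered restore."""
    tmp = Path(tempfile.mkdtemp())
    prod, restored = tmp / "prod", tmp / "restored"
    files = {
        "app/config.yaml": b"db_host: internal\n",
        "data/customers.csv": b"id,name\n1,Alice\n",
        "data/invoices.csv": b"id,total\n7,99.00\n",
    }
    for rel, content in files.items():
        for root in (prod, restored):
            p = root / rel
            p.parent.mkdir(parents=True, exist_ok=True)
            p.write_bytes(content)
    manifest = build_manifest(prod)
    # In practice this file lives with the offline backup, not on the backed-up host.
    (tmp / "manifest.json").write_text(json.dumps(manifest, indent=2))

    # Simulate what ransomware leaves behind before the next backup job runs.
    (restored / "data/customers.csv").write_bytes(b"\x8f\x1c\xa2 encrypted junk")
    (restored / "data/invoices.csv").unlink()
    (restored / "README_TO_RESTORE.txt").write_bytes(b"your files are encrypted")

    stored = json.loads((tmp / "manifest.json").read_text())
    return verify_restore(stored, restored)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Run the verification as part of every scheduled restore drill, not only after an incident; a backup that carries encrypted files or a ransom note is the one you most need to know about before you depend on it.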

Before paying the ransom, please review my article "Opinion: Don't pay the ransom."

Let's Get Started!

Interested in a free consultation to discuss your Ransomware Prevention and Incident Response Strategy?


Disclaimer: The information provided here (“material”) is intended for informational purposes only and does not constitute legal or professional advice. This material is not warranted to be exhaustive or complete. Additionally, every organization has a unique set of circumstances, business requirements, contractual obligations, and regulatory compliance requirements which we are unaware of. No guarantee is made that use of this material will secure your organization and help you to meet your compliance obligations.


