Three Reasons Why You Should Never Pay Ransomware Attackers

August 18, 2021 | 4 minute read

After falling prey to a ransomware attack, most organizations are faced with the decision of whether they’re going to pay the ransom demand. We’ll save you some time: it’s not worth it, and here are three of the many reasons why it does not pay to pay.

First off, paying the ransom doesn’t mean that your organization will regain access to their encrypted data. Too often that is because the decryption utilities provided by those responsible for the attack sometimes simply don’t work properly.

Corrupted Data

Such was the case with the ProLock ransomware strain back in May 2020. As reported by Bleeping Computer at the time, the FBI found that ProLock’s decryptor might corrupt files larger than 64MB. Investigators went on to warn that victims could experience integrity loss of as much as 1 byte per KB for files over 100MB.

It’s instances like ProLock that help to explain why some ransomware victims suffer data loss and corruption even if they paid the attackers and the attackers provide the decryption key.

In our recently published ransomware report, titled Ransomware: The True Cost to Business, nearly half of respondents (46%) who fulfilled their attackers’ demands regained access to their data following payment only to find that some if not all their data was corrupted. Just 51% said that they successfully recovered all their data after paying, with three percent admitting that they didn’t get any of their data back after payment.

Potential Civil Penalties for Paying

Organizations could incur penalties from the U.S. government for paying ransomware actors who may reside or operate out of countries who are subject to U.S. sanctions. The U.S. Treasury Department’s Office of Foreign Assets Control (OFAC) made this point clear in an advisory published in October 2020.

The advisory explains that OFAC has included malicious cyber actors including ransomware attackers in its cyber-related sanctions program. The initiative empowers OFAC to impose penalties on U.S. persons who provide material assistance and/or other methods of support to any designated individuals.

Those powers apply even if someone didn’t know that they were dealing with a sanctioned individual beforehand. As quoted from the advisory:

OFAC may impose civil penalties for sanctions violations based on strict liability, meaning that a person subject to U.S. jurisdiction may be held civilly liable even if it did not know or have reason to know it was engaging in a transaction with a person that is prohibited under sanctions laws and regulations administered by OFAC.

It’s therefore possible that organizations could face civil penalties from OFAC for paying malicious cyber actors such as a ransomware group.

Ready and Willing to Pay up

Finally, organizations who pay the attackers are sending the message that extortion schemes work on them, a message which malicious actors could use to justify subsequent attacks and extortion attempts.

This fact cuts both ways: first, there’s nothing that says that ransomware attackers must satisfy their end of the agreement after receiving payment. That goes not only for handing over a *functional* ransomware decryptor, but also for deleting a victim’s stolen data was exfiltrated as part of a Double Extortion tactic.

Double Extortion begins when ransomware attackers steal sensitive information before launching the ransomware encryption routine. As usual, the ransomware encrypts the victim’s data and demands payment in exchange for a decryptor. The threat actor puts extra pressure on the victim by threatening to release the exfiltrated data publicly should the victim refuse to pay the ransom demand.

Although data backups are always a good idea for organizations, the Double Extortion tactic makes backups less effective as a primary strategy against ransomware attacks.

Indeed, ZDNet covered a report in which researchers found that some ransomware gangs didn’t always honor their word after receiving a ransomware payment. Threat actors using REvil/Sodinokibi ransomware sometimes approached victims shortly after they had paid the ransom and demanded another payment for the deletion of the exfiltrated information. Other ransomware groups ended up publishing the victims’ data even after receiving a ransom payment.

It’s not always the same malicious actors who strike again, either. We found in our research that 80% of organizations who paid a ransom demand ended up incurring another attack. Close to half (46%) said it was the same attackers that hit them again, while more than a third (34%) informed us that another threat actor might have been responsible for the follow-up infection.

In general, the FBI advises that organizations refrain from paying ransoms because it simply emboldens malicious actors by telling them that extortion works. Those attackers can then justify expanding their operations and continuing to target organizations, making everyone less safe.

Defending Against Ransomware Attacks

The only way forward for organizations is to prevent an infection from occurring in the first place. To do that, they need to invest in an anti-ransomware solution that doesn’t rely on Indicators of Compromise (IOCs), as not every ransomware attack chain is known to the security community. They need a multi-layered platform that uses Indicators of Behavior (IOBs) so that security teams can detect and shut down a ransomware attack chain regardless of whether anyone’s seen it before.

The Cybereason Operation-Centric approach means no data filtering and the ability to detect attacks earlier based on rare or advantageous chains of (otherwise normal) behaviors. Cybereason is undefeated in the battle against ransomware thanks to our multi-layered prevention, detection and response, which includes:

  • Anti-Ransomware and Deception: Cybereason uses a combination of behavioral detections and proprietary deception techniques surface the most complex ransomware threats and end the attack before any critical data can be encrypted.
  • Intelligence Based-Antivirus: Cybereason block known ransomware variants leveraging an ever-growing pool of threat intelligence based on previously detected attacks.
  • NGAV: Cybereason NGAV is powered by machine learning and recognizes malicious components in code to block unknown ransomware variants prior to execution.
  • Fileless Ransomware Protection: Cybereason disrupts attacks utilizing fileless and MBR-based ransomware that traditional antivirus tools miss.
  • Endpoint Controls: Cybereason hardens endpoints against attacks by managing security policies, maintaining device controls, implementing personal firewalls and enforcing whole-disk encryption across a range of device types, both fixed and mobile.
  • Behavioral Document Protection: Cybereason detects and blocks ransomware hidden in the most common business document formats, including those that leverage malicious macros and other stealthy attack vectors.

Cybereason is dedicated to teaming with defenders to end cyber attacks from endpoints to the enterprise to everywhere - including modern ransomware. Learn more about ransomware defense here or schedule a demo today to learn how your organization can benefit from an operation-centric approach to security.

Cybereason Security Team
About the Author

Cybereason Security Team

The Cybereason Security Team champions cyber defenders by providing future-ready attack protection that unifies security from the endpoint, to the enterprise, to everywhere the battle moves. The Cybereason Defense Platform combines the industry’s top-rated detection and response (EDR and XDR), next-gen anti-virus (NGAV), and proactive threat hunting to deliver context-rich analysis of every element of a Malop (malicious operation). The result: defenders can end cyber attacks from endpoints to everywhere.

All Posts by Cybereason Security Team