Ransomware: To Pay or Not to Pay?

​​By District Attorney Summer Stephan
Ransomware is a massive problem that doesn’t just affect corporations. It’s also a danger to ordinary citizens and government entities. Ransomware locks out the rightful user of a computer or computer network and holds the information hostage until the victim pays a fee. Hackers are also known for threatening to leak sensitive information to get victims to meet their demands.

​You’ve heard these stories in the news recently, such as the Colonial Pipeline hack, which disrupted a major supply of fuel to the East Coast for about a week in May. The corporation admittedly paid more than $4 million in bitcoin to the criminal hacker group, much of which was recovered by the Department of Justice.

When it comes to getting hacked, many people want to know: should you pay the ransom?

There is no simple answer. But there are practical, ethical, and moral considerations argued by proponents of both sides of this debate. While the unique circumstances of each incident need to be considered by the victim, in most cases the answer is no, you should not pay the ransom. This is the position taken by federal and local law enforcement.

Despite this answer, many high-profile victims of ransomware have chosen to pay the ransom, in the hopes of restoring their systems and operations, with ransom sums in the millions of dollars. These decisions were hopefully made by individuals in positions of power that conducted a cost-benefit analysis and found that it made financial or operational sense for their entity.

While some organizations have made this decision, the practical reasons for not paying the ransom are compelling. Here reasons we recommend against paying the ransom:

• Often a system is not really compromised and if law enforcement is contacted, they can help a victim discover that their system isn’t being held for ransom – rather it’s an idle threat.
  
• The bad actors may not unlock the victim’s computer even if the ransom is paid. There are no guarantees that criminal hackers will keep their word, and there are documented instances where this has been the case.
  
• Once a victim has paid the initial ransom demand, the hackers may request more money, either immediately or sometime in the future, creating a cycle of victimization.
  
• If you pay the ransom, it could identify you as a target for future bad actors.
  
• If everyone refuses to pay, there will be no incentive for criminals.

Prevention and preparedness are the best strategies to combat ransomware. Technology is constantly evolving and our own reliance on that technology is intertwined on nearly every level of life. That’s why it’s vital to have good digital hygiene – which is cleaning up and maintaining your electronic information or assets and regularly updating them.

If you fall victim to a ransomware attack, report the incident to your local law enforcement as quickly as possible.

As your District Attorney, I’m committed to increasing communication and accessibility between the DA’s Office and the public. I hope these consumer and public safety tips have been helpful.