Keeping the Lights On: Is it Ethical to Pay after a Ransomware Attack?

When an organisation is held hostage by ransomware, should it pay the fee to keep on operating or is this just emboldening cybercrime?

Globally, ransomware attacks are on the rise, affecting businesses and organisations around the world. The main causes of these attacks are compromised credentials and malicious email, and many victims choose to pay the ransom to recover their data and systems, but this comes at a high price and with ethical dilemmas. Should these companies give in to the hackers’ demands and lose money to stop losing more money – or should they stand up for their principles?

Many companies have contingency plans in place so that they can continue operating in the event of a ransomware attack. These attacks can affect the whole organisation, from the IT team who has to deal with the damaged systems to the customers who may lose trust in the service. The financial losses can be significant. The recovery process can take a long time, even if plans are in place to restore systems after an attack. This makes some companies consider paying the ransom as a quick and easy way out of the crisis.

This may seem like a rational choice. Ransomware attacks are becoming more frequent and expensive, with the average payment reaching $1.5 million and in some cases as high as $5 million. According to a report by Corvus, a cyber-risk insurer, the number of attacks rose again in 2022 and the average cost per attack increased by 63% compared to 2021. But the ransom is not the only cost. There are also the losses of downtime, reputation, productivity and profit. Paying the ransom may seem like a way to end the ordeal, but is it a moral choice?

The ethical dilemma is complex. For some sectors like healthcare or aviation, where downtime can have serious consequences for human safety, the decision to pay is driven by the importance of human lives. But for other businesses, paying the ransom means rewarding the criminals for their bad behaviour. It is a hard choice. If your business is completely down and someone offers you a way out for a price, you may be tempted to take it, even if they are the ones who put you in this mess.

However, paying the ransom does not always guarantee that the problem will be resolved. Many attacks persist even after the ransom is paid. Organisations are not dealing with ethical people – they are dealing with criminals who may not keep their word. There is no assurance that the issue will be fixed.

The situation is complicated further by the fact that the same companies are targeted repeatedly because they are willing to pay. Ransomware gangs are infiltrating companies, finding out their insurance policies, and then asking for the full amount of coverage. This has led to a crackdown from insurance companies who now require that companies have certain security measures in place, and this is driving a lot of cybersecurity spending.

Neither outcome resolves the ethical dilemma. On one hand, paying the ransom does not ensure that the attackers will release the company and its data, or that they will not exploit the data they stole for other gains. On the other hand, paying the ransom means supporting criminal groups, empowering them to become more sophisticated and more likely to attack again. But when a company is facing ruin, human lives are in danger, or the cost of non-payment is too high to bear, then it’s understandable why companies choose to pay to end the ransomware nightmare.

By Martin Potgieter, CIO at Nclose
