Please fill in the form below to subscribe to our blog

What Happens if You Pay the Ransom?

May 21, 2021

Should You Pay the Ransom? Find Out Why That’s a Bad Idea

Ransomware has been a plague on every business. An estimated 61% of organizations worldwide experienced a damaging ransomware incident in 2020, a 20% increase over the same period in 2019. A successful ransomware attack is inevitably an expensive, disruptive disaster. Ransomware cyber insurance claims grew by 260% in 2020. This flood of ransomware has led to a flood of questions from businesses wondering what to do to stay safe and what to do if they get hit – including whether or not they should pay the ransom. 

global year in breach depicted as a printed report.

Give your clients the cold, hard facts that tell the tale of exactly how much danger their business is in. GET THIS FREE BOOK>>

Ransomware is Expensive Any Way You Cut It

This huge surge in cybercrime has helped produce a thriving dark web economy for stolen data. And where there’s demand, there will be cybercriminals ready to supply eager buyers. The most common way for them to do that is through ransomware. An organization that falls prey to ransomware doesn’t just lose its data. Those unfortunate organizations also lose an average of six working days to system downtime, with 37% saying downtime lasted one week or more after that incident. Not to mention, the exorbitant costs of investigation, remediation and recovery. It’s no wonder that 60% of companies that are hit by a cyberattack go out of business.  

One solution that cybercriminals eagerly present to businesses that they’ve attacked is to pay the ransom. An estimated 52% of organizations choose to negotiate with the extortionists or simply pay the ransom that is demanded. Paying off a ransomware demand isn’t cheap. The average ransomware payment in the third quarter of 2020 was $233,817, up 31% from the second quarter of last year. In some ransomware variants, like the current weapon of choice double extortion ransomware, victims can be on the hook for two payments – or even three if they’re ensnared by the new triple extortion variety.   

dark web economy represented by the words dark web in white on a black background blurred like a faint tv transmission

Explore the dark web with experts & get a deck of screenshots in Unveiling Cybercrime Markets on the Dark Web. WATCH NOW>>

If You Pay The Ransom, Who Benefits? Follow the Money

If a company doesn’t pay the ransom, the cybercriminals will still profit from selling the victim’s data. If a company does pay the ransom, their money gets disseminated all over the dark web. Ransoms don’t just go to one person or organization – even an ancillary participant in a ransomware attack will profit. Ransomware practitioners have a high chance of walking away with substantial cash, and everyone gets paid. Major gangs often run their scams through affiliates, so the actual attacker is very likely an independent contractor of sorts. They’ll be responsible for running everything about the operation from planning to execution. The affiliate may be a smaller gang or just a group of freelancers getting together for one job. The boss gang may supply the tech, or the affiliate may be bringing their own. Frequently, the attackers will hire freelancers through dark web forums and gather resources from dark web data markets and dumps.  

If the operation is a success, the attackers will then notify the victims that they’ve got their data. Many gangs maintain their own dark websites where they announce their wins by supplying a sample of the stolen data and the ransom demand. Some cybercrime gangs are regularly in contact with industry journalists. The larger gangs maintain their own publicity operations, contacting industry publications directly with evidence and press releases. The REvil organization, a  major Russia-based gang, has its own website to announce successful hits and a communications staff that handles press releases, announcements and interviews with journalists just like any other business. 

get cyber resilient to avoid healthcare ransomware attacks

Don’t let cyberattacks wreck your 2022! Start your journey on The Road to Cyber Resilience now! DOWNLOAD IT>>

Then it’s payday. Typically, the cybercriminals won’t get the full ransom that they initially demand. Negotiations are an accepted part of the process. Once they’ve secured their payment, usually in cryptocurrency, it’s time for them to do some accounting. First and foremost, they’re obligated to send a cut up the chain to the boss gang, generally 10 – 20% of the take. After paying off freelancers and expenses, the cybercriminals are walking away with a pretty substantial payday and a cushion to finance their next cybercrime operation. Generally, cybercriminals prefer to transact their business in cryptocurrency. The daily variance of that currency the reason why ransom amounts in news stories may seem odd.  

For the attackers affiliated with the DarkSide ransomware gang that just conducted a successful attack against Colonial Pipeline, that payday was an estimated $5 million. But they were victims of their own success. Pulling off that operation drew intense scrutiny from law enforcement and terrorism officials, ultimately driving the gang to announce that they were shutting down. This is not uncommon. Ransomware gangs frequently break up when the heat is on. The gang will pay out it’s funds to its stakeholders who freelance until the coast is clear. Before the gang went dark last week, DarkSide had received $90 million in bitcoin ransom payments, according to blockchain analysts at Elliptic. Of the total haul, experts estimate that $15.5 million went to DarkSide’s developer while $74.7 million went to its affiliates. They further estimated that the average ransomware payment in a DarkSide operation was about $1.9 million.  

malicious insider threats can include cryptocurrency risk represented by a crime comic style blue eye looking through a peephole.

Use our Cybersecurity Risk Protection Checklist to find vulnerabilities before the bad guys do! GET IT>>

Everything Has a Cost

How well does paying off the gang work out? Not very well at all. Just like any other extortion racket, the results of paying the ransom are wildly variable, but none of them are good. An estimated 66% of organizations that pay the ransom are able to recover their data at least in part. Another 34% of companies that pay the ransom never see their data again. Paying the ransom to cybercriminals carries no guarantees that your data won’t be copied, or they won’t leave a backdoor into your systems that allows them to return at their leisure. Payment is also unlikely to be covered by cyberinsurance. While in the past insurers may have covered it, insurance giants like AXA are saying no these days.  

It’s also illegal. In October 2020, The U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC) announced that paying ransom to cybercriminals is unlawful. In an official advisory, the agency stated that organizations that facilitate ransomware payments to hackers on behalf of ransomware victims, including financial institutions, cyber insurance firms and companies involved in digital forensics and incident response, are violating OFAC regulations. Also included in the advisory, OFAC said that they may impose civil penalties for sanctions violations if a person or organization is paying a ransom to a gang located in a country that the US government has sanctioned.

Learn the strats to beat today’s nastiest cybersecurity mobs in the Security Awareness Champion’s Guide. GET IT>>

Mount a Strong Defense Against Ransomware 

Even before OFAC’s ruling, experts across the cybersecurity spectrum agreed: never pay cybercriminals the ransom. Instead, use a smart, strong defensive strategy to avoid being a victim of ransomware. These solutions can help. 

Passly packs essential protection that protects your systems and data from intrusion by cybercriminals with a stolen or phished password including single sign-on (SSO), multifactor authentication (MFA), automated password resets and simple remote management at an affordable price. 

BullPhish ID delivers a smooth, painless training experience for trainers and trainees alike. Trainers can run premade simulations or customize their content to reflect their unique industry threats, including video lessons. Then deliver it all through a personalized portal that makes it easy for everyone.  

Contact the solutions experts at ID Agent today to learn more about how the ID Agent digital risk protection platform can enable you to secure your business and your customers against ransomware threats.  

let us help secure you against passwords reuse with contact information and the ID Agent logo on grey.

Our Partners typically realize ROI in 30 days or less. Contact us today to learn why 3,850 MSPs in 30+ countries choose to Partner with ID Agent!


Check out an on-demand video demo of BullPhish ID or Dark Web ID WATCH NOW>>

See Graphus in action in an on-demand video demo WATCH NOW>>

Book your demo of Dark Web ID, BullPhish ID, RocketCyber or Graphus now!