Ransomware, Managed Security Services

Ransomware: To Pay or Not to Pay — What the Experts Say

Your first reaction is you hope this is someone’s idea of a sick joke, but it doesn’t take your security team long to confirm the dreaded truth. Your organization, end-customer or channel partner has been hit with a ransomware attack.

The day you wished would never come is now a stark reality and the potential cost to your business or customer is staggering, reputation notwithstanding.

If you’re an MSSP, MSP or any type of cybersecurity company, you most likely have an incident response plan in place for you and for your customers.

But is that plan a good one? Is it a sound strategy and a viable plan of action to respond to the incident. Has it prepared you to make the correct decision about whether or not to pay the ransom?

Obviously, it’s not a black-and-white question. The answer is dependent on a variety of factors both internal and external.

Should You Pay the Ransom?

MSSP Alert was pondering the very same questions that our readers surely have about paying ransom. So we asked our security expert community about the right approach to take in the case of a ransomware attack.

MSSP Alert examined two scenarios: What to do if your end customer is hit with a ransomware attack; and what actions to take if it’s your MSSP or MSP that faces a demand for ransom.

Ransomware Attacks Spike in 2023

First, here's some background about the scope of the problem. No surprise, but ransomware attacks surged during 2023. In fact, a Corvus Insurance Q3 2023 report found a 95% increase year-over-year on ransomware leak sites, with many attacks increasing against law firms and municipalities. The number of ransomware victims in 2023 surpassed what was observed for 2021 and 2022, Corvus found.

Sophos’ State of Ransomware 2023 report revealed that in three out of four cyberattacks cybercriminals succeeded in encrypting victims’ data. On average, those cyber victims paying ransoms for decryption forked out $750,000 in recovery costs versus $375,000 for organizations that used backups to recover their data, according to Sophos, an MSSP Alert Top 40 MDR company. Moreover, those companies that resorted to paying the ransom usually experienced longer recovery times. Of companies that were able to use backups instead of paying the ransom, 45% were able to recover within a week. That compares to 39% of those that paid the ransom.

Chester Wisniewski, Sophos’ field chief technology officer, believes that rates of ransomware encryption, returning to very high levels after a temporary dip during the pandemic, is “concerning."

“Incident costs rise significantly when ransoms are paid,” Wisniewski told MSSP Alert. “Most victims will not be able to recover all their files by simply buying the encryption keys. They must rebuild and recover from backups as well. Paying ransoms not only enriches criminals, but it also slows incident response and adds cost to an already devastatingly expensive situation.”

When Your End Customer is a Ransomware Victim

Wisniewski said an MSSP or MSP should advise their impacted customer to immediately pull out its incident response plan and “execute it with the least emotion possible.” If there is no plan, he advises contacting their cyber insurance company, legal counsel, PR team and law enforcement as soon as possible.

“It is critical that legal be involved, as many laws and regulations now require reporting or at a minimum assessing the risk of the incident and possibly reporting the incident to different government authorities,” he said. “Outside incident response is often recommended, as they will have a solid understanding of how to block off the attackers and regain control of the network with the utmost speed."

Quentin Simmons, senior lead analyst of Digital Forensic and Incident Response for eSentire, a company specializing in managed detection and response (MDR) services, advises victims against paying ransom in most instances.

“We usually advise against paying a ransom if our Digital Forensics and Incident Response (DFIR) team has been able to verify the integrity of their backups (if they have any),” Simmons said. “Another variable that’s critical to paying or not is if there has been any data exfiltration and if that data contains PII (personally identifiable information) or any sensitive data.”

The loss of old, legacy or non-sensitive data is not something that should necessarily throw a victim into panic and cause them to immediately cough up the cash to get the information back.

Mari DeGrazia, director of Incident Response at ZeroFox, a provider of products and services to MSSPs, explained that paying a ransom demand depends on how many systems were encrypted. The viability of backups and if the cybercriminal is threatening to release sensitive data are also key considerations.

“We recommend that companies assess the ethical and regulatory implications,” DeGrazia said. “We advocate against payment whenever possible.”

She cautioned that a ransom payment could violate OFAC (U.S. Office of Foreign Assets Control) regulations.

“Payment can encourage criminal behavior to continue,” DeGrazio said. “Even if the ransomware is paid, there is no guarantee that the decryption keys will work or that the threat actors will keep promises to not release sensitive data or extort the victim.”

DeGrazia cautioned that even if a ransomware payment is made, it can take weeks or even months to fully decrypt an environment and get systems back up and running. Therefore, making a ransomware payment does not necessarily mean that a company would be back up and running in a matter of days. 

“Each company's situation is unique, and regardless if a company decides to pay the ransomware or not, we recommend a company hire a third party that specializes in ransomware negotiations to guide them through the process,” she said.

Wayne Selk, vice president of Cybersecurity Programs at CompTIA, a cyber education provider, emphasized that both the cyber insurance carrier and law enforcement can best advise on whether ransom should be paid. For that matter, all organizations should understand what they can and cannot do during a response, per a cyber insurance policy.

“If you find yourself on the wrong end of a bad day, reach out to your insurance company first — yes, before your MSP or MSSP,” Selk asserts. “They will be the one to guide the investigation in most cases. Circumstances will dictate whether or not you can pay a ransom. For example, if you pay a known terror organization, you might be subject to jail time and or fines.”

Huntress Labs’ Ethan Tancredi offers the following judgment call: “I will say I am against paying a ransom because it keeps allowing cybercriminals to do their attacks and funds all sorts of bad things. However, if I am an MSSP advising a small business who is going to close their doors from a ransomware attack and put 100 people out of jobs, and the ransom would allow recovery of the business, I would have a different response.

“Even though the FBI recommends against paying ransoms, they also admit that sometimes there's no other option... because organizations are just so tragically unprepared that the only option, they see is to pay the ransom and hope to decrypt files.”

Ransomware Response Checklist for End Customers  

  • Execute incident response plan (if no plan, why not?).
  • Contact your cyber insurance carrier; review the policy.
  • Seek legal counsel to determine viability of paying ransom.
  • Determine if the ransom violates U.S. Office of Foreign Assets Control regulations.
  • Contact law enforcement.
  • Inform media relations re: crisis management/damage control.
  • Determine if any data exfiltration and what sensitive data it may contain. Some data may be old and not worth the trouble.
  • Assess which systems were encrypted.
  • Hire a third party that specializes in ransomware negotiations.

What to do if Your MSSP or MSP is Hit with a Ransomware Demand

CompTIA’s Selk believes that an MSSP or MSP wait before informing their end customers, especially if the client is not impacted by the same incident.

“Talking to your clients about an attack prematurely may hamper your efforts to recover quickly, since you will have to deal with a flood of questions and other challenges that you may not be ready to handle at the same time,” he said. “Consult with your attorney on the language to use when they give you the okay — if they give you the okay.”

Selk noted that some MSSPs/MSPS may have no choice under the Security and Exchange Commission (SEC) or the Federal Trade Commission’s new rules, which have time restrictions on reporting.

But if the end-customers' infrastructure is compromised in the attack, the rules about informing those customers may change. eSentire’s Simmons believes it important to notify downstream customers of the incident and inform them if it has any impact on their infrastructure.

“We would notify them to ensure that EDR (endpoint detection and response) is deployed to any systems within their infrastructure, and even possibly perform organization-wide password resets as well as reset any VPN sessions or MFA sessions,” he said.

DeGrazia believes there can be a fine balance between keeping the appropriate parties informed of the current situation and disclosing information before all the facts have been determined.

“For an MSSP,” she said, “it can be advantageous to hire a third party forensics expert to conduct an investigation so their customers and clients feel that the situation has been properly contained and remediated. MSSPs often do not maintain a strong bench of seasoned incident responders.”

DeGrazia urges never leaving to chance how your organization will respond to a ransomware attack. Tabletop exercises and ransomware readiness assessments are great ways to identify gaps and processes that should be improved to reduce the likelihood and impact of a ransomware attack. 

Ransomware Response Checklist: MSSP or MSP

  • Execute incident response plan (if no plan, why not?).
  • Contact your cyber insurance carrier; review the policy.
  • Seek legal counsel to determine viability of paying ransom. regulations
  • Determine if the ransom violates OU.S. Office of Foreign Assets Control regulations
  • Contact law enforcement.
  • Inform media relations re: crisis management/damage control.
  • Determine if any data exfiltration and what sensitive data it may contain. Some data may be old and not worth the trouble.
  • Assess which systems were encrypted.
  • Hire a third party that specializes in ransomware negotiations.

Resources and Further Reading

SC Media Infographic: Should I pay a ransom? A 5-step decision-making process

SEC Cybersecurity Breach Rule: What it Means for MSSPs

FTC Amends Safeguards Rule to Require Non-Banking Financial Institutions to Report Data Security Breaches

Download the KnowBe4 Ransomware Hostage Rescue Manual


Jim Masters

Jim Masters is Managing Editor of MSSP Alert, and holds a B.A. degree in Journalism from Northern Illinois University. His career has spanned governmental and investigative reporting for daily newspapers in the Northwest Indiana Region and 16 years in a global internal communications role for a Fortune 500 professional services company. Additionally, he is co-owner of the Lake County Corn Dogs minor league baseball franchise, located in Crown Point, Indiana. In his spare time, he enjoys writing and recording his own music, oil painting, biking, volleyball, golf and cheering on the Corn Dogs.