Ransomware Economics 201

In my previous post I outlined why the most cost-effective way to recover from a ransomware attack is to pay the ransom. I got a lot of pushback for this view. After all, many experts, including the FBI, recommend against paying ransoms.

To answer these objections, we will first have to introduce the economic concept of externalities.

A negative externality is an economic activity that imposes a negative effect on an unrelated third party. It can arise either during the production or the consumption of a good or service. Pollution is termed an externality because it imposes costs on people who are “external” to the producer and consumer of the polluting product.

Source: Wikipedia

Paying a ransom is economically efficient for the victim organization, but it creates a negative externality: paying ransoms encourages more malicious attackers to use the technique against other organizations. Externalities are often countered by regulations. For example, governments regulate the amount of pollution that can be produced by companies or individuals under their jurisdiction. They may even enact some sort of pollution tax.

Similarly, some ransomware payments are being regulated by governments. The U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC) sanctions companies from doing business with Iran, a country that is the source of many ransomware incidents. New York State is considering two bills that would prohibit state agencies from paying ransoms. If organizations are unable or unwilling to pay ransoms, ransomware attacks will in fact become less attractive to criminal entities.

A second argument for not paying ransoms is that the attackers are by definition criminals, and may not actually provide the data back after they have been paid. This is a valid argument for ransomware criminals that are not part of “professional” organizations. However, for ransomware attackers that plan to be in the business for the long term, the worst possible thing would be to not provide the decryption keys. If they took the money and left the victim’s data encrypted, it would crash ransom fees and destroy their business.

In summary, at this time, paying ransoms is in fact the most cost-effective way to recover from a ransomware attack. This increases negative externalities (that is, the cost of ransoms is high and the number of attacks is on the rise). We will need to see how things like government regulations and practices by ransomware criminals change this situation in the future.
