7 November 2023
Expert Insights

Ransomware: To Pay or Not to Pay?

Publié par Arnaud Le Men

The number of cyber attacks involving ransomware demands is skyrocketing globally, and particularly in France. This raises a crucial question: should one pay or not pay when faced with a ransomware demand?

How Ransomware Operates

Regardless of the nature of the attack, the scenario is always akin to a game of battleship. With one notable difference: here, a financial way out is offered:

To avoid sinking, many companies have paid the ransom. So much so that the issue has become a national concern, and representatives from the Judiciary, the Ministry of the Interior, and the French National Agency for the Security of Information Systems (ANSSI) sounded the alarm to the Senators in April 2021.

Following in the footsteps of the decision made by the U.S. Treasury in October 2020, the message from French authorities is clear: Do not pay the ransom. It is forbidden and illegal to pay.

From a purely economic standpoint, paying the ransom is nevertheless tempting. The amount is significantly lower than the sum of the loss of business and the cost of reconstruction. Not to mention the reputational impact, potential penalties, and so on. Additionally, the necessary investments in operational security, which become apparent post-crisis, add to the cost.

Thus, payment is a tempting option: it’s simple, faster, and “less” expensive than reconstruction.

Why Not Pay?

Why Prohibit? Let’s set aside ethical considerations and look at things from a strategic and global perspective.

There are two major reasons for this prohibition:

  • The more companies pay, the more they will be targeted

Attackers are in a business mindset; they consider their operations as work. This is often how they present their invoice: “Hello, the cost of work to decode your data will be xx €.”

To do their work they spend time and money: identifying their target, searching for vulnerabilities, exploiting flaws, penetrating the system, understanding the organization’s operations, etc.

Their goal behind the ransomware is profitability.

If the ransomware is not effective, the attacker faces a financial loss. At a certain level, the sum of the losses incurred becomes a deterrent and the interest in carrying out this type of operation is null. Conversely, if ransoms are paid, the phenomenon intensifies and accelerates.

  • Paying significantly increases the overall threat level

It is important to understand the economic model of cyber attacks. Let’s take the case of ransomware and summarize it with a diagram:

  • You do not solve the problem. It does not protect against a new attack. The method used to attack is resold to other criminal groups who will take a keen interest in you.
  • You increase the global cyber risk. You contribute to a malicious ecosystem that will use these funds to strengthen its techniques, tools, and attack surface.
  • Speculation on cryptocurrency markets intensifies. The transactions create spikes that increase the volatility and instability of cryptocurrencies.
  • You are funding criminality. These funds circulate within criminal environments and can be used for the development of all types of activities.