For all media inquiries,
please contact:
Ariel Rivera
Communications Specialist
973.530.2453
arivera@csglaw.com

Ransomware: To Pay or Not to Pay, That is the Question...

May 2017

CSG Privacy & Data Security Law Alert

Clients often ask whether they should pay if they receive a ransomware demand. At the risk of sounding like lawyers, it depends...

  • Do you have any other way to recover or access your data?
  • Does the bad actor have access to the data, which the bad actor could then publicly release?
  • Even if you decrypt your data, has the ransomware left behind other malware?
  • Does the decryption key itself contain malware?

Recovering your data

New Jersey Cybersecurity & Communications Integration Cell ("NJCCIC") has reported that approximately one-half of 171 known ransomware variants[1] have publicly available decryption tools. You may be able to decrypt your data without paying ransom. However, depending upon the type of ransomware, even if you can decrypt your data with the key, your data or systems may be infected with implanted worms or viruses. As such, before you restore operations with decrypted data, you should have your data and systems fully assessed. And if you do pay the ransom for the decryption key, you still need to be wary: some decryption keys themselves contain malware. So while you regain access to your data, you may be releasing a new attack into your environment.

Will your data appear on the internet if you do not pay?

Some ransomware "only" allows the bad actor to "lock up" your data. If, however, the bad actor can access your data, if you do not pay, you may find your data released publicly. And it may not only be your data, but that of your customers and/or employees. Thus, even if you can decrypt your data without payment, you may nevertheless make the business decision to pay the ransom so as to prevent disastrous public disclosure.

Best Practices

Ideally, you have planned and prepared by (i) having a tested and proven back up system, (ii) backing up your data regularly, and (iii) having clean servers onto which you can import and run your clean data. In this case, you may still elect to pay to prevent public disclosure, but you can have confidence in the data and systems on which you are running the data.

Other Important Considerations

  • Depending upon the amount demanded, you may decide (sadly) that this is the cost of doing business and that your best option is to pay and move on;
  • If you do decide to pay, bear in mind that you are still dealing with criminals and have no assurance that the "kidnappers" will not demand more money (or bitcoin) to release the key or even that they will provide the key or prevent public release; and
  • If you still decide to pay, check your cyber insurance coverage - it may cover the ransom cost.

Be Prepared!

There is no one "right" answer when confronting a ransomware demand. The best approach is to defend yourself and your data from being compromised in the first instance:

  • Encrypt your data at rest. If a bad actor then accesses your data, it will be useless and the threat of public release will be meaningless;
  • Install patches when you receive them;[2]
  • Train personnel not to click on suspicious links;
  • Implement robust passcode and password protocols and use two factor authentication for accessing your systems;
  • Segregate data in your systems;
  • Monitor your systems to facilitate early detection and isolation;
  • Do not install a USB drive on your LAN. Instead, test any data from a USB drive; on a stand-alone computer;
  • Back up your data regularly to a remote location, and test the data to verify that you will be able to run it if needed; and
  • Maintain clean servers onto which you can reimport data from a disaster recovery site.

For smaller businesses, or for businesses that do not have the budget for these protections, consider a cloud solution. Remember, however, that with a cloud solution, you should make sure that the provider and the cloud solution are reputable and secure, and that the provider has its own tested contingencies.

[1] And of course, there are several yet to be identified variants.
[2] After you confirm from the source that the patch is "legitimate" and not, itself, malware. Do not hit "remind me later" or worse yet, ignore the patch.

These are challenging issues that demand careful consideration. We are here to guide you toward a place where you can have confidence in your ultimate decisions. For more information, please contact your CSG attorney or the authors listed below.


Michelle A. Schaap | Member of the Firm | mschaap@csglaw.com | (973) 530-2026

Frank Peretore | Member of the Firm | fperetore@csglaw.com | (973) 530-2058

Robert L. Hornby | Member of the Firm | rhornby@csglaw.com | (973) 530-2032

Rhonda Carniol | Member of the Firm | rcarniol@csglaw.com | (973) 530-2101