Paying a ransomware demand is likely to go against conventional wisdom. The practice may also make you throw up in your mouth. However, there are real costs to having your company or city dead in the water for days. Paying a ransom should be viewed as any other business decision. Forrester analysts Josh Zelonis and Trevor Lyness wrote in a research report:
We now recommend that even if you don't end up paying the ransom, you should at least consider it as a viable option. The average ransomware attack lasts 7.3 days.
Why is paying ransom a viable option? Forrester noted:
As ransomware grinds on, daily business operations come to a halt, and you may find your organization scrambling to find new ways to meet core functions, which puts stress on everyone. This problem is complicated even if you have good backups that survived the attack. Many organizations significantly underestimate the scale of disruption they need to plan for or make too many assumptions about what functionality will continue to exist after an attack.
Forrester also noted that decryption at scale is difficult and requires consultants, and that it is possible the attackers will not deliver the decryption keys.
In the end, paying a ransom starts to look like every other business decision. Forrester even noted that ransomware actors may be open to discounts. Organizations need to weigh everything from their ability to recover to consultant costs to recovery plans, as well as cybersecurity insurance and whether it will cover the ransom. There has been ongoing discussion about how insurers factor into ransom payments, and even whether they should take a role in negotiations, since that may keep costs down.
Forrester's best practices include:
Invest in cybersecurity and business interruption insurance.
Benchmark ability to recover from backups at scale.
Plan how you would acquire and pay out cryptocurrency since ransom is paid in Bitcoin.