Ransomware attacks: Why and when it makes sense to pay the ransom

Whether you pay ransomware actors or not really comes down to some straightforward business calculations. Sometimes the ransom is worth it.
Written by Larry Dignan, Contributor

Yet another city has decided to pay a ransomware gang to get its IT infrastructure back, and you can almost feel the consternation among officials. The decision they are agonizing over may also be sound business.

Simply put, it can make good business sense to pay the ransom.

In a recent research report, Forrester Research argued that paying a ransomware demand should be treated as a viable option and evaluated like any other business decision. Lake City and Riviera Beach in Florida evidently saw paying as viable; so did Jackson County, GA. A report by US cyber-security firm Recorded Future published in May highlighted a spike in ransomware attacks targeting US cities. Previous victims include Lynn, Massachusetts, Cartersville, Georgia, and Baltimore, Maryland, just to name a few.

Paying goes against conventional wisdom, and the idea may make you throw up in your mouth a little. But there are real costs to having your company or city dead in the water for days, and those costs belong in the same ledger as the ransom. Forrester analysts Josh Zelonis and Trevor Lyness wrote in the report:

We now recommend that even if you don't end up paying the ransom, you should at least consider it as a viable option. The average ransomware attack lasts 7.3 days.


Why is paying ransom a viable option? Forrester noted:

As ransomware grinds on, daily business operations come to a halt, and you may find your organization scrambling to find new ways to meet core functions, which puts stress on everyone. This problem is complicated even if you have good backups that survived the attack. Many organizations significantly underestimate the scale of disruption they need to plan for or make too many assumptions about what functionality will continue to exist after an attack.

Forrester also noted that decrypting at scale is difficult and usually requires outside consultants, so even a delivered key does not end the outage on the spot. And payment is no guarantee: the attackers may never deliver the decryption keys at all.

In the end, paying starts to look like every other business decision. Forrester even noted that ransomware actors may be open to discounts. Organizations need to weigh everything from their ability to recover from backups, to consultant costs and recovery plans, to cybersecurity insurance and whether the policy will cover a ransom. Insurers are increasingly part of that discussion too, and may even take a role in negotiations, since a negotiated payment can cost less than a prolonged recovery.

Forrester's best practices include:

  • Invest in cybersecurity and business interruption insurance.
  • Benchmark your ability to recover from backups at scale.
  • Plan how you would acquire and pay out cryptocurrency, since ransoms are typically demanded in Bitcoin.
  • Put a cybersecurity response team on retainer.
  • Hire a ransomware expert.
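The "business calculation" the article keeps returning to can be written down. What follows is an added example, not code from the article or from Forrester's report. It models the factors discussed above (the daily cost of being dead in the water, a benchmarked restore time from backups, consultant costs on both paths, the chance the actor never delivers keys, and whether the insurance policy covers the ransom) as an expected-cost comparison, and derives the key-delivery probability at which paying breaks even. Every figure in it is a constructed assumption for illustration.

```python
"""Expected-cost model for the pay-versus-restore decision.

Added example, not code from the article or from Forrester's report.
Every number here is a constructed assumption for illustration; replace
them with your own benchmarks (restore time at scale, daily outage cost,
retainer quotes, policy terms, what you know about the actor's track record).
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Scenario:
    daily_outage_cost: float        # business lost per day the estate is down
    restore_days: float             # benchmarked time to rebuild from backups at scale
    restore_consultant_cost: float  # IR / rebuild help on the restore path
    ransom: float                   # demanded (or negotiated) payment
    decrypt_days: float             # time to run a delivered decryptor across the estate
    decrypt_consultant_cost: float  # help needed to decrypt at scale
    p_key_delivered: float          # chance the actor hands over working keys after payment
    insurance_cap: float            # policy limit for incident costs (0.0 = no cover)
    insurance_covers_ransom: bool   # whether the policy reimburses the ransom itself


def gross_cost_restore(s: Scenario) -> float:
    """Rebuild from backups and never deal with the actor."""
    return s.restore_days * s.daily_outage_cost + s.restore_consultant_cost


def gross_cost_decrypt(s: Scenario) -> float:
    """Cost of decrypting at scale once keys are in hand (ransom excluded)."""
    return s.decrypt_days * s.daily_outage_cost + s.decrypt_consultant_cost


def gross_cost_pay(s: Scenario) -> float:
    """Expected cost of paying: keys arrive with probability p, otherwise the
    ransom is sunk and you fall back to restoring anyway."""
    p = s.p_key_delivered
    success = s.ransom + gross_cost_decrypt(s)
    failure = s.ransom + gross_cost_restore(s)
    return p * success + (1 - p) * failure


def _net_of_insurance(s: Scenario, cost: float, ransom_paid: float) -> float:
    """Out-of-pocket cost after the policy pays out, up to its cap."""
    reimbursable = cost if s.insurance_covers_ransom else cost - ransom_paid
    return cost - min(max(reimbursable, 0.0), s.insurance_cap)


def net_cost_restore(s: Scenario) -> float:
    return _net_of_insurance(s, gross_cost_restore(s), ransom_paid=0.0)


def net_cost_pay(s: Scenario) -> float:
    """Insurance is applied per outcome, because the cap binds differently in each."""
    p = s.p_key_delivered
    success = _net_of_insurance(s, s.ransom + gross_cost_decrypt(s), s.ransom)
    failure = _net_of_insurance(s, s.ransom + gross_cost_restore(s), s.ransom)
    return p * success + (1 - p) * failure


def break_even_key_probability(s: Scenario) -> Optional[float]:
    """Smallest p_key_delivered at which paying beats restoring, before insurance.

    Setting ransom + p*D + (1-p)*R = R (D = decrypt cost, R = restore cost)
    and solving for p gives p = ransom / (R - D).  Returns None when no
    probability in [0, 1] makes paying worthwhile: decrypting is not cheaper
    than restoring, or the ransom alone eats the whole saving.
    """
    r, d = gross_cost_restore(s), gross_cost_decrypt(s)
    if r <= d:
        return None
    p = s.ransom / (r - d)
    return p if p <= 1.0 else None


def decide(s: Scenario) -> str:
    """'pay' or 'restore', whichever has the lower expected out-of-pocket cost."""
    return "pay" if net_cost_pay(s) < net_cost_restore(s) else "restore"


if __name__ == "__main__":
    # Constructed scenario for a mid-sized city; the figures are illustrative only.
    city = Scenario(
        daily_outage_cost=100_000, restore_days=14, restore_consultant_cost=200_000,
        ransom=400_000, decrypt_days=4, decrypt_consultant_cost=100_000,
        p_key_delivered=0.8, insurance_cap=1_000_000, insurance_covers_ransom=True,
    )
    print(f"restore: gross {gross_cost_restore(city):,.0f}  net {net_cost_restore(city):,.0f}")
    print(f"pay:     gross {gross_cost_pay(city):,.0f}  net {net_cost_pay(city):,.0f}")
    print(f"break-even key-delivery probability: {break_even_key_probability(city):.2f}")
    print("decision:", decide(city))
```

Two things the model makes visible that a gut call does not: paying never eliminates downtime, because a delivered decryptor still has to be run across the whole estate, and when the actor's keys are not a sure thing the ransom is a sunk cost stacked on top of the restore you end up doing anyway. The break-even probability is the number worth arguing about with your incident responders, who will have a view on the specific actor's track record.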
