Ransomware – To Pay or Not to Pay

Hanna Mathai

By Simon Willgoss, Head of MSS


If your organization were hit by ransomware, the group behind the attack demanded a ransom, and your business could no longer operate, would you pay?

Many organizations in the UAE have faced this question, and the variety of responses is surprising, given that there are only two options: you either pay, or you do not.

On the surface, the decision appears simple. Most organizations that are hit with ransomware are targeted again; by some reports the figure is as high as 80%. The implication is clear: if you pay once, you signal to attackers that you are both able and willing to pay a ransom, which makes you a more attractive target.

In recent months, several organizations, including two large entities in Australia, have been hit by ransomware or have suffered a serious and damaging data breach. Medibank, an Australian private health insurer, made public its decision not to pay a ransom, despite significant external pressure to do so.

This decision angered many individuals, including cybersecurity professionals. Why? Because the threat actor who demanded the ransom had threatened to publish information about individuals, information that would link named people to specific health conditions. At best, this information could be embarrassing.

At worst, this information could in theory be leveraged to pressure, coerce or force behavior from those affected. On one side, I saw many customers (including friends and ex-colleagues of mine who work in cybersecurity) demanding that Medibank pay the ransom to protect the privacy of their personal data.

On the other side, I saw many valid and thoughtful opinions urging Medibank to resist paying the ransom. Clearly, the decision is not as simple as many believe.

The following questions will help you understand the risk, and can be used to frame the decision with your senior management before an incident occurs:

  • What confidence do I have that paying the ransom will actually ensure protection (or recovery) of the data? A payment buys a promise from a criminal group, not a guarantee, and a decryptor may be slow, faulty or incomplete.
  • Aside from reputational damage, what is the impact if the data is made public or sold? Who is exposed, and how could the information be used against them or against the organization?

Thinking and preparing now, including understanding your critical data and how it could be used against you or your customers, is an important part of your preparation for when a critical incident or breach occurs. The answer to "pay or not pay" should be a rehearsed position agreed with leadership in advance, not a decision improvised under pressure.

If you have not spoken to Help AG about how we can help you prepare and respond, reach out to us; we are here to help.
