Paying a ransom after a cyberattack: Can you and should you?
In the EU, there is still no specific rule prohibiting the payment of a ransom after a cyberattack, but both cybersecurity experts and authorities strongly advise against it.
The United Kingdom plans to prohibit public entities and companies that operate critical infrastructure from paying a ransom after a cyberattack. The measure is aimed at security incidents in which ransomware spreads through the systems of public bodies and, above all, companies.
Using this type of malware, criminals can exfiltrate and encrypt their victims’ data, such as confidential information or personal data of their customers or employees, and demand a ransom in exchange for allowing organizations to regain access to their data and ensuring that it is not sold or made public.
Is paying a ransom only demanded after a ransomware cyberattack? Although this is the case in most instances, it is also possible for a criminal group to demand a ransom payment, for example, to halt an ongoing DDoS attack, especially during critical periods for e-commerce businesses, such as Black Friday or Christmas.
However, paying a ransom never guarantees that the adversaries will fulfill their part of the bargain.
1. Why does the UK want to ban critical organizations from paying a ransom after a cyberattack?
The main objectives pursued by the UK in prohibiting ransom payments after a cyberattack are:
- To combat the business model of criminal groups, especially those that use ransomware. These groups are financed by companies and public sector entities that pay ransoms after cyberattacks.
- To discourage criminal groups that plan to use ransomware to extort public organizations (hospitals, ministries, schools, etc.) and companies that manage critical infrastructure. If criminals know in advance that these organizations cannot pay, they become a less attractive target.
What will happen to other companies? The UK has two further measures on the table that do affect them:
- The obligation to inform the government of any intention to pay a ransom, so that public authorities can advise and assist the organization before any money changes hands.
- A mandatory incident reporting system, so that law enforcement agencies can act on the information and companies receive the best possible support.
Although this package of measures will only affect the UK, it allows us to glimpse the possibility that the European Union will approve similar measures in the coming years. After all, with the approval of the NIS2 Directive, the EU has already made a firm commitment to enhancing the resilience of organizations operating in critical sectors that are integral to the productive fabric of society.
2. The arduous fight against ransomware
To understand the UK’s strategy for combating ransomware, it is essential to consider the complex threat landscape in which we currently find ourselves.
In the UK itself, there have been serious security incidents in which ransomware played a leading role.
For example, the British Library, one of the world’s most important libraries, suffered an incident in 2023 from which it took months to recover. During that time, its digital service was paralyzed. This year, Marks & Spencer, a leading retail company, also suffered a ransomware cyberattack that is expected to cost the company a total of £300 million.
We could continue to list examples, but perhaps the most graphic way to highlight the danger of ransomware is to point out that a patient died following the June 2024 ransomware attack on the provider of pathology services (including blood testing) used by National Health Service (NHS) hospitals and medical centers in London.
The attack hijacked the systems of the provider that manages the laboratories, delaying the patient’s blood test results; that delay was identified as one of the factors that contributed to the patient’s death.
3. Social engineering to gain access and malware to hijack: What companies are facing
To understand the rise of ransomware, three key factors must be taken into account:
- The emergence of the Ransomware-as-a-Service model. Criminal groups with resources and expertise offer a large number of malicious actors all the resources they need to launch ransomware campaigns against specific targets. What do these groups get in return? Generally, a percentage of the ransom paid by companies or public bodies. They also sell malware tools in various subscription packages, enabling them to cater to different types of customers.
- Social engineering techniques are constantly evolving to turn business professionals into the entry point into corporate systems. This trend has been reinforced by the rise of AI and generative models, which make convincing phishing and impersonation cheaper to produce.
- Despite repeated warnings, many organizations still do not use multi-factor authentication (MFA) to hinder illegitimate access to corporate systems and software. Added to this is the fact that criminal groups have worked hard to subvert this security mechanism, whether by phishing one-time codes in real time, bombarding users with push notifications until one is approved, or tricking help desks into resetting it.
A good example of the dangers facing companies is the increase in security incidents in which the initial victims are the companies’ technical support professionals. Criminal groups such as Scattered Spider have impersonated company employees and tricked these professionals into resetting passwords and/or MFA to gain access to corporate accounts.
Once inside, they have been able to take control of the accounts and launch ransomware from there, exfiltrating and encrypting data belonging to the companies and their customers.
Another example is the case of Interlock. CISA, the agency responsible for cybersecurity in the United States, recently alerted companies about this criminal group, which employs popular techniques such as ClickFix (fake error or verification prompts that trick users into pasting and running a malicious command themselves) and resorts to double extortion.
First they exfiltrate company data, then they encrypt the company’s systems and threaten to publish what they stole.
This puts organizations under double pressure to pay a ransom after a cyberattack: on the one hand, they fear that their data will be made public, and on the other, they need to recover it to return to normal and ensure their operations.

4. Why do some companies decide to pay a ransom after a cyberattack?
The use of ransomware to encrypt corporate data and systems has a very clear objective: to obtain money directly. So there is no doubt about the criminals’ motivation. But why do victims choose to pay a ransom after a cyberattack?
Given what we have just explained, it is not difficult to establish the reasons that motivate some companies to pay a ransom after a cyberattack:
- Recover the encrypted data and return to normal as quickly as possible.
- Prevent their information from being made public, especially when criminals have exfiltrated critical data such as customer information, industrial property, or business strategy.
- Reduce the economic impact of the incident by limiting its duration and trying to ensure that it does not undermine business continuity.
- Try to prevent the incident from becoming public and causing serious reputational damage.
- Consider that the cost of paying a ransom after a cyberattack is lower than the expense of responding to the attack and returning to normal, and/or the possible penalties for violating data protection regulations.
5. Why do experts and authorities advise against paying a ransom after a cyberattack?
Special cybercrime units within law enforcement agencies, public bodies responsible for cybersecurity, such as Spain’s INCIBE, and cybersecurity experts all agree: you should not pay a ransom after a cyberattack. Why?
- Paying a ransom after a cyberattack is financing criminals. This provides them with more resources to design and implement more complex techniques, tactics, and procedures, and utilize them in future attacks.
- Companies have no guarantee that criminals will decrypt their data once they have paid the ransom.
- Similarly, there is no guarantee that malicious actors will not retain copies of the information and sell or disclose it to damage the business. Paying a ransom after a cyberattack means trusting the word of criminals.
- Nothing prevents criminals from coming back for a second payment once the first has been made, or from raising the amount demanded to restore access to the data or, in the case of a DDoS attack, to stop it.
- Companies that decide to pay a ransom after a cyberattack can become an attractive target for the same malicious actors or others, as they have demonstrated a willingness to pay after being extorted.
- In some cases, cybersecurity insurance policies cover part of the ransom or the costs associated with negotiation. Still, many insurance companies are limiting or excluding these payments to avoid encouraging the financing of criminal groups.
- In addition, entities such as ENISA recommend having robust business continuity plans as an effective alternative to paying ransoms.
6. Could paying a ransom after a cyberattack be breaking the law?
In addition to the solid reasons above, there is another factor to consider: Is paying a ransom after a cyberattack a legal option?
As noted above, one of the measures the United Kingdom plans to approve in the fight against ransomware is the duty to report the intention to pay a ransom after a cyberattack. Among other things, this will allow the British government to warn companies when a payment would break the law because the money would go to a group sanctioned by the United Kingdom, such as certain APT groups backed by states like Russia.
Similarly, the US Office of Foreign Assets Control (OFAC) has warned companies that paying a ransom to malicious actors who are themselves subject to OFAC sanctions may expose the payer to sanctions penalties, regardless of whether the payer knew who was behind the attack.
What happens in Spain? As we pointed out at the beginning of this article, there is no express legal prohibition on paying a ransom after a cyberattack. However, we must consider that the Penal Code (Article 576) considers it a crime to finance terrorist activities.
Therefore, if the malicious actor attacking a company is a group that carries out cyberterrorism actions, such as attacking critical infrastructure, would paying a ransom after a cyberattack be financing terrorism?
There is no case law on this issue; however, it is essential to consider that not all criminal groups are the same. As authorities and experts argue, paying a ransom after a cyberattack is a decision that can have negative consequences for companies.

7. How should you respond to a security incident in which a ransom is demanded?
If time is money, in a cyberattack every minute counts. Once the idea of paying a ransom after a cyberattack has been ruled out, it is crucial to act as quickly as possible to contain the incident. A proactive incident response service should therefore be called in immediately. Why?
Unlike a purely reactive incident response, a proactive service already knows the organization and can begin acting in under an hour, limiting the incident’s scope. What does a proactive incident response service do?
- Conduct preliminary work before any incident occurs, including incident drills and analysis of the threat actors the company faces. To what end? To develop an incident response plan and ensure that the team can be deployed immediately when an incident occurs.
- Investigate the attack to identify the scope of the compromise, ascertain the information affected, and determine what permissions the hostile actor holds that could allow them to do more damage to the company.
- Design and implement the measures needed to mount an effective response to the attack and contain the incident.
- Expel the malicious actor from the company’s assets.
- Steer the recovery process after an incident to ensure that it is carried out securely and quickly, with minimal impact on the organization’s business.
- Analyze the incident in depth:
  - Establish the timeline of the attack.
  - Identify the vulnerabilities exploited by the criminals.
  - Evaluate security controls to understand why they were not effective.
  - Draw up a list of improvements that can be implemented to prevent future attacks.
- Provide advice on compliance.
8. Reporting incidents to public authorities
One of the most important measures in the NIS2 Directive, which will be transposed into Spanish law through the Cybersecurity Law, is the reporting of security incidents.
Companies operating in critical sectors, such as transportation, healthcare, or banking, must inform the competent authority of any significant security incident within hours: under NIS2, an early warning within 24 hours of becoming aware of the incident and a fuller notification within 72 hours.
Until the Cybersecurity Law is approved, companies must bear in mind that they are already required, under the GDPR, to notify the Spanish Data Protection Agency (AEPD) within 72 hours of personal data breaches that may affect the rights and freedoms of citizens.
Beyond legal obligations, it is important to note that several public bodies can assist a company during a security incident, help it manage the situation, and advise it against paying a ransom after a cyberattack:
- The National Cybersecurity Institute (INCIBE), through its CERT (Computer Emergency Response Team).
- The Civil Guard’s Cybercrime Group.
- The National Police’s Central Technology Investigation Brigade.
Collaboration with law enforcement is crucial for investigating malicious actors and dismantling criminal groups that cause significant economic losses to companies.
9. Conclusions
In short, although paying a ransom after a cyberattack is not explicitly prohibited, it is a bad decision that can trigger unwanted consequences for a company and further worsen the victim’s situation. Furthermore, the fact that the United Kingdom is on track to ban ransom payments after cyberattacks sets a path that the European Union may follow in the near future.
So… how can a security incident be managed when criminals have encrypted a company’s information? It is crucial to have a proactive incident response service that is thoroughly familiar with the company and the threats it faces.
Additionally, law enforcement and cybersecurity authorities can be of great assistance in resolving the incident and identifying the perpetrators.