Ransomware in reality: people pay
In real life, noble intentions give way to business truths


Everyone knows the mantra: if you're infected with ransomware, don't pay up as it just encourages more attacks.
By paying the attacker, the theory goes, you're proving that their method of extortion works that they will make money (potentially a lot of it) by holding data hostage.
However, at this year's RSA Conference, there's been a shift in tone within the security community. While nobody is outright advising businesses, or individuals, to pay up, they are acknowledging that many companies that fall victim to a ransomware attack do just that. Indeed, a survey by IBM towards the end of 2016 showed around 70% of companies affected by ransomware have paid to get data back, with payouts reaching the $1 billion mark that year.
Why businesses pay
There's one strong business imperative to pay ransomware: it's less expensive to cough up than it is to hold out against the attackers.
"You may say 'look, we have a business principle here, we're not going to pay the bad guys'. But if you're confronted with the business reality of paying the bad guys a few Bitcoins versus being offline or losing millions of dollars worth of data, your business principle might give way to the business reality of having to pay the ransom," said Ed Skoudis, an instructor at the SANS Institute, during a panel titled The Seven Most Dangerous New Attack Techniques.
Marcin Kleczynski, CEO of Malwarebytes, gave the example not of crypto ransomware, but of a DDoS-based ransom attack, where a business is taken offline until a ransom is paid.
Sign up today and you will receive a free copy of our Future Focus 2025 report - the leading guidance on AI, cybersecurity and other IT challenges as per 700+ senior executives
Speaking to IT Pro, he said: "Imagine a botnet being pointed at an airline's ticketing website, which produces tens-of-millions of dollars in revenue per hour. I [as the botnet controller] say 'this will continue unless you pay me $1 million now."
"$1 million is much less than the $10 million it makes per hour, so why not extort that kind of money?"
Indeed, having a backup and recovery system in place is no guarantee that a company won't pay the ransom, even though in theory it should negate the need to do so.
Jeremiah Grossman, chief of security strategy at SentinelOne, told IT Pro: "What we find in [our] research, of those who pay the ransom around 50% actually have backups. So the backups aren't a panacea.
"What happens is, say you have the backups but the bad guys have encrypted 1,000 of your machines. IT says 'yeah, we'll recover, no problem in a week'."
If the ransom is only $50,000, Grossman said, then they "write the cheque", as it's more expedient and quite possibly cheaper.
Ransomware, consumers and the IoT
For businesses that do end up hit by ransomware, there is at least some consolation in the form of cyber insurance an industry that's currently raking in an estimated $3 billion in the US alone as well as access to sophisticated defensive tools and backup and recovery.
For consumers, the situation is a little more bleak.
"[They're] going to get left out for a while," said Grossman. "There's nothing out there for the consumer yet. It's going to be unfortunate while the enterprise can leverage cyber insurance, crisis management teams to negotiate, high-end, really next-gen antivirus, there's no equivalent for the home user. They're really going to be on their own and that's really going to be pretty nasty."
As well as being nasty, it could also be a very expensive experience. While now it may be a consumer's computer or phone held to ransom, with the IoT the potential targets will expand dramatically. What's more, consumers may be left with no option but to give into the cyber criminals' demands.
"If ransomware were to reconfigure or encrypt the control architecture of Internet of Things devices, we have a big problem," said Skoudis.
"What would you pay to turn your lights back on? What would you pay to turn your heat back on? Or your car you want to drive your car to work today? You're going to have to pay ransomware for that."

Jane McCallion is Managing Editor of ITPro and ChannelPro, specializing in data centers, enterprise IT infrastructure, and cybersecurity. Before becoming Managing Editor, she held the role of Deputy Editor and, prior to that, Features Editor, managing a pool of freelance and internal writers, while continuing to specialize in enterprise IT infrastructure, and business strategy.
Prior to joining ITPro, Jane was a freelance business journalist writing as both Jane McCallion and Jane Bordenave for titles such as European CEO, World Finance, and Business Excellence Magazine.
-
Palo Alto Networks snaps up CyberArk in identity security push
News The acquisition marks the latest in a string for Palo Alto Networks
-
Stack Overflow CEO Prashanth Chandrasekar on embracing AI
Q&A The chief executive at the well-known developer resource Stack Overflow talks future strategy and how AI has forced the company to shift its focus
-
The Scattered Spider ransomware group is infiltrating Slack and Microsoft Teams to target vulnerable employees
News The group is using new ransomware variants and new social engineering techniques - including sneaking into corporate teleconferences
-
Hackers breached a 158 year old company by guessing an employee password – experts say it’s a ‘pertinent reminder’ of the devastating impact of cyber crime
News A Panorama documentary exposed hackers' techniques and talked to the teams trying to tackle them
-
The ransomware boom shows no signs of letting up – and these groups are causing the most chaos
News Thousands of ransomware cases have already been posted on the dark web this year
-
Everything we know about the Ingram Micro cyber attack so far
News A cyber attack on Ingram Micro severely disrupted operations and has been claimed by the SafePay ransomware group.
-
A prolific ransomware group says it’s shutting down and giving out free decryption keys to victims – but cyber experts warn it's not exactly a 'gesture of goodwill'
News The Hunters International ransomware group is rebranding and switching tactics
-
Swiss government data published following supply chain attack – here’s what we know about the culprits
News Radix, a non-profit organization in the health promotion sector, supplies a number of federal offices, whose data has apparently been accessed.
-
Ransomware victims are getting better at haggling with hackers
News While nearly half of companies paid a ransom to get their data back last year, victims are taking an increasingly hard line with hackers to strike fair deals.
-
RSAC in focus: Key takeaways for CISOs
The RSAC Conference 2025 spotlighted pivotal advancements in agentic AI, identity security, and collaborative defense strategies, shaping the evolving mandate for CISOs.