The end of ransomware payments: How businesses fit into the fight


A global crackdown on ransomware payments is underway after a coalition of forty nations signed an agreement designed to stop digital extortionists. Part of the International Counter Ransomware Initiative, the no ransoms pledge aims to address ransomware attacks globally, with plans to leverage artificial intelligence (AI) and enhance information-sharing capabilities among nations. 

The Initiative will see countries designing platforms to share information on digital payment accounts and wallets associated with ransomware. The idea is to make it easier to trace the accounts used by criminals and prevent the transfer of funds.

Global organizations including the UK’s National Cyber Security Centre (NCSC) and US Federal Bureau of Investigation (FBI) already advise against paying ransoms, but many firms still pay up.

As the new crackdown on ransomware ramps up across the globe, what are the rules now – and what can firms do to avoid paying the ransom?

Crackdown on public sector ransomware payments

The Initiative does not directly impact private firms, as it focuses on government organizations and agencies. However, the overall aim is to increase collaboration between the public and private sectors and discourage payments by all organizations, says Javvad Malik, lead security awareness advocate at KnowBe4.

In doing so, the initiative hopes to make things difficult for ransomware-as-a-service operators and their business model. The agreement sets the stage for governments to collaborate more closely with each other to attack the problem from multiple angles, says Daniel Clayton, VP of security operations at Expel. This includes measures such as analyzing the blockchain to identify funding for ransomware and track and capture extortionists. 

The initiative also aims to boost information sharing between member governments, he says, a step towards the kind of information-sharing framework for which experts in the space have long called. Recent developments such as the information sharing agreement between the European Union Agency for Cybersecurity (ENISA) and US Cybersecurity and Infrastructure Security Agency (CISA) may complement this.

Of course, no firm wants to pay the ransom but the reality is often complex. It is not illegal unless the payment is made to a sanctioned entity, says Picus researcher Huseyin Can Yuceel. “Many businesses weigh the financial losses and legal repercussions of the attack and choose to pay the ransom as an unforeseen cost.”


But there are also multiple risks associated with paying ransoms. There is no way of knowing for certain if the attackers will honor the agreement and provide the decryption key, says Matt Roach, head of the International Information Integrity Institute (i-4) cyber security leaders community at KPMG UK. “Nor is there a guarantee that they won’t attack the company again. There are numerous instances of repeat victimization by different groups of cyber-criminals once word gets around that a particular company is a ‘cyber-soft touch’.”

At the same time, there are important ethical considerations to bear in mind, says Roach. “There is a risk that the money paid to cyber-criminals will be used for organized crime, human trafficking, terrorism, or other illegal activities.”

Recent Trend Micro research found that ransomware payments could fund up to ten new attacks, with researchers warning that ransomware groups can escalate attacks using payments from just a few victims.

Roach adds that law enforcement is closing in on cyber crime and that this should also be something businesses take into consideration. “Several governments are now imposing sanctions on cyber criminals. Hence, you might be breaking the law if you intend to acquiesce to their demands for payment.”  

In February 2023 the UK government issued sanctions against members of Ryuk and Conti, ransomware groups known for attacks on victims including Sopra Steria and the government of Costa Rica respectively. The US Department of Justice (DoJ) has also charged three members of LockBit, the group behind the most dangerous ransomware strain and known for attacks such as the February 2023 Royal Mail cyber attack, which cost the firm £10 million ($12.58 million) in remediation costs.

While you shouldn’t pay unless you have to, for private companies it is still a business decision. There is a need to weigh up the pros and cons of cost, reputational damage linked to a data breach, and downtime with the risks associated with paying the ransom and the potential mitigation of cyber insurance, says Clayton. “It is a reality that if a company has not been sufficiently diligent with response planning, they may have no choice but to make the payment.”

Richard Breavington, partner at international law firm RPC, describes how his firm has dealt with cases where organizations have had to pay a ransom due to encryption of their main servers. “This meant that they were unable to carry out business and as a result, were suffering ongoing and unsustainable losses to revenue and commercial reputation that could only be remedied through getting their data back.”

Another firm needed to delay the publication of sensitive commercial information. “In one case, the publication of data relating to a sensitive corporate agreement could have jeopardized the deal at the time. Once the deal was complete, the sensitivity decreased considerably, but the ransom payment to delay imminent data release was considered necessary by the client.”

Negotiating with attackers over ransomware payments

Whether a firm pays in the end or not, it is often necessary to negotiate with attackers. If they need to do so, organizations shouldn’t go it alone. First and foremost, consult with your legal team before and during any negotiation, says Clayton. He recommends using a well-regarded third-party ransomware negotiation service to interact with attackers, especially if you plan to pay. 

Of course, the ideal outcome is to avoid paying the ransom at all – something backed up by all the advice from experts and governments. 

Organizations are better off investing money that would be paid to a ransomware adversary in improving their security, says Allan Liska, threat intelligence analyst at Recorded Future. “Invest in better backup capabilities, as well as more effective data management. Because of the way ransomware attacks have evolved, where data exfiltration is integral to an attack, it can be just as important to know where your data is, both locally and in cloud environments, and how it is being secured at all times good backups and other effective security steps.”

Businesses should remember the basics to help mitigate ransomware risks, says Adam Harrison, managing director in the cybersecurity practice at FTI Consulting. “Identify what and where critical data is and make sure it is properly protected; ensure backups are complete, offline, and tested; and employ multi-factor authentication (MFA) wherever possible.”

In addition, Malik advises patching vulnerable software and providing security awareness training to employees. No business can escape this threat altogether, with small business ransomware attacks on the rise as attackers exploit the lower security budgets and outdated software of smaller businesses for financial gain.

The global ransomware crackdown is likely to expand as the data-locking malware continues to be a part of many modern cyber-attacks. The new agreement is about discouraging payments, rather than banning them, to try to disrupt the ransomware business model for good. For now, experts agree that collaboration between companies and the public sector is key – and paying the ransom should only be a last resort.

As ransomware evolves, it is vital that organizations anticipate how stolen data could be used for secondary crime and fraud, says Roach. “Place additional cyber security measures around the data that would cause the greatest embarrassment or damage in the hands of enemies.”

Kate O'Flaherty

Kate O'Flaherty is a freelance journalist with well over a decade's experience covering cyber security and privacy for publications including Wired, Forbes, the Guardian, the Observer, Infosecurity Magazine and the Times. Within cyber security and privacy, her specialist areas include critical national infrastructure security, cyber warfare, application security and regulation in the UK and the US amid increasing data collection by big tech firms such as Facebook and Google. You can follow Kate on Twitter.