Why It May Be Worth Paying The Ransom In A Ransomware Attack


Australia is being hit hard by ransomware attacks and we've heard a lot of security vendors advise against paying the ransom that cybercriminals demand to decrypt locked files. But RSA CTO Zulfikar Ramzan thinks it's better to just pay up. Here's why.

Ransomware has become a popular tool for cybercriminals to make money, mainly because it's easy to use: there are exploits that require little technical knowledge to deploy, and there's a whole underground industry supporting it.

"With traditional cybercrime, it used to be more about getting credit card numbers and the lot," Ramzan told Lifehacker Australia at RSA Conference 2016 in Singapore. Cybercriminals will then need to take a number of steps, from credit card cloning to recruiting money mules to move funds, to make use of the stolen data, which can be exceptionally complicated. "Fast forward to today, ransomware accepts Bitcoins and all of a sudden you've eliminated the whole aspect of the business that requires you to know how to monetise stolen credit cards."

While the recommendation of many security vendors is not to pay the ransom if you or your company do fall victim to ransomware, Ramzan has a different perspective on this.

"I advocate the opposite; I say, usually, just pay the ransom," he said. It should be mentioned that if you've had the foresight to back up your data regularly, then you wouldn't have to worry about ransomware locking up your files. But if you haven't, Ramzan said: "The bad guys have always been bad, but they realise that it's a business opportunity for them; if they don't decrypt your data when you pay the ransom, the reputation of their business will go down."

The ransomware business is so organised that there's even around-the-clock customer support to answer victims' questions. For example, if victims don't know how to set up a Bitcoin wallet to pay the ransom, the customer service folks for that ransomware attack will guide them through it step by step, according to Ramzan.

"They only make money by following through with what they said they're going to do when you pay the ransom," he said. "Depending on the ransom and all the circumstances, if it's critical data to you, we say you should seriously consider paying the ransom because you're not going to get your data back through some other means.

"Ten years ago it was a different story - a lot of ransomware was not very sophisticated and there were probably other ways to get your data back without paying."

Spandas Lui travelled to Singapore as a guest of RSA


    I am aware that it is only the opinion of Ramzan, but it doesn't sound like a legitimate strategy. If you are big enough to have sensitive data that will cost you money, then you are big enough to be doing backups that you can rollback to. He mentions that for the ransomware guys it is only a business opportunity, and then goes on to suggest paying them. Wouldn't the better solution be to not pay them, therefore decreasing the opportunity? If they are business people as he claims, they will not continue in a market where there is no money.

    Odds are he is mates with a few ransomware companies and is taking a dive for money :P

      Hi Tubby,

      Obviously if your company has done all the backup processes right, then there's no need to pay up. But if you really do need the data back and you haven't taken the steps to back up, he's saying paying isn't a terrible option. Bigger organisations may have had the foresight to put in precautionary measures, but smaller companies may not be so prepared.

      Note he said:

      "Depending on the ransom and all the circumstances, if it’s critical data to you, we say you should seriously consider paying the ransom because you’re not going to get your data back through some other means."

      Hope this helps.



    Don't Pay!
    There are lots of ways to get your data back without paying. It's called backups!
    If you are too tight to buy backup software, then you deserve to lose your data!

      Exactly. Paying only promotes this type of organised crime.

      If anything, there should be more awareness about these nefarious activities and to encourage all to implement, test their backups, as rudimental as it may be.

      Anyone involved in this industry clearly has no moral standards and is either stupid, arrogant or both to justify that 'it's just a job' or 'it's just a business'...

      Last edited 20/07/16 5:35 pm

      Buy? Hell, Windows and macOS are capable of being set up to run regular external backups out of the box.

    hahahahaha.... great that this fella is putting his savvy business degree knowledge into practice. Yeah, right; sure, their reputation will take a hit. hahahaahahaaaa


    Ahh it may actually be illegal in this country to pay it.

    I work as a security professional doing forensics, pen testing and incident response, and I have to say that if you don't have backups or some other offline/out-of-band storage then the best bet really is to pay. The other option for non-critical data is to store it and wait a few years in case the master key or other decryption method becomes available. This happened recently with TeslaCrypt, although it's a rare example.

    As the article mentions, it's not in the interests of the criminals to withhold the key if you pay, since it's 'bad for business'. It only takes a few stories online of the criminals failing to unlock the data for the whole scam to be over - no one will pay if they doubt they'll be able to access their data again.

      if you don't have backups or some other offline/out-of-band storage then.... I know of a small business owner who said to his tech guy "back up everything important". When the backups were needed, at one stage, because the premises were broken into (computers stolen), the tech guy hadn't backed anything up for whatever reason. Point is, I would suggest you ask your tech guy (if you have one) to tell you about your backups and when they were last made, if that's what you are paying him/her for and don't have the time to make them yourself :) Suggestion only :)

        Absolutely! It's critical to test your restore process. I'd recommend once per quarter, or at least once per year. Media can fail, scripts can break, network addresses can change. Disaster recovery testing is an oft-overlooked necessity.
