It’s happened: computer screens are filled with demands, data is encrypted and inaccessible, systems are disrupted, your backups were not protected (see our “Backup Plan” blog post), and you’re experiencing the panic of ransomware. What do you do? Try to negotiate with unknown attackers, or start from scratch and rebuild your IT environment? Either option can be costly, so Soteria is sharing our experiences, as well as factors to consider, to help ensure the best decision for your company is made.

Attackers may research who you are to set the ransom.

Most ransom notices provide an email address for victims to contact in order to negotiate. Unfortunately, some attackers will research their victims and then determine the price using this research. This may work to the benefit of a smaller organization that doesn’t appear to have as much monetary value, but can result in huge ransoms for larger organizations.

Paying the ransom may not resolve the issue.

Due to the widespread availability of ransomware code, it is possible for novice attackers to use poorly constructed ransomware. As a result, the attacker may not put the correct contact information or payment location on the ransom notice, and/or the decryption keys provided may not work once they are paid for. This is becoming less common, as the threat of ransomware depends on the attackers’ ability to decrypt files, which encourages victims to continue to pay. Soteria’s incident response experts highly recommend verifying that the attacker can decrypt 2-5 files to prove this capability before paying the full ransom.

You can be targeted again.

Recovering your data does not mean you are done dealing with the situation. It is important to understand how the attackers gained access in the first place. In some cases, ransomware is deployed using backdoors or trojans provided by a malicious third party. If these backdoors are not also removed during remediation, your organization may still be vulnerable to ransomware or another type of malware. You should always have incident response experts examine the incident, determine its root cause, and assist with remediation efforts to ensure all aspects of the ransomware are contained and eradicated.

The ransom may cost less than starting over.

Many times, the ransom is set at a price that is lower than the cost to completely restore your environment or less than the value of the business’s daily revenues. Before making decisions, it is important to discuss the impact of the ransomware and conduct an analysis of restoration costs.

Payment goes to criminal organizations.

Hacking, unauthorized access, computer trespass, and sending viruses or malware are illegal in all 50 States, with California, Connecticut, Michigan, Texas & Wyoming having specific laws against ransomware and computer extortion. Paying these criminal organizations unfortunately only encourages the continued activity. The FBI advises that US-based companies and organizations do not pay these ransoms, but instead report them to the FBI for investigation. Organizations should consider public opinion on paying ransoms and how it may affect their reputation if it becomes public knowledge that payment was made.

Your cyber insurance company may sway the decision.

Cyber insurance has become a key tool for security leaders to transfer the risk of incidents outside their organization. In the event of an incident, your insurance provider will likely provide a list of preferred response companies or assign one to your incident. This response company will recommend how best to respond, keeping the insurance provider’s costs in mind.


Regardless of whether you decide to pay or not during a ransomware attack, an investigation will need to happen. All your business relationships, both service providers and clients, are going to want assurance that your systems are free of malicious code and that your company is taking action to enact correct controls before they will allow you to resume the relationship and business operations.