The Million Dollar Question

The million dollar (sometimes, much more) question when it comes to ransomware is... should you pay the ransom? Well, it depends...No one wants to pay these people. Some people will refuse to pay the ransom on principle, even if it means the end of their organization. For everyone else, there is a decision to make.

Here are the questions you'll usually need to answer:

1. Do we have recent enough viable backups of all the systems/data we need to restore?

2. Can the threat actor decrypt the files they claim to be able to decrypt?

3. Is it worth it to us to pay simply for the chance of our name not appearing on the data leak site, or our data not being released?

From a technical recovery standpoint, if you have good backups of the systems/data you need to recover, you don't need the decryption tool, so you don't need to pay. If there are critical resources that would require a decryption key, you need to have them prove that they can decrypt the files. Make sure to try and pick non-sensitive files that likely wouldn't be included in any potential data exfiltration since they could just provide you the unencrypted copies of the files without proving successful decryption. If you don't need the key but are thinking about paying a fractional demand just to avoid your data being posted (if they've proven they've stolen it), remember that there are no guarantees. Law enforcement has confirmed during takedowns that data does not always get deleted and sometimes is sold to third parties on the dark web. There may still be value to the organization in making the gamble, but it's a factor that can't be overlooked.

Take, test, and protect those backups so if a ransomware incident ever does happen, this will be an easy question for you to answer.