by Eric Frank

To pay or not to pay: CISOs weigh in on the ransomware dilemma

Feature
26 Aug 2024 | 11 mins
IT Strategy, Ransomware

Many factors are driving more and more enterprises to pay ransoms of late. But ethical concerns remain, as shared by several CISOs who also note the limited influence they may have on the ultimate ransomware decision.

In its “2024 Voice of the CISO” report, Proofpoint found that ransomware remains a top concern among CISOs worldwide.

More surprising, however, is how CISOs say their organizations would deal with a specific incident: 62% stated that their enterprise would likely pay a ransom to restore access to systems.

The top three countries where CISOs anticipated this course of action were Saudi Arabia at 83%, Canada at 82%, and South Korea at 79%.

These figures may come as a shock. Enterprises usually take a hardline stance against other threat actors, including disgruntled employees, corporate spies, hacktivists, and cyber terrorists.

Why are so many willing to negotiate with ransomware operators, procure and send cryptocurrency to a given address, and cross their fingers in the hope that they stay true to their side of the bargain?

We spoke with several CISOs on what factors are involved in making this crucial decision — and what influence the CISO ultimately has in determining the chosen course.

Calculating the direct and indirect costs of ransomware

Leonard Kleinman, CISO of Enablis, a managed service provider in Australia, says enterprises often cooperate based on a cost-benefit analysis.

“If we look at it from a very basic economics perspective, it’s simply a cost versus benefit [equation],” he says. “Simple analysis tells you that [you should] compare the value of the organization’s revenues on a yearly basis — whatever that case is — versus what the ransomware cost is going to be.”

He pointed to the Colonial Pipeline attack in May 2021 as an example. The US fuel transportation company paid a ransom in Bitcoin equivalent to US$4.4 million, a drop in the bucket given that it made US$1.3 billion the previous year. The company would have lost significantly more from the continued disruption to its operations.

Referencing the ransomware attack on Kaseya in Switzerland in 2021, Derek Gooh, CISO of Singapore grocery retailer NTUC, adds that there is not only the direct cost of lost business but also the opportunity cost of restoration. “If you imagine, to recover all these things, to rebuild the machine from scratch — it takes time,” he says.

From this perspective, paying the ransom is tempting. “But if you have a recovery key, if you have a decryption key, it could be a 3-minute affair,” Gooh says. “You know that the malware is still inside there and all that. But at least, with the key, you [can quickly] come back on — you don’t have to close the shop.”

Chris Haigh, CISO of MercuryIT, an Australian managed services provider, says critical industries may have an additional incentive to avoid downtime.

“Think medical services: Large hospitals serving a region of a city or a singular town center — it becomes a critical service. So that may weigh into why they decide [they’re] going to take a chance of paying because [they] can’t afford to have all these services offline,” he says.

Ken Newton, CISO of secondwave, a risk adjustment solutions provider in the US, says that when a company deals with a cyber insurer, they want to cut the losses as quickly as possible.

“And they often will allow for a ransom to be paid, knowing that while there is not full honor amongst thieves, there is a history of return on that payment to get an organization back up and operating again quickly,” he says.

Enablis’ Kleinman explains that businesses must also consider legal and regulatory liabilities, risks that can be intertwined with the financial consequences, especially for larger companies. He gives the example of a ransomware operator who encrypts a corporation’s data and then goes to the stock exchange where it is listed. “‘Oh, by the way, did you know that Acme XYZ over there has been encrypted?’” he says.

Kleinman explains that this is a regulatory risk because publicly listed companies must perform continuous disclosure, given that it is material to the price of their stock. If the ransomware group informs the stock exchange, the company may be in violation of this policy, exposing itself to further regulatory scrutiny and punishment.

The ethics of paying ransomware

If paying ransomware involved only a cost-benefit analysis, there would likely be near-100% compliance with demands. However, the ethics of paying a ransomware operator are far less clear-cut, giving enterprises additional factors to consider.

Newton of secondwave says his stance would be not to pay a ransom to a ransomware operator. “I think about where that money ends up. I think about what it funds,” he says.

Although all ransomware operators are criminals, their ultimate aims are diverse. Some are out purely for profit, while others may be connected to rogue nations such as North Korea.

MercuryIT’s Haigh notes that some ransomware operators may even be sanctioned entities by authorities such as the US Department of Treasury.

“We’ve seen, for example, in the UK, US, and even Australia to some extent, where governments have come out and said, ‘Look, you need to be aware that if you pay a ransomware and the payment goes to a sanctioned entity, you can actually face quite serious penalties of litigation,’” he says.

Kleinman adds that most businesses want to avoid interfacing with these criminal groups due to the impression it might make if they did otherwise. “They generally want to be able to look at others — their peers in the industry and across industries — and sort of say they’ve done the right thing from a moral and ethical perspective,” he says.

Moreover, giving in to demands fuels further bad actions, Kleinman and others argue.

“Don’t pay because it just incentivizes them,” he says. “Don’t pay because it actually rewards and funds the next attack.”

Gooh references the example of a law firm in Singapore that paid a S$1.8 million ransom in April 2024, which caused the local authorities to discourage payments.

“It’s easy to understand, right? I mean, if Singapore [companies] were known to have a weak spot for paying ransom, then we’ll get attacked more, and it’s all a vicious cycle, so to speak,” says Gooh.

Kleinman, however, is quick to point out that organizations aren’t stuck making an either-or decision about whether to comply with authorities, most of whom indeed discourage payments to ransomware operators.

“There’s an understanding these days that the authorities — when engaged appropriately — can help organizations at least mitigate some of the challenges, [such as] losses and things like that,” he says. “They may still pay, but it doesn’t necessarily mean it’s one or the other in that sense.”

Haigh believes that companies should never pay ransomware operators — and that governments should consider making doing so illegal.

“If companies stop paying, there will be short-term pain, unfortunately. So some businesses will go under. … It’s a terrible situation,” he says. “But it’s the only way that this will actually stop. If no one’s paying, then why are you going to [bother with] ransomware? There’s literally no reason to do it.”

CISO as key influencer

Because the CISO’s mandate is to ensure the organization’s security, one would assume that this leader has the final say on whether to pay a ransom in a ransomware attack.

“Here’s the fun part: CISOs don’t get to decide that,” says Kleinman, who learned of a CISO’s role in a ransomware attack from peers.

“And I actually learned that in a discussion with other CISOs. Because I actually answered, ‘I wouldn’t pay.’ And then the next two guys that I really respected in the Portland area, both either a CISO or a director of security, both said, ‘It’s not my decision,’” says Kleinman.

Although they may not be the decision-makers, CISOs are still key influencers to their CEOs or boards. In this capacity, Kleinman says he would advise not paying based on the risk to production, legal and regulatory liabilities, and loss of revenue. “I [would] talk about those four risks. And I [would] try to equate them to the risk to the reputation,” he says.

Kleinman concedes that he has an uphill battle here. Whereas it may have once been bad publicity to comply with ransomware operators, he believes this is no longer true. He says that cyber insurers have normalized ransom payments.

“I think that because federal entities even help … there are companies that exist that assist in negotiation of ransom. That is their sole task. That is [why there] is no longer as much of a reputational hit as it once was,” he adds.

The increasingly public nature of ransomware payments may, however, challenge that.

Another challenge is that CISOs may have direct opposition within the C-suite. Haigh references the ransomware attack on the Toll Group in 2020.

“The biggest issue they had [was] that they couldn’t pay their people, and it was like on a weekly or fortnightly basis. And if you’re not paying your drivers and stuff, that business stops, right?” says Haigh. “The person that was under the most stress was the CFO. [He] could see themselves going into a bankrupt state. … I think they only had like a month to run.”

When an organization faces insolvency, most of the C-suite would be in favor of paying a ransom so they can continue with operations.

“Because now you’re talking about essentially an existential threat to your business. And it is the CEO, CFO, [and] the board’s responsibility to not let that happen. So it’s almost like you add a juxtaposition here. Because for the greater good, you should not pay the ransomware. But for your immediate micro view of keeping this business alive, you should. That is a hard one,” he says.

Buying time with third-party experts

To make the best decision, businesses should check whether their data can be restored from backups and whether their cyber insurance covers operational expenses in the event of prolonged business disruption. Both would give enterprises leverage to avoid paying the ransom.

As ransomware gets “faster, smarter, and meaner,” some operators increasingly threaten to leak stolen data, which may force the enterprise into additional action. “You’re going to [have to] use a third party that’s going to scour the dark web, find the data, and be able to either retrieve it or take it down. And that’s the best you can do in that case,” he says.

Such is the cat-and-mouse game of modern ransomware. Ransomware operators continually innovate new techniques to exert more pressure on the C-suite and board to pay. Kleinman says that some ransomware operators are targeting information that may hit closer to home.

“[Ransomware operators are] quite creative. They’ve started to dox a lot of executives, senior board members. So that is releasing personal sensitive data on the individual — like the chairman of the board or something like that, or their family — again, to further incentivize the payment,” he says.

Kleinman says this trend is in line with the rise of non-encryption ransomware, a threat built around data leakage.

If a company decides to give in to the pressure, Gooh says, it should consider bringing in a third-party expert to interface with the ransomware operator and, more importantly, buy time to look for decryption keys (which are available for some ransomware strains), coordinate with authorities, and negotiate for a lower price.

Gooh says that every enterprise’s incident response plan should provide this kind of professional help. “Knowing what to do and knowing who you can call when this kind of thing happens is certainly one of the things that companies need to be prepared for,” he says.

Newton says that it is a relief that the ultimate decision to pay a ransom does not rest on his shoulders as a CISO, but he would still make a strong case for non-payment.

“If I was asked if I would pay a ransom, I would talk about the ethics of it,” he says. “And sometimes ethics is painful. Being ethical is painful.”