February 1, 2023

Volume XIII, Number 32



Paying the Ransom in Response to a Ransomware Attack Can Sometimes Backfire

One of the key decisions that needs to be made in the aftermath of a successful ransomware attack is whether the victim organization can or should pay the ransom. Many considerations go into such a decision, including whether the payment is legally permissible, the ease of system restoration absent paying the ransom, the harm that might result to the company or its consumers if systems cannot be timely restored, and whether there are reputational risks or ethical concerns.

A new study by Hiscox, a privacy and cyber security insurance company, sheds light on additional practical concerns that should be taken into account in that balancing of potential risks and benefits.

More specifically, Hiscox released its sixth annual Cyber Readiness Report 2022.  In it, Hiscox raises a number of interesting findings:

  • Ransomware attacks have risen approximately 19%, which is up from 16% last year.

  • Approximately 60% of surveyed companies paid a ransom in response to a successful ransomware attack.

  • Of the companies that paid a ransom, approximately half ultimately paid ransoms on multiple occasions after suffering additional successful attacks.

  • In the United States specifically, the number of ransomware attacks has stayed generally the same from 2021 to 2022, but the amount paid has increased. More victims paid attackers the ransom amount this year than last.

  • Only 59% of companies that paid the ransom successfully recovered their data.

  • 29% of companies that paid the ransom still had their data leaked.

In other words, an organization that considers paying a ransom must do so with the understanding that not only are there legal, reputational and business risks, but such a payment may not even mitigate the harm of the attack.  Further, while it was widely understood that paying the ransom might encourage future criminal activity against others, the statistics suggest that such a payment may in fact lead to further attacks against the paying organization itself.

What should now be clear, if it was not already, is that the decision of whether or not to pay a ransom is complicated, and accordingly, it would be preferable not to have to consider this question for the first time on the fly in the middle of an actual ransomware attack. It is accordingly a best practice – prior to an attack occurring – to thoroughly consider the factors that go into the payment decision and – ideally – document those, along with an analysis of your organization’s particular weighing of those factors, in an internal policy or manual that can be adopted by consensus, and then be consulted for guidance should the worst happen.

© 2023 Proskauer Rose LLP. National Law Review, Volume XII, Number 336

About this Author

Nolan M. Goldberg Litigation Attorney Proskauer Rose New York, NY
Senior Counsel

Nolan M. Goldberg is a senior counsel in the Litigation Department and a member of the Patent Law and Privacy Groups.  His practice focuses on technology-centric litigation, arbitration (including international arbitrations), investigations and counseling, covering a range of types of disputes, including cybersecurity, intellectual property, and commercial.  Nolan’s understanding of technology allows him to develop defenses and strategies that might otherwise be overlooked or less effective and enhances the “story telling” that is critical to bringing a dispute to a successful conclusion...

Margaret K. Ukwu Los Angeles IP Attorney Proskauer

Margaret Ukwu is an Associate at Proskauer's Los Angeles office. As a litigation associate, Margaret Ukwu focuses her practice on complex patent litigation involving a broad range of technologies, including electrical arts pertaining to mechanical systems, computer architecture, medical devices, internet applications, mobile operating systems, wireless communications and user interfaces. She also advises clients on all aspects of patentability and provides patent counseling regarding invalidity, non-infringement and freedom to operate assessments.