Thales Blog

How Not to Pay the Ransom? No Soup For You, Ransomware!

August 12, 2021

David Balaban | Guest author More About This Author >

Ransomware campaigns such as WannaCry and Petya attacks made this malware type a top threat to all organizations worldwide. Cyber crooks are getting more sophisticated and IT professionals have tough times struggling to detect and block malicious interventions at early stages.

Be it health care or information security, it reasonably attempts to take actions in advance. Preventing malware intervention is cheaper and easier than dealing with it once the invasion completes. This is of particular relevance when it comes to ransomware.

There are plenty of guidelines laying down basic and advanced steps for identifying dangerous entries by leveraging high-tech security suites. Businesses also use cyber traps, also known as honeypots, to lure the attackers into revealing their plots.

Again, prevention is better than cure. Where prevention fails, a fast cure is crucial. If ransomware infects your device, you would be happy to have a reliable recovery plan ensuring your most important information survives any attack. Even the most critical damages caused by ransomware are repairable as long as you have a solid backup strategy.

The rule of thumb says that no demands set by ransomware must be satisfied. Most security experts advise both corporate and private victims to refuse to pay the ransom. There are many strong reasons for not paying a penny to the crooks.

No payments to ransomware operators is the FBI’s policy

Yes, data is a critical asset. Too many businesses cannot continue their activities until they recover the data encrypted by ransomware. No matter how critical your damages are, paying the ransom is not a solution. That is the FBI's official position.

Yes, companies seek to resume their operation as soon as possible. Subject to the malware class and timeframes for decryption set by the attackers, too many victims end up transferring funds to the hacker’s accounts. The FBI Cyber Division strongly recommends making no contributions to the malefactors.

Online assistance is always available

Many collaborative platforms can help you recover the data encrypted by ransomware. They do it free of charge. Intergovernmental organizations, national police departments, and antivirus vendors do their best to have the information corrupted by encryption malware available to its legitimate holders. Again, they do not charge any fees for that. Here you can explore some data recovery apps and guidelines covering various ransomware strains and scenarios.

Criminals will be back

Paying ransom as requested by the crooks is a far cry from ensuring data recovery. Meanwhile, it is a sure way to provide more options to the criminals for further campaigns. The hackers remember their successes and practice shows, repeat them with the same and new targets. Enough is as good as a feast? Not for addicts.

Paying a ransom does not always decrypt data

Once the ransom is settled, the decryption does not start automatically. Crooks will be crooks; they are used to telling lies. Once they get your money, they may disappear at once for security reasons or just because they so decide. In addition, the decryption key might fail to work correctly, and no further explanations follow. Your own systems may fail to process the encryption key. Remember all this!

The more they get paid, the bigger they grow

Let's try to play the Captain Obvious here: payments to the hackers operating the ransomware or data-stealing schemes provide further resources and incentives for them to deploy even more attacks. That's what the FBI says. Any funds transferred to the criminals hoping to have your data decrypted are likely to be invested in other crimes. And what is very important: success stories of bigger groups of malefactors attract more and more wanna-be hackers.

Successful attacks against high-profile organizations propel this cybercrime model the most. The recent Colonial Pipeline incident fits the mold of such a catalyst. This extortion drama featuring the American fuel supply giant and adversaries from the Russia-based DarkSide ransomware gang hit the headlines in early May 2021. In the aftermath of unauthorized data encryption, the victim had to take some of its digital infrastructure offline and temporarily halt all the operations of the pipeline system, which caused gasoline shortages and price spikes along the East Coast.

To get back on track, the company chose to pay 75 bitcoins (worth $4.4 million at that point). Although the U.S. Department of Justice traced down the payment and recovered almost 64 bitcoins (about $2.3 million) before crooks could transfer funds away from their cryptocurrency wallet, this newsmaking breach demonstrated how lucrative this foul play could get.

In another episode that took place last May, the world’s largest meat processing company JBS fell victim to the REvil ransomware and was forced to close its plants across the United States and Australia for at least 24 hours. When faced with major disruption of its computer systems, the victim decided to pay a whopping $11 million worth of bitcoins in exchange for data decryption.

Kaseya, a vendor that provides IT services to thousands of organizations and managed service providers (MSPs) worldwide, was sucker-punched by ransomware distributors on July 2, 2021. To orchestrate the breach, perpetrators from the above-mentioned REvil group piggybacked on a security flaw in the company’s popular remote network management toolkit called VSA. This paved their way towards executing a supply chain incursion affecting up to 1,500 enterprise customers.

The silver lining is that the company’s incident response team succeeded in obtaining a one-size-fits-all decryption key from a third party. The breakthrough allowed the affected clients to set the recovery process in motion. Furthermore, Kaseya denies paying the ransom. This sounds like a happy ending, but with the caveat that crooks showed for the umpteenth time that even the networks of such innovation-driven organizations have loopholes critical enough to make them vulnerable.

No pain, no care

Things that do not kill you make you stronger (sometimes). They may also make you careless. If you survive a sting without significant pain, let alone illness or injuries, you soon forget it and get another. Users would do their best to enhance their security and avoid further infection if the data decryption costs too much, especially if coupled with a long-time system outage. If you get your data back instantly and for the amount that does not really affect your balance, that will not teach you a lesson. Set a routine of backing up your system at regular intervals even if you feel like you can ignore the malware. Next time the hacker’s demands and your damages might be far beyond your comfort zone. And do not forget about data encryption, both data in transit and static. Some ransomware bands started to quit the encryption routine and focus on stealing valuable data with claims to make it publicly available.

Ransomware incidents covered by cyber insurance policies

Insurance is a valid and efficient tool mitigating the risks of encryption posed by your system's exposure to malware. The insurer provides funding to the insured parties in the event they suffer ransomware invasion.

To use the funding in the best possible way, involve infosec experts so that they could suggest and implement a robust recovery method. The crew should be skillful enough and realize the affected data is your top priority. Meanwhile, they should pay attention to the other malware that may lead to ransomware, such as redirect viruses.


Let's face reality, ransomware attacks may occur in a variety of implementations. There is no ultimate solution to protect you from all kinds of ransomware. Where the infection has managed to infect your computer and encrypt your data, seek an expert's assistance.

First, try to get help from your company staff members who are skillful in security. Web communities often publish free decryption keys and other valuable bits of advice. Submit your report on the infection to a competent public organization. If the assistance offered for you is limited to a single method, consult other parties for more options.

Introducing a set of well-elaborate measures against ransomware invasions is critical. Meanwhile, your cyber insurance should extend to all varieties of ransomware that may encrypt or steal your data. Learn the financial assistance options available from your insurer in the event of such attacks.

Any experience with malicious encryption provides extra insights into the ransomware infection vectors and payload. It is a lesson to learn for the users and businesses.