Your organization has just received ransom notices across your infrastructure, informing you of what you already fear. All your critical business data has been encrypted. You are angry that someone’s moved your cheese, and you don’t want to reward them for it. Your emotions are confirmed by advisors who give you the conventional advice: “Don’t negotiate with terrorists! Never pay the ransom!” Meanwhile, business operations have come to an abrupt halt, and the cost to the business increases by the minute. As the attack grinds on, your organization scrambles to find new ways to meet core functions, putting stress on everyone, including executive management. As the stress and financial burden rises, hard-line conversations about whether to negotiate with cybercriminals suddenly take a back seat to the reality that you are beholden to the business and its key stakeholders.

The city of Baltimore has been grappling with a highly publicized ransomware attack for nearly a month. The attack has greatly hampered the city’s operations for everything from its police department to its finance department.[i] Estimates of the financial impact of the attack are around $18.2 million. The cost the extortionist demanded for decryption keys was around $76,000 of bitcoin. However, the day of the attack, the mayor of Baltimore announced a refusal to pay.[ii] This was shortsighted.

While many advise against paying ransoms, Forrester has been tracking a trend of companies that negotiated with the extortionists and paid for decryption keys as part of their incident recovery. Here is why:

  • Conventional wisdom does not factor in what is best for your business and the situation you are currently in. Platitudes and emotion are not going to help you formulate an optimal recovery path for your business.
  • Recovery is complicated even if you have good backups that survived the attack. Many organizations significantly underestimate the scale of disruption they need to plan for or make too many assumptions about what functionality will continue to exist after an attack.

Forrester’s guidance is not a recommendation of whether or not to pay a ransom but to recognize paying the ransom as a valid recovery path that should be explored in parallel with other recovery efforts to ensure that you’re making the best decision for your organization. Look forward to our report providing guidance on how to implement incident response workflows to optimally select the best recovery for your organization.

(Written with Madeline Cyr, senior research associate)

[i] Source: Lillian Reed, McKenna Oxenden, and Ian Duncan, “Baltimore ransomware attack: Here’s what’s working and what’s not in city government,” The Baltimore Sun, May 15, 2019 (https://www.baltimoresun.com/maryland/baltimore-city/bs-md-ci-city-agencies-ransomware-20190509-story.html).

[ii] Source: Ian Duncan, “Baltimore estimates cost of ransomware attack at $18.2 million as government begins to restore email accounts,” The Baltimore Sun, May 29, 2019 (https://www.baltimoresun.com/maryland/baltimore-city/bs-md-ci-ransomware-email-20190529-story.html).