Ethical considerations when dealing with ransomware: ‘To pay or not to pay?’
You have been hit by a ransomware attack, your files have been encrypted and a ransom is demanded: will you pay or not?[1] On principle, this may seem like an easy choice: ‘I won't pay, because I don't do business with criminals’.[2] The NCSC, the IBD and the Police also take this as their starting point.[3] After all, by paying you sponsor new criminal activities and give criminals a reason to try again. In practice, however, the choice is less clear-cut. Every ransomware situation is different. Depending on which files are encrypted, to what extent backups are available and whether there is enough in-house knowledge to restore files, the decision may be to pay. Often in an attack, files are encrypted or there is a threat of data being put online. I researched what you need to consider in such a ransomware situation. Here are the six important considerations:
‘What are the implications of paying or not paying for directors?’
With the new NIS2 legislation and the current DORA legislation, the direct obligations of directors are increasingly defined. This also means that one can be held liable for failing to comply with these direct obligations. In a ransomware situation, there is something to be said for both paying and not paying in terms of these obligations. In favour of paying, it can be argued that directors handle data well; after all, they are (possibly) preventing the organization's data from ending up on the street. In favour of not paying, one can argue that funds are handled responsibly; the criminal circuit is not sponsored. Unlike some other countries, the Netherlands has no legislation that prohibits paying a ransom. However, the Dutch government has in the past attempted to make organizations pay less often. In short, the direct obligations are an important consideration for both paying and not paying.
[1] This is a translation of a Dutch article written for the Dutch market. In other countries, the policies may differ, but the considerations around paying or not paying are universally relevant.
‘Do we do business with criminals?’
The most common argument for not paying is the principle that ‘one does not want to do business with criminals’. Many ransomware groups come from Eastern Europe and Russia, where the Russian government turns a blind eye as long as the groups attack Western companies. Paying a ransom then contributes not only to maintaining a criminal circuit, but also to the political confrontation between Russia as an authoritarian regime and Western European democracies.
The principle in favour of paying is often about the organization's own operations: ‘We have to keep running at all costs.’ Paying often helps restart business activities that were blocked. This limits the damage to both the organization and its employees. Limiting the damage to one's own organization also contributes to the continuity of the ecosystem in which the organization operates. After all, if the organization is quickly ‘up and running’ again, chain partners are less affected by the disruption. There is something to be said for both principles; discussing them therefore leads to the following question: ‘What will it cost us if we pay or not?’
‘What does it cost us?’
In some ransomware situations, paying is not necessary, simply because good backups have been made, for example, or because the systems hit are less important than they appear from the outside. If there is no need to pay, it makes no sense to do so either. To be sure that there is no need, however, it must be certain that the attack is isolated and cannot still pop up in other places. Unfortunately, this often cannot be said with certainty. It may therefore be beneficial to contact the attacker. That way, it is often possible to check whether the attacker actually has the information and, not unimportantly, the decryption key. An external specialised party can support this contact. Restoring the affected systems may cost so much time and money that paying is the more economical option. In addition, there may be strong moral or social reasons to pay. This trade-off depends very much on the situation and the knowledge available within the organization.
‘What will the client think of our choice?’
The client has several interests at play when it comes to paying or not paying. In our experience, communication plays a particularly important role when the client needs to be informed, regardless of the choice to pay or not to pay. No communication, or wrong communication, generally leads to misunderstanding both internally and externally. For both clients and employees, this can lead to a loss of trust in the organization. When personal data may have been leaked, a report must always be made to the Personal Data Authority. Under the upcoming NIS2 legislation, a reporting obligation also applies. Depending on the business activities, in addition to the duty to report, the client may benefit from the continuity of business operations, the protection of business and client data, the limitation of financial losses, or a combination of the above.
‘Do we have sufficient financial buffer?’
Ransomware is not ransomware without a demanded sum of money. Often, the requested amount is a percentage of annual turnover. By negotiating, this amount can still come down: ransomware groups benefit more from a small payment than from no payment. In the past, there have been instances in which an organization agreed to a low negotiated amount; instead of receiving the decryption key afterwards, the demand was raised. Paying nothing at all is then no longer an option. There are also companies that paid, but used their entire financial buffer to do so, making it impossible for them to absorb the next blow (such as the coronavirus pandemic). As a starting point, paying is only wise if it does not undermine business operations AND there remains the possibility to pay more, if necessary.
‘How does the attack affect the employee?’
A ransomware attack also affects the employees of an organization. Three effects can be distinguished. First, a ransomware attack is a frightening experience for employees. They are personally confronted with the encrypted files and possibly the threat message. Second, a prolonged disruption can cause frustration if employees cannot, or can no longer, do their jobs properly. Lastly, employees sympathise with clients if their data may be out in the open. Paying does limit the damage, while not paying contributes to moral ‘retribution’: ‘They may be in, but they get nothing from us.’
Beneath the questions above lie moral principles and considerations. We started with the governance questions which, with the current and upcoming legislation, mainly revolve around the question: ‘How do I fulfil my direct obligations?’ The next question concerned doing business with criminals: ‘Can we justify that?’ Next came costs and benefits: ‘How do we spend our money most usefully in this situation, by repairing or by paying for the repair?’ Fourth, we included the client in the consideration: ‘How do we explain our choice to the client?’ Next, we discussed the financial buffer: ‘What does paying do to our reserves and can we justify using them?’ Finally, we brought the employee into the discussion: ‘How can we limit the impact on employees and meet their moral considerations?’ Depending on the situation and the organization's values, certain considerations are more or less important. When your organization is affected, there is often no space and time for those considerations. We therefore recommend discussing the considerations in the board or management at an earlier moment. The crisis team can then take them into account when faced with the choice: are we going to pay or not? To pay or not to pay?
Want to know more?
Interested in discussing the decision to pay or not to pay? I would love to get in touch via marlijn.mulder@highberg.com
[3] NOS