To Pay or Not to Pay

A Guide to Ransomware Payments

It's no secret that 2019 was in many ways the Year of Data Breaches. While many cybercriminals steal data in order to mount further attacks or to sell it on the Dark Web, ransomware attackers are unique in that they make a simple offer: pay a ransom and everything will go back to normal.       

We've written extensively about an unprecedented wave of attacks against municipalities, healthcare providers, IoT devices, and Big Tech. However, the question that victims must then ask themselves is whether to continue to fight the hackers (often at a cost far higher than the ransom price) or to simply pay the ransom and return to business as usual.

In resolving this dilemma, there are generally two things to consider. On one hand, there is the business case. This involves a cost-benefit analysis taking into account the severity of the breach, the size of the ransom, and the estimated cost of restoring the system without the hackers' help. Often, as in the case of public utilities or healthcare providers, a disruption of service can have effects far greater than a simple financial loss.

On the other hand, there is a risk that by paying the ransom, even when financially sensible, this may produce certain external risks that are prohibitive. For example, with the new cash, hackers will probably not happily retire but will continue to mount larger or more persistent attacks. Furthermore, there is always a risk that the hackers will simply take the ransom and 'forget' to remove the malware. Indeed, there have been cases where, upon receiving the funds, hackers simply demanded a second, smaller ransom. And lastly, once the word gets out that there is serious money to be made in malware attacks, this will encourage a fresh wave of cybercriminals to join the game.

To help balance the pros and cons of ransom payments, here are the findings from standardized data compiled from actual ransom payments made in Q4 of 2019:

Average Ransom Payment: The average payment more than doubled from just over $40,000 (in Q3) to nearly $85,000. Whether this upwards trend will continue remains to be seen in the coming months.

Hacker Integrity: In 98% of the cases, the hackers delivered a valid decryption tool upon receiving the ransom. This has shown to be the case in the past as well, so it's reasonable to assume that ransom payments will continue to remain effective.

Recovery: Once the decryption tool was received, victims were able to decrypt 97% of their data.

Currency: Bitcoin is now the preferred method of payment for almost all ransomware attacks.

Targets: The largest industry segment is composed of professional services such as law firms, consulting firms, and IT service providers. However, public sector organizations are a growing segment. Interestingly, Maze ransomware has publicly announced that they will not seek to disrupt services that may result in the loss of a patient's life.

Finally, while Silent Breach does not encourage victims to pay a ransom, we still believe that decisions must be made on a case-by-case basis taking into account the factors above and considering all options to protect shareholders, employees, and customers.


If you believe that you're a victim of a ransomware attack, contact law enforcement immediately.

Federal Bureau of Investigation:

Department of Homeland Security:

Silent Breach Emergency Task Force:

About Silent Breach: Silent Breach is an award-winning provider of cyber security services. Our global team provides cutting-edge insights and expertise across the Data Center, Enterprise, SME, Retail, Government, Finance, Education, Automotive, Hospitality, Healthcare and IoT industries.