Ransomware to pay or not to pay?

by Black Hat Middle East and Africa
Ransomware to pay or not to pay?


Ransomware attacks have been on the rise across the globe. With major enterprises and governments falling victim to it, the question that is repeatedly raised is, should you pay for ransomware?

The popularity of ransomware attacks has increased since the onset of COVID-19, accounting for 10% of all cybersecurity breaches. In fact, their frequency doubled in 2021, according to the 2021 "Verizon Data Breach Investigations Report." Adding to that, approximately 37% of global organisations stated that they were victims of some type of ransomware attack in 2021, as per the IDC's 2021 Ransomware Study. Moreover, the financial repercussions of successful ransomware attacks are massive. Cyber Security Ventures predict that the global ransomware damage costs will exceed $265 billion by 2031. Various ransomware attacks affected countries all over the world in just this year alone. The Costa Rican government faced a devastating ransomware attack that crippled its economy and healthcare systems starting in April 2022, while US-based chipmaker company Nvidia was attacked in February 2022 by cybercriminals who threatened to leak 1 terabyte’s worth of employee data. Meanwhile, Indian airline company SpiceJet was struck by a ransomware attack in May 2022 that left travellers stranded and delayed hundreds of flights. These attacks caused mayhem across all of these entities and compelled some of them to give cybercriminals what they wanted, a ransom payment.


As cybercriminals find more sophisticated ways to launch ransomware attacks, they’ve developed formidable programmes to do the job. Some of the most complex ransomware programmes in recent years include


Also known as Black Cat, ALPHV has been labelled “the most sophisticated ransomware of 2021”. It’s a Ransomware-as-a-Service gang that was discovered in November 2021. They hit over 60 organisations and big enterprises. ALPHV is known for using ransomware written in the Rust programming language, with a binary payload designed specifically for each target. ALPHV is fully command-line driven, human-operated and very configurable, allowing for the use of different encryption routines spread across computers. It can kill virtual machines, ESXi VMs and wipe out ESXi snapshots to block recovery.

  • Conti

Conti is a very harmful ransomware because of how quickly it encrypts data and proliferates to other systems. It was first discovered in 2020 and is believed to be led by a Russian-based group called the Wizard Spider. In May 2022, the US government announced a reward of up to $10 million for information on the group. The Conti ransomware works with phishing attacks used to install TrickBot and BazarLoader Trojans to gain remote access to infected devices. Conti can also spread through Server Message Block (SMB), which enables the group to encrypt data on other machines in the attacked network.

  • LockBit 3.0

Launched in June 2022, the new strain of the infamous LockBit ransomware is a RaaS enhanced with new extortion strategies and Zcash cryptocurrency payment options. The LockBit group pioneered the first bug bounty programme launched by a cybercrime gang, offering between $1,000 and $1 million for bug reports. In addition to introducing these new features that make LockBit 3.0 one of the most advanced ransomware programs, the group now sells victims’ data.


Crypto and locker ransomware are the two most common types of ransomware, and while they operate differently, they both can devastate your infrastructure and cost you massively. A notable example of crypto-ransomware is Ryuk, one of the most expensive ransomware in history, with ransom payments that could go over USD 300,000 to release an entire system. According to the FBI, Ryuk's attacks caused more than USD 60 million in damage globally. This type of ransomware became popular in 2018 after halting the operations of major newspapers in the United States and attacking hundreds of companies. Ryuk's attacks have had devastating impacts globally as well. For instance, French IT company Sopra Steria faced a Ryuk ransomware attack in 2020 that cost it a loss of between €40 million and €50 million. "The remediation and differing levels of unavailability of the various systems since 21 October is expected to have a gross negative impact on the operating margin of between €40 million and €50 million," stated Sopra Steria. Additionally, Universal Health Services (UHS), a Fortune 500 hospital and healthcare services provider, suffered a Ryuk attack in September 2020 that cost it around $67 million. Ryuk also targets various public-sector entities that often use older software and don't practice the best cybersecurity protocols. For instance, Lake City, Florida, had to pay $460,000 in ransom after an employee opened a phishing email that contained a variant of Ryuk malware in June 2019. The cyberattack disabled the city's computer systems, causing massive disruption as even phone lines went down.

As for locker ransomware, a popular strain known as Ragnar Locker was used to attack U.S. travel management firm CWT in July 2020, forcing 30,000 computers offline. The attackers claimed to have stolen 2 terabytes of data and demanded $10 million to restore CWT's files and delete stolen data. The company ended up paying $4.5 million in bitcoin (414) as a result of a negotiation with the hackers due to the negative impact of COVID-19 on their business. Fortunately, Ragnar Locker did not publish the stolen information and even shared guidelines to prevent future hacks after the ransom was paid.


Awareness and using preventative measures are your best bets for protecting your organisation from a ransomware attack. Learn all the tips and tricks you need to implement a robust cybersecurity strategy for your firm at Black Hat MEA, the largest cybersecurity conference in the MENA region. Formerly AtHack, the 2021 conference was the biggest infosec event ever held in the world. It brought together an international group of CISOs from front page companies, elite ethical hackers, and more Black Hat trainers than anywhere in the world, short of Vegas. The 3-day event included a rich programme of ethical hacking and cybersecurity courses and trainings. The 2022 edition is coming back even bigger than before. Join the world’s leading ethical hackers and CISOs to learn the latest techniques to prevent ransomware attacks. Black Hat MEA is co-organized by the SAFSCP, as a part of Saudi Arabia’s 2030 vision to enhance the digital skills of Saudi youth and pave the way to a digitally-robust future.


Ransomware could debilitate organisations in a myriad of ways. Some of the damage it can cause include:

1. Extended downtime

Downtime happens when an organisation experiences less than 100% productivity or a material business interruption. According to Statista, the average downtime caused by a ransom attack increased from 15 days in quarter 1 of 2020, to 22 days in quarter 3 of 2021. This much downtime could have a crippling effect on any organisation, no matter how large and well funded. For instance, JBS, a Brazilian meat processing company, underwent a ransomware attack on 30 May 2021 that temporarily shut down many of its facilities in Australia, Canada, and the U.S until 2 June 2021. The company had to pay a ransom of $11 million in Bitcoin to resume its operations.

2. Hurting Brand Reputation

The notorious Colonial Pipeline ransomware attack that took place in May 2021 made the company's name synonymous with the term ransomware in the United States. In fact, according to Forbes Insights, 46% of organisations who faced cybersecurity breaches suffered damage to their reputation and brand value.

3. Exposing sensitive data

Around 80% of ransomware attacks in the first half of 2021 included threats to leak exfiltrated data. Cybercriminals use data exfiltration to pressure victims to pay the ransom, threatening to publish pilfered sensitive data on the dark web if the payments aren't made.

4. Severe Financial Impact

The average ransomware payment increased to $570,000 in 2021, as opposed to $312,000 in 2020, according to a GRC World Forums report. The financial impact of a ransomware attack includes:

  • The ransom payment (if paid)
  • Downtime costs: you won't be able to carry out regular business operations, halting your ability to service clients or produce goods
  • Loss of revenue: 66% of organisations reported large revenue losses after a ransomware attack.

The best course of action is to take preventative measures and employ cybersecurity best practices like multi-factor authentication and frequent backups. Paying the ransom should be avoided as much as possible since it exacerbates crime and does not guarantee full restoration of your data.


Businesses, governments and healthcare systems are all common targets of ransomware attacks. Recent attacks in 2022 shed light on just how pervasive these cybercrimes are across various facilities worldwide. One of the most significant ransomware attacks that took place this year were those on the Costa Rican government and the healthcare system that started in April 2022, impacting the country's economy and citizens' health. In addition to the aforementioned ransomware attacks on Nvidia in the US and SpiceJet in India, UK.


One notable case is the series of ransomware attacks on the Costa Rican government, which started in April 2022. The country's essential services, including healthcare, have been crippled as a result of two ransomware attacks. The government is struggling to mitigate the crisis as it's facing serious consequences from the attack. Officials report that international trade has been halted as the ransomware attack took over, and more than 30,000 medical appointments were rescheduled. Tax payments were also disrupted, and millions of dollars were lost due to the attacks. The first ransomware attack targeted twenty-seven governmental bodies, while the second attack knocked down Costa Rica's healthcare system. As a result, the Costa Rican government declared a state of "national emergency".

A ransomware gang called "Conti" with Russian ties claimed to be behind the first attack on Costa Rica and has been found to have links to the ransomware-as-a-service operation HIVE, which was responsible for the second attack that crashed the healthcare system. Last year, Conti extorted over $180 million from its victims. The ransom attacks deeply impacted citizens' lives and the Costa Rican government's economy.

Additionally, the recent attack on the chipmaker company Nvidia by a group named Lapsus leaked employees' credentials and announced that they would release 1TB of stolen data in February 2022. This attack led Nvidia to move parts of its business offline for two days as their email systems and developer tools faced outages during that period due to a malicious network intrusion that "completely compromised" the firm's internal systems, according to a Telegraph report.

Another case of enterprise ransomware attacks was the one that hit UK retailer The Works in April 2022, forcing 526 of its stores to shut down. The attack happened due to an employee opening a phishing email. As a result, the Works disabled internal and external access to its systems and staff emails as a safety measure. Fortunately, however, no customer information was leaked.

This sheds a light on just how serious ransomware attacks could be, and many entities feel compelled to pay in order to retrieve their data and protect their people. However, many cybersecurity experts are against paying for ransomware, noting that it exacerbates cyber crimes and usually fails to fully retrieve the victim's data. They instead suggest relying on preventative and other restorative measures to defeat ransomware.


An iconic case of enterprise ransomware attacks was the one that hit Colonial Pipeline, an American oil pipeline system. The cyberattack took place on May 7, 2021 and impacted the computerised equipment that managed the pipeline, forcing the company to halt all pipeline operations for several days. Naturally, this led to gas shortages, panic buying, and price spikes in some states, and an extended shutdown could have caused price increases and shortages across the industry. Luckily, this was averted due to Colonial Pipeline coming back online within a week after paying a ransom of $4.4 million worth of bitcoin to the hacker group DarkSide for a decryption tool to restore oil operations. Colonial Pipeline's CEO Joseph Blount told the Wall Street Journal that although paying the ransom was a difficult decision; it was "the right thing to do for our country." Blount added that Colonial will have to pay much more - tens of millions of dollars - to fully restore its systems in the upcoming several months. This puts into perspective just how severe the repercussions of a ransomware attack are, and how paying doesn't always fully solve the problem.

With that in mind, it's understandable why stakeholders face a lot of pressure to pay ransom in order to save their operations. However, experts have varied opinions, stating that the decision must be carefully studied. "Deciding whether to pay the ransom is a difficult decision and one that must be made carefully at the board level, not by security and risk leaders," says Mark Harris, Senior Director Analyst, Gartner following up with, "Understanding what happens if you pay is key to making that decision." Thus, paying might not always be the best solution to defeating governmental and enterprise ransomware attacks.


What's supposed to happen is that once organisations pay the ransom, attackers will provide them with a decryption tool and revoke the threat to publish stolen data. The reality, however, is different. Payment doesn't always guarantee that all of the data will be restored. Hence, some things that should be taken into account when deciding whether or not to pay for ransomware:

  • Only 65% of the data is recovered on average, and only 8% of organisations succeed at recovering all data.
  • Encrypted files often cannot be recovered. Decrypters provided by attackers may crash or fail. You might have to build a new decryption tool by extracting keys from the tool provided by the attacker.
  • Recovering data is time-consuming and can take several weeks, especially if a large amount of it was encrypted.
  • You can't guarantee that the hackers will delete the stolen data. They could still sell or disclose it later if it has value.

Although it's often easier and cheaper to pay cyberattackers a ransom than to recover from a backup, many law enforcement agencies discourage paying, since doing so exacerbates criminal activity. Paying attackers serves their business model, which could only lead to more ransomware attacks. However, not all organisations can afford to be offline for days or weeks, and it can be especially crucial for governmental organisations and healthcare facilities that have to choose between paying a ransom or cutting off people from essential services. Because the decision to pay for ransomware is such a grey area, it's best to focus your attention on preventing and mitigating ransomware attacks.


There are various ways to be safe from ransomware, all of which are part of improving your overall IT security.

  1. Have a defence-in-depth security program. Having multiple layers of defence is a best practice to safeguard against many IT risks, not just ransomware attacks.
  2. Employ advanced protection technologies. Your organisation can use extended detection and response to identify potential risks for ransomware exploitation.
  3. Education is key. Inform employees about the risks of social engineering. Often, it's when users accidentally click on something that they're not supposed to that leads to a ransomware attack.
  4. Patch often. Keeping your software and firmware up to date can help prevent a possible attack vector, as ransomware code often preys on known vulnerabilities.
  5. Regularly backup critical data. Ransomware primarily targets data. Having reliable backups minimises the risk of losing data.


Cryptocurrency is the bread and butter of cybercriminals. It's fast, anonymous, and easy, which explains why it's the primary form of payment for ransomware. Cryptocurrency enables ransomware for various reasons, such as large payoffs, the high likelihood of victims paying the ransom demand, and the opportunity for criminals to make money selling or leasing their malware in the ransomware-as-a-service (RaaS) market. Crypto enables cybercriminals to grow richer beyond what had previously been possible. Not only do they get paid more, but the nature of cryptocurrency helps them add more layers to their operations, which makes it more difficult to trace transactions. They can carry transfer payments in various ways, from USB sticks to printing them on paper. Not only that, but they also have various coins to choose from. They can be paid in Bitcoin and shift to Ethereum or another exchange to wash the payment, which makes it difficult for investigators to trace the transactions as they don't have one coin to follow. The profits threat actors are making off of crypto is fueling the rise of more sophisticated hackers who can build greater expertise on the backend, giving them the ability to carry out bigger and more complex attacks. A major example of that is ransomware-as-a-service (RaaS). Such a sophisticated system creates more complex attacks and more attackers.

RAAS is offered by highly skilled developers who sell or lease expertly coded ransomware to less skilled affiliates to execute ransomware attacks. Reputable RaaS developers design software with a high chance of penetration success and a low probability of discovery. Once it's developed, it's altered into a multi-end user infrastructure which can then be shared with multiple affiliates. Ransomware as a Service (RaaS) is based on the Software as a Service (SaaS) business model. Previously, coding erudition was necessary for all successful hackers, this is no longer the case with RaaS. Just like SaaS users don't have to be skilled or experienced to use the tools, hackers also don't need to be proficient in order to use RaaS. In a nutshell, RaaS allows anyone to launch sophisticated cyberattacks by paying a fee.


Ransomware attacks have been on the rise and are expected to continue increasing. The versatility and profitability of cryptocurrency pave the way for cybercriminals to increase the complexity of their attacks and create sophisticated operations like Ransomware as a Service (RaaS) to increase their profits. The availability of these programs increases the number of hackers out there and leaves organisations at risk. Businesses, governments, and healthcare facilities are often the primary victims of ransomware attacks. This often happens because employees unknowingly click on phishing emails that trigger the ransomware attack. Therefore, the best course of action is to conduct frequent backups of important files and educate employees about social engineering risks. If you can avoid paying the ransom, then you should. As paying gives cybercriminals what they want, which helps exacerbate their crimes.

Share on

Join newsletter

Join the newsletter to receive the latest updates in your inbox.

Follow us


Sign up for more like this.

Join the newsletter to receive the latest updates in your inbox.

Related articles