ICAEW.com works better with JavaScript enabled.

You’ve been hacked: should you pay ransomware attackers?

Author: ICAEW Insights

Published: 26 Oct 2023

In part two of our short series on what to do if you’ve been hacked, we look at whether you should pay up if you are the victim of a ransomware attack.

A ransomware attack can be an end of life event for a small company. Paying the ransom can drain the cash reserves of a small business, sometimes to the extent that it can never recover. There’s also the reputational damage and the risk of losing clients to seemingly more reliable rivals.

When a ransomware attack does occur, it can be tricky to know how to respond if you don’t have a plan of action in place. Ransomware attackers are very good at piling on the pressure and pushing you to make a snap judgement, says Rob Demain, the CEO and Founder of cyber security consultant e2e-Assure.

“As time goes on, the price starts going up. They hit you with time pressure because they don’t want you to have any thinking time. If you’re in a chat window with ransomware attackers and you don’t respond, they will say things like: ‘You’re not responding. We’re going to sell your data.’ They won’t stop pushing you to pay.”

Many SMEs don’t realise that holding their data ransom does not necessarily require sophisticated software. If an attacker can get into a cloud-based system using a compromised email account, they can get your data. 

“They don’t need to use encrypting ransomware or run an exploit because they’ve got your accounts and therefore they’ve got your data. They move on to the ransom,” says Demain.

The big question for businesses in this situation is whether it’s a good idea to pay up or not. On one hand, you have potentially great cost. On the other, there’s the risk of losing your data. It’s important to remember, first and foremost, that you’re dealing with experienced, organised criminals, says Demain. 

“You’ve got to understand what’s going on and who you’re dealing with. They may come across as friendly, but these are criminals and they are dangerous. If you pay a ransom, you’re paying money to terrorists.”

Pravesh Kara, Security and Compliance Product Director for IT company Content+Cloud, recommends that you avoid negotiating if possible. “Paying ransoms adds further fuel to the fire, inciting repeat behaviour in ransomware groups. There is also no guarantee that they’ll actually decrypt or honour any agreement.” 

You also need to be aware of any country-level sanctions that might be in place, says Kara. That could mean that you lose money to ransomware and the government penalises you. “Report it to the National Cyber Security Centre and call Action Fraud, which can help you.”

If you really have no option to get your business back up and running, keep the conversation short and plain, says Kara. “Respond promptly, but delay decisions, cite any issue you can in gathering the amounts they are asking for, ask for extensions on deadlines, then when reaching the final throes of negotiations ask for a significant discount. They usually want to close payment and move on quickly so do tend to reduce their asking price the longer you can negotiate. If you don’t feel comfortable negotiating, then there are ransomware negotiation services available that can help and further limit the damage.”

This, however, comes with a lot of risk. Demain says that the best solution is to take precautions to ensure you can restore your data yourself. Back up your data on a safe, separate drive, he says.

“That’s your weapon; I can restore my data, therefore this ransom isn’t going to work. They’ve still stolen the data – that’s a different issue – but it’s not going to stop your operations. If you make sure you’ve always got a copy of the data, they can’t act.” 

Do not be concerned about playing hardball with ransomware attackers, he says. There is nothing you can do to get back your data; they have it. It is outside of your control, so focus on the factors that are, he says. 

“You might as well just restore everything and not worry too much because the extortion is going to happen anyway. The key is to reinstall the data from a ransomware-proof backup. You can spend a fortune and still have your data sold on to others.” 

Accountancy firms and finance teams should have backups already, so they may already have the solution to the problem at hand, says Demain. “When ransomware really works is when the victim needs that data to function. Unless it’s their busy season, accountants probably have a bit of time to fix the problem. The message is that that could happen, so make sure you have up-to-date backups.”

Read more: You’ve been hacked: how to respond in the first 48 hours

Latest cyber security articles

You've been hacked!

ICAEW marks the 20th anniversary of global Cyber Security Awareness month with a series of resources to help you know what to do when a cyber attack happens.

Cyber Security Awareness month 2023

Further resources

Keep up-to-date with tech issues and developments, including artificial intelligence (AI), blockchain, big data, and cyber security.

Keep up-to-date with tech issues and developments, including artificial intelligence (AI), blockchain, big data, and cyber security.

Read more
ICAEW Community
Data visualisation on a smartphone
Data Analytics

Helping finance professionals develop the advanced data analytics and visualisation skills needed to succeed in this insight-driven era.

Find out more
Finance in a Digital World - support for ICAEW members and students on digital transformation and technology
Finance in a Digital World

ICAEW has worked with Deloitte to develop Finance in a Digital World, a suite of online learning modules to support ICAEW members and students, develop awareness and build understanding of digital technologies and their impact on finance.

Open AddCPD icon

Add Verified CPD Activity

Introducing AddCPD, a new way to record your CPD activities!

Log in to start using the AddCPD tool. Available only to ICAEW members.

Add this page to your CPD activity

Step 1 of 3
Download recorded
Download not recorded

Please download the related document if you wish to add this activity to your record

What time are you claiming for this activity?
Mandatory fields

Add this page to your CPD activity

Step 2 of 3
Mandatory field

Add activity to my record

Step 3 of 3
Mandatory field

Activity added

An error has occurred
Please try again

If the problem persists please contact our helpline on +44 (0)1908 248 250