Federal Reserve Bank of Atlanta

08/02/2021 | Press release | Distributed by Public on 08/02/2021 10:20

Ransomware: To Pay or Not to Pay?

August 2, 2021

Ransomware attacks against high-profile corporate, educational, and governmental entities continue to make the news. What the media often overlook, however, are the continuing attacks against consumers' home networks and devices. Imagine your panic when you turn on your personal computer and you get a message demanding $500 in cybercurrency or gift cards for your tax, banking, investment management, family photo, and other important files that a criminal has encrypted. Do you pay or not?

Law enforcement and cybersecurity professionals almost all say "no." A March 2021 report from a cybersecurity firm described a study of 15,000 consumer ransomware attacks in 2020 worldwide. In more than half of these attacks (56 percent), the victims paid the ransom, but only 17 percent of those making payment regained full access to their files. Adults 55 and older were the age group least likely to pay a ransom (11 percent), while the 35-44 age group, at 65 percent, was most likely to pay.

Arguments against payment are threefold:

  • It encourages further attacks because the victim has already shown willingness to pay.
  • It rewards criminal behavior and provides funds for additional attacks.
  • It may not result in 100 percent recovery of files.

Those consumers making a ransomware payment do it because they hope the payment will restore their files faster and they'll soon resume normal use of their computer.

As this type of cybersecurity attack against consumers and businesses continues to increase, education about its process and the defenses that should be undertaken is critical. What is the best way to provide that? Let us know what you think.

David Lott, a payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed