Negotiating with Ransomware Gangs

It might be the worst-kept secret in all of cybersecurity: the FBI says don't pay ransomware groups. But corporations do it all the time, consistently sending millions in Bitcoin to recover information that has been taken by hackers. Sometimes, government agents even assist victims with finding experienced cyber-ransom negotiators.

For the time being, it appears that paying a ransomware demand, while clearly risky and enabling/empowering to ransomware attackers, can perhaps be structured so as not to break any laws (like anti-terrorist laws, FCPA, conspiracy and others), and even if payment is arguably unlawful, it seems unlikely to be prosecuted. Thus, the decision whether to pay or ignore a ransomware demand seems less of a legal and more of a practical determination, almost like a cost-benefit analysis.


The arguments for rendering a ransomware payment include:

Payment is the least costly option;

Payment is in the best interest of stakeholders (e.g. a hospital patient in desperate need of an immediate operation whose records are locked up);

Payment can avoid being fined for losing important data;

Payment means not losing highly confidential information; and

Payment may mean not going public with the data breach.


The arguments against rendering a ransomware payment include:

Payment does not guarantee that the right encryption keys with the proper decryption algorithms will be provided;

Payment further funds additional criminal pursuits of the attacker, enabling a cycle of ransomware crime;

Payment can do damage to a corporate brand;

Payment may not stop the ransomware attacker from returning;

If victims stopped making ransomware payments, the ransomware revenue stream would stop and ransomware attackers would have to move on to perpetrating another scheme; and

Using Bitcoin to pay a ransomware attacker can put organizations at risk. Most victims must buy Bitcoin on entirely unregulated and free-wheeling exchanges that can also be hacked, leaving buyers’ bank account information stored on these exchanges vulnerable.

Refusing to pay a ransom no matter the circumstances is. “When it comes to the question of paying a ransom, our recommendation is to never pay a ransom, and there are a few reasons for this. First, paying a ransom will never guarantee that all of your data will be returned – it might be partially returned or not at all. There is also no way to tell if your information has been sold in underground markets once obtained. Second, paying a ransom only encourages cyber criminals to further carry out these attacks as they are one of the most financially profitable attacks malefactors can perform. The more business organizations give in to ransomware attacks, the more we will see them continue to trend in the threat landscape.”
