The policy of not paying ransom, often referred to as a “no concessions” policy, is a widely debated strategy in counter-terrorism and hostage situations. Yet the effectiveness of such a strategy has been and continues to be debated from multiple perspectives.
Ransomware is a type of cryptovirological malware that permanently blocks access to the victim’s personal data unless a ransom is paid.
The arguments against not paying the ransom include humanitarian concerns, such as the risk to the hostages (i.e., the terrorists may resort to violence), as well as public and political pressure (i.e., the families and public can oftentimes exert significant pressure on the government to pay the ransom). This is according to Chris Denbigh-White, CISO, Next DLP.
Denbigh-White explains to Digital Journal the arguments for not paying the ransom. These include deterrence, in that it could discourage future kidnappings (if terrorists and criminals believe they will not profit from the business of kidnapping), as well as weakening terrorist finances, thereby weakening current and future operational capabilities.
Should this same rationale be applied to ransomware payments? Denbigh-White says similar ethical considerations need to be addressed, such as whether paying ransomware demands funds further criminal activity.
There are also legal questions. Take the U.S. According to the U.S. Department of the Treasury, “in the U.S., while there is no outright federal law that makes paying ransomware demands illegal, there are in fact significant legal and financial risks associated with making such payments.”
The effectiveness of a “no concessions” strategy needs to be explored on both a short- and long-term basis, notes Denbigh-White.
He adds that some would argue that paying the ransomware demand, in the short term, is a necessary evil to secure the return of your data and/or deter the cybercriminals from making it public.
Concluding, Denbigh-White states: “History has – of course – shown us that this is not always the case. While others would argue that in the long term, payment simply ensures the continuation of this type of cybercrime. Of course, while non-payment may contribute to long-term deterrence, it involves a difficult business trade-off in the short term.”