Last week, the City Council of Riviera Beach stated that its decision to pay $600,000 in ransom to the threat actors who infected the city network with ransomware was made on the advice of external security consultants. The move was criticized by many in the cybersecurity industry, because paying up may encourage ransomware actors to continue targeting organizations.
However, the advice given to Riviera Beach is far from exceptional. In fact, many risk and security analysts are urging organizations to include a scenario for paying ransom in their incident response plan. The central advice remains for companies to secure their systems, but many professionals believe that in the event of an attack, paying ransom is a legitimate course of action that needs to be weighed against the alternatives. Earlier this month, Forrester Research even published a guide on this. Adam Kujawa of Malware also doesn’t believe that it’s possible to “make a blanket statement of ‘pay the ransom’ or ‘don’t pay the ransom,’” adding that “if you have failed to segment your data or your network, or failed to check your backups or other measures to get your company back on track quickly, then you will have to deal with the fallout.”
At the same time, as ransomware attacks become increasingly targeted, ransom demands are surging. In the early days of automated ransomware campaigns, victims were urged to pay relatively small sums of hundreds or at most thousands of dollars in bitcoin. Threat actors have since started setting ransom amounts based on the budget or annual revenue of the victim organization. As a result, six- and seven-digit ransom demands have become rather common.