
Never, Ever Pay the Ransom!

As the attacks on the Colonial Pipeline and meat processor JBS show, ransomware is a huge threat to businesses and individuals, but paying the ransom just fuels more attacks. It's time to change the way we react to this security scourge.

By Max Eddy
June 9, 2021

The news lately has been filled with ransomware attacks like the one on meat processor JBS, and their effects are being felt more broadly than ever. That's bad, but it's also bad that some of the companies affected by these attacks have opted to pay the ransom. That's why, once again, I'm begging companies and individuals to never pay the ransom. Instead of secretly complying with criminal demands, individuals and especially corporations should loudly ask for help. Giving in and paying up, even with the hope that the government will recover your money, won't undo the damage already done, and it only fuels more attacks. And, as we've seen with the Colonial Pipeline attack, even if you pay and get a decryption tool from the crooks, it might not work—more on this below.

What Is Ransomware?

A quick refresher: Ransomware is malicious software that takes control of infected machines or files, then offers victims the opportunity to pay a ransom to get access to their systems and the data and apps on them. Once the ransom is paid, the criminals promise to release control of the files or machines. It's a style of attack that has actually been around for decades, although some recent high-profile attacks have pushed it back into the headlines.

They're In It for the Money

Money is the root of all evil, and that's especially true for cybercrime. Botnets can be rented out to send spam (which is also a money-making enterprise), stolen data sold on the Dark Web, and so on. Granted, there are probably a few (a very small few) cases where a nation state has deployed ransomware to disrupt a rival government's infrastructure or economy. But until there's evidence that countries are frequently using ransomware to disguise their attacks, we should assume that ransomware practitioners are in it for the money.

The way to combat ransomware, then, is to starve its users of money. There are many ways to cut into ransomware's profitability. Considering that some of these attackers have reportedly brought in $90M in cryptocurrency ransoms, the potential reward for the attackers currently outweighs the risks. To increase the downsides for attackers, governments must engage in some serious international cooperation to bring ransomware groups to justice. The Biden administration's more aggressive stance against ransomware is a good start, but real change will likely require law enforcement cooperation on an international level, which would be no small feat.

Making it harder to convert their ill-gotten cryptocoins into real actual money dollars could limit the reward of ransomware attacks, too. We've actually seen a little of this recently, when some of the Colonial Pipeline ransom was recovered by US authorities. While even the partial recovery of the Colonial ransom is a step in the right direction, it's unclear whether we can expect it to become the norm. It seems unlikely to me that an individual victimized by ransomware can expect the same degree of support that Colonial received. Ransomware taking control of my photos isn't likely to spike gas prices, after all.

While government and industry should move against ransomware on all fronts, the most obvious and perhaps even the most effective solution is to simply stop paying the ransom. Consider that every ransomware attack that doesn't pay off means lost time and increased cost for the attacker. It may not be much cost—the price of these attacks remains alarmingly low—but it's still a cost. Forcing criminals to incur more costs and expend more effort per dollar pushes them toward other kinds of attacks or, ideally, out of cybercrime entirely.

Stop Paying the Ransom

That said, resisting ransom payments is difficult, especially as the impact of ransomware is felt more widely (and more personally) than ever before. That, however, should be a catalyst for greater action, not capitulation. 

Like most scams, ransomware uses fear and urgency to make victims feel trapped. Companies want control of their ransomed systems back, and people want to get their digital photos back. Ransomware plays on the false promise that it will be quicker and easier to undo the damage rather than recover from it. We need to move away from this belief and accept that the damage has already been done.

Perhaps after paying the ransom, law enforcement will disrupt the ransomware operation before you receive the decryption tool. Or perhaps there isn't a decryption tool at all. Remember that ransomware attackers don't care about your files or your computers, they just want to be paid. During the Colonial Pipeline ransomware attack, the company coughed up the cash only to find that the decryption tool they got in exchange worked too slowly to be meaningful. Their $4.4-million ransom bought them nothing, in the end—but it almost certainly funded more ransomware attacks.

In a way, the massive rise of ransomware may also contribute to its downfall. The hugely negative optics of some major ransomware attacks have even pushed the attackers to clarify that while they're in it for the money, they really don't want to cause problems. The bad actors want ransomware to stay shameful and secret, not planned for, and the public alarm is helping. Being public and honest about this threat and not enabling its proliferation with ransom money will protect individuals and industry.

Strategies for Protection

While the weirdly personal and frantic nature of ransomware makes it unique, the standard advice for protecting yourself from ransomware remains the same.

Use antivirus software, and be on the lookout for phishing attacks that could carry a ransomware payload. Frequent backups can make it far easier to recover from any kind of malware, although some ransomware has found ways to worm into backup systems. Maintaining cloud backups (secured by two-factor authentication) and offline backups may help. As a side note, security companies should also stop paying ransoms.
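The backup advice above has a practical edge to it: a backup only helps if you can prove it is intact before you restore from it, because ransomware that reaches the backup store leaves you with nothing to fall back on. The following is an added example, not code from PCMag or from any backup product, written with only the Python standard library. The directory layout, the file contents, the `manifest.json` format and the simulated data loss are all constructed for the demonstration.

```python
"""Added example: back up a directory with a SHA-256 manifest, refuse to
restore from a backup that no longer matches its manifest, and show that
tampering with the backup store is detected. Everything here is constructed
for illustration (hypothetical paths and files, not a real product)."""
import hashlib
import json
import os
import shutil
import tempfile

MANIFEST = "manifest.json"  # constructed name for the digest list


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def _files_under(root):
    """Relative paths of every file under root, excluding the manifest."""
    out = set()
    for base, _dirs, files in os.walk(root):
        for name in files:
            rel = os.path.relpath(os.path.join(base, name), root)
            if rel != MANIFEST:
                out.add(rel)
    return out


def take_backup(src_dir, backup_dir):
    """Copy src_dir to backup_dir and record a digest for every file."""
    if os.path.exists(backup_dir):
        shutil.rmtree(backup_dir)
    shutil.copytree(src_dir, backup_dir)
    manifest = {rel: sha256_file(os.path.join(backup_dir, rel))
                for rel in _files_under(backup_dir)}
    with open(os.path.join(backup_dir, MANIFEST), "w") as f:
        json.dump(manifest, f, indent=2, sort_keys=True)
    return manifest


def verify_backup(backup_dir):
    """Return (ok, problems). Missing, altered or unlisted files are flagged;
    ransomware that wormed into the backup store shows up as 'altered'."""
    with open(os.path.join(backup_dir, MANIFEST)) as f:
        manifest = json.load(f)
    problems = []
    for rel, digest in manifest.items():
        full = os.path.join(backup_dir, rel)
        if not os.path.exists(full):
            problems.append(f"missing: {rel}")
        elif sha256_file(full) != digest:
            problems.append(f"altered: {rel}")
    for rel in sorted(_files_under(backup_dir) - set(manifest)):
        problems.append(f"unlisted: {rel}")
    return (not problems, problems)


def restore(backup_dir, dest_dir):
    """Restore only from a backup that verifies cleanly; otherwise refuse."""
    ok, problems = verify_backup(backup_dir)
    if not ok:
        raise RuntimeError("backup failed verification: " + "; ".join(problems))
    if os.path.exists(dest_dir):
        shutil.rmtree(dest_dir)
    shutil.copytree(backup_dir, dest_dir,
                    ignore=shutil.ignore_patterns(MANIFEST))
    return sorted(os.listdir(dest_dir))


def demo():
    """Constructed scenario: back up two files, simulate the live copies being
    destroyed, recover from the verified backup, then show that a later
    modification of the backup store itself is caught by verification."""
    work = tempfile.mkdtemp()
    live, backup = os.path.join(work, "live"), os.path.join(work, "backup")
    os.makedirs(live)
    with open(os.path.join(live, "photos.txt"), "w") as f:
        f.write("family photos\n")
    with open(os.path.join(live, "ledger.csv"), "w") as f:
        f.write("date,amount\n2021-06-01,42\n")
    take_backup(live, backup)
    for name in os.listdir(live):  # simulated loss: live files overwritten with junk
        with open(os.path.join(live, name), "wb") as f:
            f.write(os.urandom(32))
    backup_verified = verify_backup(backup)[0]
    restored = restore(backup, live)
    with open(os.path.join(live, "photos.txt")) as f:
        photos_recovered = f.read() == "family photos\n"
    with open(os.path.join(backup, "ledger.csv"), "a") as f:  # tamper with the store
        f.write("tampered\n")
    tampered_ok, problems = verify_backup(backup)
    shutil.rmtree(work)
    return {"backup_verified": backup_verified, "restored_files": restored,
            "photos_recovered": photos_recovered,
            "tampered_backup_detected": not tampered_ok, "problems": problems}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The point of the manifest is that the decision to restore is made on evidence rather than hope: a backup whose digests no longer match is treated as compromised and is not used. In practice the manifest (or a signature over it) belongs somewhere the live system cannot write to, which is the same reason the article recommends offline and two-factor-protected cloud copies.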

The pressure on corporations as cogs in the global supply chain to capitulate and get back to normal is enormous. Those companies should consider that they will still lose money recovering from the attack and investing in protection against the next attack. Ransom money just makes that price higher.

A successful ransomware attack isn't one that encrypts your files, but one where the attacker gets paid. That means the best thing you as an individual, but especially big corporations, can do to stem the spread of ransomware is keep your wallets closed. It will be painful, but we cannot trust crooks to return access to our systems and data, nor can we keep rewarding them for their crimes.


About Max Eddy

Lead Security Analyst

Since my start in 2008, I've covered a wide variety of topics from space missions to fax service reviews. At PCMag, much of my work has been focused on security and privacy services, as well as a video game or two. I also write the occasional security columns, focused on making information security practical for normal people. I helped organize the Ziff Davis Creators Guild union and currently serve as its Unit Chair.
