12 November 2024

Ransomware Payment Demands: What You Need to Know

Along with causing operational chaos, ransomware attacks put the finance department of a business under real pressure. Ransomware groups work behind the scenes, encrypting files so that you can’t access them. The climax of an attack is the ransom note: a demand for money in exchange for the decryption key needed to recover your files. Paying might seem like the obvious answer, but it is a decision that needs careful consideration before any money changes hands.

An alternative is to contact a ransomware recovery team for assistance, because paying the ransom can leave you open to further attacks and never guarantees that you will get your data back.

At Solace Cyber, we have Digital Forensics & Incident Response Teams across the UK who are experts at containing an attack, eliminating the root cause and recovering your network. In most cases, this will all be done without negotiating with the attackers. Our team will do everything they can to avoid paying the ransom demand and get your business back up and operating as quickly as possible.

Below, we discuss ransom demands made by ransomware groups and explain what you need to consider when in this position.

Common Ransomware Payment Demands

By and large, ransomware groups are motivated by money, so they encrypt your files for leverage to get you to pay. While ransom demands are common, the amounts and conditions vary significantly depending on your industry, your revenue and your perceived ability to pay. Attackers research this before they strike, looking at your business's financial capacity, public revenue data and any cyber insurance coverage they can find.

Typical amounts and demands:

  • Smaller businesses are often targeted, as attackers assume they lack advanced cybersecurity measures and may find it more economical to pay the ransom. Demands can vary from a few thousand pounds up to £50,000.

  • Medium-sized businesses are usually targeted by industry. For example, healthcare and legal businesses are often targets because of the sensitivity of the data. Typical ransom demand for mid-size businesses can range from £50,000 to £500,000.

  • Large enterprises are targeted because they are believed to be able to pay more. The attackers will often demand between £1 million and £10 million. They might request more if the data is highly sensitive or if they believe the firm can afford more.

Ransomware is an ever-changing landscape, and in recent years it has become commonplace for these groups to practise double extortion. They not only encrypt the data but also steal a copy and threaten to release or sell it if their demands are not met. This dual threat significantly increases the pressure on the victim organisation to comply. Attackers have also been seen to offer discounts or flexible payment terms when a business says it cannot meet the full demand.

Payment demands

Ransomware groups have been known to ask for specific payment methods:

  • Cryptocurrency - Bitcoin is the typical request because of its pseudonymous nature, ease of transfer and widespread availability. Bitcoin is pseudonymous rather than anonymous: payments are recorded on a public ledger, which is why investigators can often trace where a ransom went.

  • Privacy coins - attractive to attackers because their enhanced privacy features make transactions far harder to trace on the ledger.

  • Anonymous prepaid cards or gift cards - less frequent, and usually only seen with smaller demands.

  • Cash transfers via money mules - attackers may use "money mules", intermediaries who receive the ransom payment and forward it to offshore accounts.


How Ransom Demands Are Communicated

Recognising that your system is under attack isn’t always straightforward. In many cases the first sign of an attack is the ransom demand itself, which arrives only after the attackers have finished gathering what they need and encrypting your files.

Attackers often use tactics designed to create a sense of panic and urgency, aiming to pressure you into paying the ransom quickly without much deliberation.

Initial notifications can come in the form of:

  • Pop-up messages on infected devices

  • Text files in encrypted folders

  • Direct emails to key employees
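The ransom note dropped into every encrypted folder is itself a useful indicator, because it is the same small text file repeated across the whole file tree, sitting next to files that no longer look like documents. The script below is an added example written for this page, not Solace Cyber's tooling: it walks a directory tree, flags a small text file that repeats across several folders and mentions payment or decryption as a probable ransom note, and flags near-random (high-entropy) files as probably encrypted. The note name, the ".locked" extension, the keyword list and the thresholds are assumptions chosen for the constructed sample tree; real incidents vary.

```python
"""Triage script for the on-disk signs of a ransom demand: a repeated note file
and high-entropy (encrypted) files. Illustrative code added for this article;
file names, keywords and thresholds are assumptions, not observed indicators."""
import hashlib
import math
import os
import random
import tempfile
from collections import defaultdict

# Assumed heuristics: a note is a small UTF-8 text file that appears in several
# directories with identical content and talks about payment or decryption.
NOTE_KEYWORDS = ("decrypt", "bitcoin", "payment", "ransom")
MIN_NOTE_DIRS = 3           # same note in at least this many directories
MAX_NOTE_BYTES = 16 * 1024  # notes are small; entropy is measured on this prefix
ENTROPY_THRESHOLD = 7.5     # bits per byte; ciphertext sits close to 8.0


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: ~8.0 for ciphertext, roughly 4 to 5 for English text."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def looks_like_note(data: bytes) -> bool:
    """True if the bytes decode as UTF-8 text and mention one of the keywords."""
    try:
        text = data.decode("utf-8").lower()
    except UnicodeDecodeError:
        return False
    return any(k in text for k in NOTE_KEYWORDS)


def scan_for_ransom_indicators(root: str) -> dict:
    """Walk `root`; return repeated ransom-note candidates and high-entropy files."""
    by_content = defaultdict(set)  # (file name, sha256) -> directories it appears in
    high_entropy = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                data = fh.read(MAX_NOTE_BYTES + 1)
            if len(data) <= MAX_NOTE_BYTES and looks_like_note(data):
                by_content[(name, hashlib.sha256(data).hexdigest())].add(dirpath)
            elif shannon_entropy(data) >= ENTROPY_THRESHOLD:
                high_entropy.append(path)
    notes = [
        {"name": name, "sha256": digest, "directories": sorted(dirs)}
        for (name, digest), dirs in by_content.items()
        if len(dirs) >= MIN_NOTE_DIRS
    ]
    return {"ransom_notes": notes, "high_entropy_files": sorted(high_entropy)}


def build_sample_tree(root: str) -> None:
    """Constructed sample data: three 'encrypted' folders, each with one random-byte
    file and a copy of the same note, plus one untouched folder with an ordinary file."""
    rng = random.Random(2024)  # seeded so the sample is reproducible
    note = (b"YOUR FILES HAVE BEEN ENCRYPTED.\n"
            b"To decrypt them send payment in Bitcoin within 72 hours.\n")
    for d in ("finance", "hr", "legal"):
        folder = os.path.join(root, d)
        os.makedirs(folder)
        # Encrypted output is near-uniform random bytes; ".locked" is an assumed extension.
        with open(os.path.join(folder, "report.xlsx.locked"), "wb") as fh:
            fh.write(bytes(rng.getrandbits(8) for _ in range(4096)))
        with open(os.path.join(folder, "README_TO_RESTORE.txt"), "wb") as fh:
            fh.write(note)
    clean = os.path.join(root, "public")
    os.makedirs(clean)
    with open(os.path.join(clean, "notice.txt"), "w", encoding="utf-8") as fh:
        fh.write("Office closed on Monday for maintenance.\n")


def demo() -> dict:
    """Build the constructed tree in a temporary directory and scan it."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        return scan_for_ransom_indicators(root)


if __name__ == "__main__":
    result = demo()
    for n in result["ransom_notes"]:
        print(f"ransom note {n['name']} found in {len(n['directories'])} directories")
    print(f"{len(result['high_entropy_files'])} high-entropy (possibly encrypted) files")
```

Run against a real share, the "directories" list for a note tells you the blast radius of the encryption, and the high-entropy list shows which files need restoring from backup. The entropy test alone is not conclusive (compressed archives and images also score near 8.0), which is why the repeated note is the stronger of the two signals.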

Along with the demand notes, they will often use escalation techniques to further add pressure.

These can include:

  • Countdown timers to the deadline

  • "Proof of life" - decrypting a few files for free to show that their key works

  • Threats of data leak or “double extortion”

  • Emails to key stakeholders and clients

  • Increasing the ransom demand over time

  • Personalised communication and manipulation

Ransomware attackers employ a range of tactics and techniques to create a balance of intimidation and incentives to push you toward payment.


What Should You Do: Should I Pay the Ransom?

If you receive a ransom demand for encrypted files, you should take a step back and take time to consider your options. In most cases, paying the ransom isn’t the way forward.

Things to consider:

  • Risk of non-recovery even after payment - gaining access to your files after paying isn’t guaranteed. Even if the decryption key does work, files may still be corrupted or incompletely restored.

  • Risk of further extortion - if you pay, attackers might take advantage of that and demand additional payments or threaten to leak the information even after payment.

  • Fuelling cybercrime - paying a ransom can contribute to the growth of cybercrime by financially incentivising criminals to continue their operations.

  • Legal and compliance concerns - if the group or individuals behind the attack are subject to financial sanctions, paying the ransom may breach those sanctions, which is a criminal offence that could result in imprisonment or additional financial penalties.

  • Becoming a soft target - by paying the ransom once, you might be viewed as an easy target for further attacks.

  • Cost of recovery without paying - you should consider the cost and time it will take to restore your network without paying the ransom. For some, this might be more financially feasible and preferable.

  • Insurance coverage - some businesses carry cyber insurance policies that may cover ransom payments or provide funds for recovery. However, reliance on insurance alone is risky; insurers may refuse to pay if the business did not meet specific security requirements before the incident.

  • Incident response and forensics - paying the ransom does nothing to remove the attackers' access. If the initial entry point is still unknown, your system remains compromised, so you will still need an incident response team and a forensic investigation to find the root cause and secure the network.

  • Reputational impact - paying a ransom can harm your reputation if word gets out.

Deciding whether to pay a ransom is a complex decision often filled with panic, stress and urgency. However, it is essential to take time to think through the options so that you can make an informed decision and establish a plan of action that goes beyond paying the demand - if that is what you choose to do.

Ransomware Response Support from Solace Cyber

When in this situation, it is advisable to speak to ransomware recovery experts, such as Solace Cyber.

Our cyber security specialists can utilise their experience and a wealth of knowledge to predict outcomes of various situations and guide you towards the optimal resolution.

In most cases, we will recommend not paying the ransom demand and instead employing our Digital Forensics & Incident Response Team to assess the situation, contain it and eliminate the attack before recovering files (where possible) and restoring a safe system and network.

Part of our recovery process involves preserving and handling evidence carefully so that it can be used in criminal proceedings or insurance claims.

Additionally, our service goes beyond dealing with the attack, as we will work with you once your system is safe to provide long-term protection strategies to reduce the risk of future attacks.

If you are under attack and have received a demand note from a ransomware group, get in touch with our expert team today by calling 01202 308818.


Solace Cyber, part of Solace Global, helps companies across the UK recover from ransomware attacks and data breaches.


Solace Cyber Limited is registered in England & Wales no. 14028838

Solace Global

Twin Sails House,
W Quay Rd,
Poole, BH15 1JF
United Kingdom
