We’ve all read about ransomware attacks. When it happens to someone else, it’s easy to advise the victim not to pay up. After all, you don’t want to encourage the ransomware business model. 

However, there’s a lot of debate about whether small and medium-sized businesses (SMBs) that fall victim to ransomware should pay it. We all know it’s wrong to pay data terrorists, but it can be hard to stick to that when it’s your data that’s being held hostage. 

Should you pay ransomware? 

Out of the many types of malware out there, ransomware is among the most feared. When a device is infected with ransomware, its data is encrypted and locked away by someone who demands you pay a ransom to get it back. 

Like many cyberattacks, ransomware often comes to your inbox disguised as legitimate-looking attachments or website links. Sometimes, cybercriminals exploit unpatched software to gain access to your data.

Once your device is compromised, ransomware starts by infecting a local machine, spreading across files and folders before gaining access to the network. Then it spreads to other computers on that network. 

Users learn they’ve been infected when they can no longer access their data, or when they start seeing onscreen messages demanding payment for the return of their data. The culprits usually demand their ransoms in Bitcoin, an untraceable internet currency that preserves their anonymity. 

While a ransomware attack may take different forms in different companies, one thing is always the same: bad things happen when you’re hit with ransomware.

  1. You can lose access to (and control of) sensitive information.
  2. Your business operations can get interrupted.
  3. You can lose money, whether you pay the ransom or not.
  4. Your organization may suffer damage to its reputation.

What does the FBI say?

The FBI doesn’t support paying ransomware. However, when it’s your data and business on the line, the decision becomes much more complicated. So, why shouldn’t SMBs pay ransomware?

  1. There’s no guarantee you’ll get your data back. Sure, cybercriminals say they’ll return your data if you pay, but these are criminals, after all—you can’t just assume they will keep their word.
  2. Paying the ransom encourages more attacks. You may get your data back, but you are encouraging the culprits, and others like them, to do it again. You might even be added to a list of “easy targets.”  
  3. Cyber-criminals rarely limit themselves to one type of crime. If you pay the ransom, you may be funding other types of criminal activity.

Ransomware and small businesses: how to avoid infection

What happens if, despite your best efforts, a ransomware infection finds its way into your systems, crippling your organization? When all of your data has been hijacked and encrypted, you need to make some decisions. You can:

  1. Cut your losses and start over. You’ll have your money and your principles, but you won’t have your data. While this may seem like a moral victory, you could lose much more money and business in the long run by doing this. For most businesses, it just isn’t a viable option.
  2. Try to get your data back and keep your money. If you’re technically inclined, you may try to beat the hacker at their own game and recover your data on your own. This is a high-risk, resource-intensive option with no guarantee of success. 
  3. Pay someone else to recover your data. Whether or not you hire the right person, this too is a high-risk and high-cost option that has no guarantee of success. 
  4. Pay the ransom. Paying the ransom is an option, even though it is morally and financially problematic. If you pay, you’ll be supporting the ransomware industry and, on top of all that, you might not even get your data back. 

The best option? Prevention

Victims of ransomware attacks quickly find that their options for getting their data back are far from perfect. The best option is to proactively take steps that are designed to prevent these infections in the first place, or contain them if they do happen. The best way to combat ransomware is to step up your prevention efforts, both by implementing actual computer controls and by educating yourself and your employees. These measures can include: 

  1. Training employees on what ransomware is and how to avoid it
  2. Keeping antivirus solutions up-to-date
  3. Patching all operating systems, software, and firmware as needed
  4. Reviewing user permissions frequently to keep unnecessary data access to a minimum 
  5. Disabling macro scripts from files that are shared via email
  6. Establishing a schedule to back up your data and ensure that all backups are secure
  7. Implementing software restriction policies so programs won’t execute from locations where ransomware might live on your computer, such as temporary folders
  8. Developing and regularly testing a disaster recovery and business continuity plan

Ransomware and small businesses: combating the fear

Ransomware is a business interruption that we all fear. As mentioned, the best way to combat it is to take preventative measures. However, it’s a good idea to have a plan to follow in case you do fall victim to an attack. 

Even disregarding ethical considerations, paying the ransom is rarely the right move—primarily because there’s no guarantee you’ll actually get your data back. This is why, above all, you need to make sure that your important files are backed up in a secure location.

We never know how we’ll react to a situation until we’re in it. However, with some well-conceived preventative and reactive controls, you’ll rest easier at night knowing that you’ve considered the risk that cybercriminals present, and have developed a plan in case they attack.