RANSOMWARE: TO
PAY OR NOT TO PAY?
The topic of ransomware is something we’d all like to
avoid thinking about but is something we undoubtedly
must consider. Tamer Odeh, Regional Director at
SentinelOne Middle East, explores the ethics and
implications behind paying a ransom.
Last year saw
an escalation
in the number
of ransomware
attacks striking
organisations,
with both private
and public sector agencies like local
government and education firmly in
the firing line of threats such as Ryuk
and Robinhood ransomware. Often
understaffed and under-resourced,
those responsible for delivering critical
public services are at the sharp end of
the dilemma: to pay or not to pay? It’s
a quandary that has technical, ethical,
legal, safety and, of course, financial
dimensions. In this article, I explore
the arguments both for and against.
My aim is to describe the implications
and rationale from both angles across
several different considerations.
Is paying a ransom to stop a
ransomware attack illegal?
It may seem odd to some, but it isn’t
illegal to pay a ransomware demand,
even though the forced encryption of
someone else’s data and demand for
payment is itself a federal crime under
the UAE Cyber Crimes Law.
One might argue that the best way to
solve the ransomware epidemic would
be to make it illegal for organisations
to pay. Criminals are naturally only
interested in the pay off and if that route
to the payday was simply proscribed
by law, it would very quickly lead to
companies exploring other options to
deal with ransomware and, at least in
theory, criminals moving towards some
other endeavour with an easier payout.
The idea of outlawing the payment
of ransomware demands might seem
appealing at first, until you unpack
the idea to think how it would work in
practice. A law that threatened to fine
organisations, or perhaps imprison
staff, would be hugely controversial in
principle and likely difficult to enforce in
practice, quite aside from the ethics of
criminalising the victim of a crime whose
sole intent is to coerce that victim into
making a payment.
Is it ethical to pay a
ransomware demand?
If it’s not illegal to pay a ransomware
demand, that still leaves unanswered
the separate question of whether
it’s ethical. One might argue
that paying a ransomware demand that
restores some vital service or unlocks
some irreplaceable data outweighs the
‘harm’ of rewarding and encouraging
those engaged in criminal behaviour.
Is it prudent to pay a
ransomware demand?
Even if we might have a clear idea of the
legal situation and a particular take on
our own ethical stance, the question of
whether to pay or not to pay raises other
issues. We are not entirely done with the
pragmatics of the ransomware dilemma.
74 Issue 24 | www.intelligentciso.com