Good article, thank you Ren.

With regard to paying ransoms, I personally oppose it.

Many companies don't have a comprehensive incident response plan, one that goes beyond IT to include Legal, Public Relations, other internal stakeholders, and external stakeholders like business partners and law enforcement. In these events, companies are learning as they go. Often those lessons are quite a bit more painful without a plan.

I don't know about the victim in this case, but if we suppose for the sake of the argument that they had an excellent plan including all relevant stakeholders, I imagine their thinking could have gone like this:

  • We're losing $BIGNUM per hour
  • The ransom will save us way more money than it will cost
  • We're obligated to our shareholders to stop the losses

Barring a Board of Directors policy forbidding the payment of ransom, the executive leadership of the victim company may very well feel legally compelled to pay it to preserve shareholder value.