Information Security News mailing list archives

Pay the ransom? Corporate lawyers say meeting some hackers' demands may be worth it


From: InfoSec News <alerts () infosecnews org>
Date: Fri, 1 Feb 2019 10:11:37 +0000 (UTC)

https://www.cyberscoop.com/ransomware-pay-hackers-worth-risk-lawyers/

By Jeff Stone
CyberScoop
Jan 31, 2019

Conventional wisdom says ransomware victims shouldn't pay their attackers, but a panel of legal experts suggested Thursday that standing firm might not always be the smartest play in the real world.

FBI officials, corporate bigwigs and public sector security bosses in recent years all have advised their colleagues to keep their wallets closed when ransomware hits. There's no honor among thieves, the logic goes, and even if you pay hackers to buzz off, who's to say they will follow through on promises to unlock encrypted data? But there are scenarios in which small and medium-sized businesses should carefully consider their decision, Mark Knepshield and Matthew Todd said during a panel discussion at the Legalweek conference in New York.

"I would say, if it's small amount, pay it," said Knepshield, a senior vice president at insurer McGriff, Seibels and Williams. "It's likely just be the easiest way out of your situation."

In a poll surveying Legalweek attendees, 86 percent said they would not pay a ransom if attackers threatened to publish stolen material online within 24 hours. That follows the traditional legal advice, with the FBI encouraging hacked businesses not to pay, in part because meeting extortionists' demands could help thieves expand their operations.

[...]


