Take On Payments, a blog sponsored by the Retail Payments Risk Forum of the Federal Reserve Bank of Atlanta, is intended to foster dialogue on emerging risks in retail payment systems and enhance collaborative efforts to improve risk detection and mitigation. We encourage your active participation in Take on Payments and look forward to collaborating with you.
Ransomware: To Pay or Not to Pay?
Ransomware attacks against high-profile corporate, educational, and governmental entities continue to make the news. What the media often overlook, however, are the continuing attacks against consumers' home networks and devices. Imagine your panic when you turn on your personal computer and you get a message demanding $500 in cybercurrency or gift cards for your tax, banking, investment management, family photo, and other important files that a criminal has encrypted. Do you pay or not?
Law enforcement and cybersecurity professionals almost all say "no." A March 2021 report from a cybersecurity firm described a study of 15,000 consumer ransomware attacks in 2020 worldwide. In more than half of these attacks (56 percent), the victims paid the ransom—but only 17 percent of those making payment regained full access to their files. Adults 55 and older were the age group least likely to pay a ransom (11 percent), while the 35–44 age group, at 65 percent, was most likely to pay.
Arguments against payment are threefold:
- It encourages further attacks because the victim has already shown willingness to pay.
- It rewards criminal behavior and provides funds for additional attacks.
- It may not result in 100 percent recovery of files.
Those consumers making a ransomware payment do it because they hope the payment will restore their files faster and they'll soon resume normal use of their computer.
As this type of cybersecurity attack against consumers and businesses continues to increase, education about how it works and the defenses that should be put in place is critical. What is the best way to provide that? Let us know what you think.