I have experience with ransom demands. Part of my early career related to kidnappings in Iraq following the 2003 invasion.
It was gruesome, but there was one unwavering policy: we do not negotiate. A policy which, as I recently found, was set by a seemingly off-the-cuff reply from Nixon in 1973.
While this policy has a moral component, it is based mainly on the idea that negotiating creates a feedback loop leading to more kidnapping and ransom demands. In fact, papers like Why concessions should not be made to terrorist kidnappers make exactly this case... which we'll return to later.
In the ransomware context, the data I'd seen suggested the same thing. Sophos's The State of Ransomware report states that 92-96% of organizations that paid "don't get all their data back".
Even the ICO and NCSC had written to the Law Society saying,
"we are aware that legal advisers are often retained to advise clients who have fallen victim to ransomware on how to respond and whether to pay. It has been suggested to us that a belief persists that payment of a ransom may protect the stolen data and/or result in a lower penalty by the ICO should it undertake an investigation. We would like to be clear that this is not the case."
That makes everything clear...
So why are insurers telling the UK government they "must avoid a ban on ransomware payments"?
The Sophos stats above are reported accurately. In the most recent survey, 96% of companies that paid failed to recover all their data. However, that figure on its own gives a selective, one-sided view.
An equally valid statistic from the same survey: on average, 61% of data was restored after paying the ransom. 🤷♂️
There's a much more complex picture here...
Returning to Why concessions should not be made to terrorist kidnappers - a key conclusion is that making concessions leads to 82% more kidnappings. However, the study didn't account for the far larger number of UK/US citizens "in harm's way" compared to EU citizens, so the raw kidnapping counts aren't directly comparable.
That gap left room for the same question to be revisited by New America - which found "Citizens of countries that make concessions such as ransom payments do not appear to be kidnapped at disproportionately high rates."
This shift in analysis appears to have prompted a change of direction in the late 2010s, with more papers investigating the benefits of paying ransoms.
However, those papers rest on questionable assumptions, like "If the victim anticipates that the criminal will not return the files, then he has no incentive to pay any ransom. But if the victim will not pay any ransom, there is no incentive for the criminal to infect the computer in the first place."
This leads to guides from noted commentators like Lisa Forte at Red Goat, such as Preparing for a ransomware attack: Payment, which sets the question of morality aside and asks the central question, "Do we pay?" - followed by: if yes, this is what you need to do.
In conclusion, it seems the idea of ransomware as a business is reaching its logical conclusion: a ransom demand is no more than a business negotiation, albeit under duress.
In fact, Preparing for a ransomware attack: Payment describes running due diligence on your attackers to confirm they will keep their word. Oddly, it appears they may well do so.
But, with all this said, it is essential to remember that having anti-malware and backups in place (backups that are tested, and kept where the attacker can't encrypt or delete them) will always be less disruptive and costly than negotiating and paying a ransom. Backups address the encrypted data, not the stolen data the ICO letter refers to; but, as that letter makes clear, paying doesn't protect the stolen data either.