FBI Acknowledges Some Businesses Might Pay in Ransomware Attacks

While the FBI steps up its fight against ransomware, new guidelines leave a bit more room for companies that choose to pay, although the bureau says it’s still essential to notify authorities as soon as an attack takes place.

Ransomware attacks are becoming more surgical, specifically targeting businesses and government institutions. Healthcare organizations are among the most vulnerable, but the ransomware threat extends much further than that.

Using complex ransomware tools, criminals encrypt victims’ computers and demand money in exchange for a decryption key. As a possible side business, hackers can also steal sensitive data as part of the same operation.

The FBI’s new guidelines are meant to let companies know what they should do in the event of a ransomware attack. The first item on the list is to notify authorities, but the more sensitive topic is the actual ransom. The FBI has always said firmly that ransoms must not be paid, but the bureau now acknowledges that companies might choose to pay.

“Paying ransoms emboldens criminals to target other organizations and provides an alluring and lucrative enterprise to other criminals,” says the FBI in a Public Service Announcement (PSA) issued as an update and companion to Ransomware PSA I-091516-PSA. “However, the FBI understands that when businesses are faced with an inability to function, executives will evaluate all options to protect their shareholders, employees, and customers.”

“Regardless of whether you or your organization have decided to pay the ransom, the FBI urges you to report ransomware incidents to law enforcement.”

To be clear, the FBI doesn’t say it’s OK to pay the ransom, just that it’s understandable in urgent situations. The recent ransomware attack against three hospitals in Alabama is the perfect example of a critical scenario.

Safeguards against cyber-attacks include regular backups; up-to-date operating systems, software, and firmware; and the adoption of a security solution that can cover even unpatched endpoints.