Logo Leicom ITEC AG
Spiegelung Gebäudefassaden Spiegelung Gebäudefassaden

To pay or not to pay?

15.10.2024

Previous newsletter article, week 42:

<-- Attack on Kawasaki Motors Europe

The company's IT system is blocked, no backup is available, and recovery is taking too long. The damages seem immeasurable, and the ransom demand of 50,000-100,000 CHF (or more) almost appears to be a small sum given the severity of the situation. However, it is crucial that the decision is made with full awareness and without panic.

Here are some key points to consider before making a decision:

Paying does not guarantee data recovery.

The hacker receiving the payment, usually through cryptocurrencies like Monero or Bitcoin, which are anonymized via Coin Mixer or Tumbler, cannot determine WHO made the transaction.

There is no guarantee that the extortionist will honor the agreement: even if the hacker knew the payer's identity, there is no certainty that the data would be returned. Essentially, one would have to trust a criminal who is extorting them. Additionally, paying could position the company as an "ATM," attracting future attacks.

Complex legal aspects: although paying ransom is not explicitly illegal in Switzerland or other countries, the legality depends on the context and the recipient. Certain regulations may be violated, such as:

  • Anti-money laundering laws: the payment may violate anti-money laundering laws if the company cannot verify the recipient's identity (and it usually cannot).

  • International sanctions: if the payment reaches terrorist groups or sanctioned individuals, this could breach Swiss and international laws.

  • Due diligence obligations: companies may need to prove they did everything possible to prevent the attack and that payment was the last resort. Have adequate preventive measures been taken?

Reputational damage from financing criminals: regardless of legality, financing criminals could severely damage the company's reputation if it becomes public knowledge.

Given the complexity, companies should always consult legal experts before making any payments. However, it is reasonable to believe that paying could lead to more severe damage than data loss.

Since these cases are complex, consulting legal experts before taking any action is advisable. However, one should be aware that payment could result in worse consequences than the mere loss of data.

Considering the points mentioned, the best decision seems to be not to pay the ransom. Kawasaki Motors Europe, for example, made the right choice by not complying with the demand, though a more proactive strategy could have prevented the situation. The best approach is to prevent such scenarios. Adequate protection and a functional recovery plan can avoid the need to face such a difficult decision.