In yet another sign that business is booming in the underworld of ransomware, Trend Micro has reported that the number of new ransomware families it observed in the first half of 2016 has already surpassed the total number observed in 2015 by 172 percent.
Such explosive growth shows that infected individuals and organisations continue to pay up, not only making these schemes profitable, but also encouraging more criminal activity.
As ransomware's extended family of malicious code continues to multiply, experts are once again debating if victimised organisations have an ethical responsibility to refuse cybercriminals' demands.
“Our stance on this is simple and clear: don't pay the ransom. Ever,” said Christopher Budd, global threat communications manager at Trend Micro.
“There is no situation where it is acceptable to pay the ransom. If you do, there's no guarantee you'll get your data back. There's no guarantee that you won't face additional demands or attacks. Finally, paying the ransom harms not only yourself but everyone because it makes crime pay and gives attackers incentives to carry out additional attacks in the future.”
Keith Price, director of Australian security consulting firm Black Swan, was less decisive on the matter.
"It's a tough one. It really depends on whether the company has sufficient backups to go back to," he told CRN. "It's a risk-based decision... If you're in a corner with no backups to go back to and you really need that data, then you have to take a chance on paying."
However, Price did point out that there is no guarantee data would be retrieved after payment. "This is even though it's in the interests of the criminals to give you the correct decryption key after payment - because that keeps the market going."
Telstra security practice director Neil Campbell told CRN that no organisation or individual should end up having to make a decision to pay or not pay a ransom.
"Because it can be avoided with a good backup regime. Whether you're a consumer, a small business or a large enterprise, always assume an outage will come at the least convenient time - and be prepared," he said.
"Like spam emails, paying the ransom funds criminals' activities. And everyone should be taking steps to shut down such practices."
Maxim Weinstein, security advisor at Sophos, took a less hardline approach.
“In theory, paying the ransom is a bad idea…With that said, theory and practice are not the same thing,” Weinstein said in an email interview with SCMagazine.com.
“There will be times where the value of getting the data back exceeds the cost of the ransom and the risk of a repeat attack. Obvious examples are a small company that would have to go out of business if it doesn't get its data back, or a hospital that would have to shut down for weeks to bring its records back online.”
Next: Some victims have backups, but still pay ransom