Like many CyberSecurity researchers yesterday, I received press inquiries about the massive NHS ransomware attack in Europe. A Washington Post reporter asked me if victims should pay the ransom, and I gave a long and somewhat nuanced answer. The reporter clearly did not have enough space for my full response, so she summarized it in her story stating that I do not think the ransom should be paid, giving two of my reasons. First and foremost, you are funding the bad guys and "legitimizing" their approach from a business perspective. Second, there is no guarantee that the attackers will actually restore your files or that they won't demand more money the next day.
While I hold these opinions, I think the real-life answer is more complicated. It is easy for me, sitting in my office, logged into my computer with access to all of my important data, to say that you should not pay. However, if I were in an emergency room, and a patient came in with a serious situation that required me to log into a hospital system in order to enable proper treatment of this person, and a ransomware screen said that if I paid $300 in bitcoin the system would unlock, it is hard to imagine that I would not do everything within my power to help this individual.
Ransomware attacks are a particularly nasty form of extortion and blackmail. Whenever you succumb to these threats in any context, you risk further abuse. My general philosophy is to take the immediate loss and figure out how to move forward without paying any ransom. Of course, there are circumstances I can conceive of where even a infinitesimally small chance of recovering from a situation would be worth everything material that I have. So clearly ransomware hostages need to consider each occurrence on a case by case basis.
The best way to deal with ransomware, obviously, is to avoid it in the first place. Keep meticulous backups on a regular schedule. For some ransomware, such as the one in the recent attack that locks people out of their systems rather than just encrypting file, backups may not be sufficient. Strong security is the best antidote to ransomware and other forms of attack. But at the end of the day, if you are faced with a "should I pay" decision, you will have to weigh all the factors and make the best decision based on your circumstances.