Hard Choices in a Ransomware Attack

Ransomware attacks started as a novelty but have now become a clear and present danger to entities of every size and function. The number of ransomware attacks and the price of demanded ransoms have escalated steeply since 2018. Legislation and policy have not kept up. Policymakers have sought to shape the incentive structure for victims to incentivize defense and disincentivize ransom payments. While they are sympathetic to businesses who fall victim to these attacks, which can sometimes be existentially threatening, few policymakers (or their staff) have ever experienced the shock of an attack firsthand and, as a result, are searching with incomplete information for the right combination of carrots and sticks that will help victims and hurt attackers.

This report aims to put the reader in the shoes of the victim—the shocking, powerless moment of realization of a ransomware attack. It walks through a set of decisions that victim must make on their worst day and in the weeks to follow. How well an entity succeeds in navigating that peril depends on decisions made well before an attack, so the report also makes recommendations for both government and industry on how to encourage preparation and simple defensive steps.

This report is made possible by the generous support of Microsoft Inc.

Emily Harding
Deputy Director and Senior Fellow, International Security Program