How Boards Really Decide During a Ransomware Attack

Most technical professionals view ransomware as a technical problem (restore from backup, patch the CVE). But to the Board, it is purely a business survival calculation.

The question hanging in the air, “Do we pay the ransom or do we shut down?”, is the single most dangerous query a Board of Directors can entertain in the heat of a crisis. It suggests a binary outcome where one doesn’t exist.

It implies that there is a clean exit door if we just swipe the corporate credit card, or conversely, a noble path of resistance that won’t result in catastrophic financial bleeding. Both assumptions are lies.

Here is the TL;DR breakdown:

The Trap of Paying (Door #1)

The instinct is to pay to stop the pain. It feels like a transaction. Criminal tech support is terrible. Decryptors are often buggy or corrupt large databases. You might pay $15M and still have to rebuild manually. If the attacker is on a sanctions list, paying them is a federal crime. You are trading a technical crisis for a DOJ investigation. Additionally, paying doesn’t stop them from leaking your data. It just funds their next R&D cycle.

The Brutal Reality of Not Paying (Door #2)

The moral high ground is expensive. Look at Norsk Hydro (2019). They refused to pay. They were heroes. But they also had to switch massive aluminum plants to manual operations (pencil and paper).

Can your business survive 6 weeks of zero revenue? For SaaS or FinTech, you can’t switch to manual. “Not paying” without immutable backups isn’t a pause; it’s an amputation of the business.

The Real Solution: Parallel Tracks

The decision isn’t binary. In a real crisis, we run two tracks simultaneously, starting immediately after the breach is confirmed:

  1. Track A (Negotiation): Hire pros to stall the attackers. Negotiate the price down. Get “proof of life” on files. Buy time.
  2. Track B (Restoration Feasibility): Verify the actual viability of backups. (Not just “do we have them?” but “can we re-hydrate 5PB of data before we go bankrupt?”).
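
One way to put numbers on Track B, as an added example that is not part of the original post: extrapolate from a timed test restore instead of the backup system's rated speed, restore tiers in priority order, and compare against the cash runway. The tier names and sizes, the test-restore measurement, the 10% verification overhead and the linear-scaling assumption are constructed for illustration; the 5 PB total and the six-week runway echo the figures used above.

```python
from dataclasses import dataclass

@dataclass
class Tier:
    name: str
    size_bytes: int
    priority: int  # 1 = needed first to resume revenue

def measured_throughput(sample_bytes, sample_seconds):
    """Bytes/second observed in a timed test restore, not the rated speed."""
    if sample_seconds <= 0:
        raise ValueError("test restore duration must be positive")
    return sample_bytes / sample_seconds

def restore_schedule(tiers, bytes_per_sec, streams=1, verify_overhead=0.0):
    """Return [(tier name, cumulative days until restored)] in priority order.
    Assumption: streams scale linearly and tiers restore one after another."""
    rate = bytes_per_sec * streams
    elapsed, out = 0.0, []
    for t in sorted(tiers, key=lambda t: t.priority):
        elapsed += t.size_bytes / rate * (1 + verify_overhead)
        out.append((t.name, elapsed / 86400))
    return out

def feasible(schedule, critical, runway_days):
    """True if every critical tier is back before the cash runway ends."""
    done = dict(schedule)
    return all(done[name] <= runway_days for name in critical)

# Constructed sample: a 10 TB test restore took 8000 s (1.25 GB/s sustained).
RATE = measured_throughput(10**13, 8000)
TIERS = [
    Tier("archives", 3 * 10**15, 3),        # 3.0 PB
    Tier("billing-db", 2 * 10**14, 1),      # 0.2 PB
    Tier("customer-data", 18 * 10**14, 2),  # 1.8 PB, total 5 PB
]
SCHEDULE = restore_schedule(TIERS, RATE, verify_overhead=0.10)

if __name__ == "__main__":
    for name, days in SCHEDULE:
        print(f"{name:14s} restored by day {days:5.1f}")
    print("revenue-critical tiers in 6 weeks:",
          feasible(SCHEDULE, {"billing-db", "customer-data"}, 42))
    print("all 5 PB in 6 weeks:",
          feasible(SCHEDULE, {t.name for t in TIERS}, 42))
```

With these constructed inputs the revenue-critical tiers are back around day 20, but the full 5 PB takes about 51 days, which is past a six-week runway.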

We usually make the final decision on Day 3 or 4 based on which track wins.

I recorded a full breakdown of this simulation, including how to present this to your Board before the attack happens.
