DISCLAIMER: This case study depicts a fictional cyber incident based on real-life scenarios described by expert interviewees, media reports, and other publicly available resources. While the details surrounding the characters, company, and ransomware attack are imagined, the business concerns and legal issues raised are plausible and based on actual cases.

If Vulnerable Electric (VE) refuses to pay the $5 million ransom, the company will have to reprovision more than 100 devices, including one server. Plus, the threat actors could publish employees’ personal information on the dark web. It would be awful. The company would be forced to notify employees of the outcome and open itself up to endless litigation and reputational damage. It might be smarter just to pay now and at least try to save the company from potential lawsuits and revenue loss, plus future costs of continued downtime.

If VE does pay the $5 million, which the chief financial officer says the company could sustain, the adversary could provide a decryption key—or they could not. They could also just demand more money. Or dox the data anyway. By law, the company must notify impacted parties of the personal data breach no matter what. VE could wind up facing the same legal and reputational fallout as if it did not pay but still be out $5 million (or more) while also making it a soft target for another attack, bankrolling a criminal enterprise, and contributing to the continuance of the ransomware epidemic in the United States.

Which path do you take?