Date: 2021-05-18

That would mark a considerable change from the status quo, in which a class of professional data hostage negotiators advise their clients that they have little choice but to pay the ransom — and buy silence alongside their stolen data.

My guide to the issue, Seth Berman, a cyber lawyer with decades of experience in the field, points out that the costs go beyond a public data breach. Frozen data can shut down a company’s operations and kill revenue. These costs are almost inevitably higher than the price set by the pirates. And the costs are rising as pirates get bolder: One estimate found that the total costs of an attack rose from $761,106 in 2020 to $1.8 million in 2021.

According to Berman, pirates are increasingly aware of the damage they can inflict. Logically, they will always try to set the ransom below the company’s estimate of the costs of going offline or having its data exposed. And rationally, it makes sense to go after large companies, where the average ransom was $170,404 last year, as opposed to individuals; most people don’t bother to pay the ransom (they just buy a new computer) and even when they do pay, the average ransom demanded is just $504.