December 8, 2019

Is paying a ransomware demand ever the right thing to do?

Conventional wisdom, not to mention Hollywood wisdom, tells us that paying the kidnapper is always a mistake (think The Big Lebowski or Fargo!). Our parents warned us to stand up to bullies, right? Successful poker players know how to tough out the dead man’s hand, and even the smallest dog on the street knows to bark like hell when faced with a threat. We know all this and yet we see a distinct rise in the number of businesses willing to pay ransomware attackers. What the??

Ransomware isn't new, but it is on trend. Specialist attackers deploying ransomware don't destroy our data; they hold it hostage, making it inaccessible without the intervention of the attackers' complex numeric key. This key usually comes at a premium, if it comes at all. Many have paid out for nothing: no return of their data. A gratuitous, sinister abduction, just because they can.

With attacks becoming more wily and more intractable, perhaps it is not surprising that many surrender to the onslaught. Stronger encryption, more duplicitous means of injection, and the capacity to launch simultaneous attacks across entire infrastructures are frightening possibilities for enterprises of any size, particularly for the little guy. Fragile and inadequate defences, coupled with an enervated belief in the power of state, government or individual to locate and prosecute culprits, have led many public and private entities to fork out the blood money. In their estimation, it is easier, cheaper, and less damaging to their reputations to cave. Restructuring and rebuilding data infrastructures and security systems is often so prohibitive in both time and budget that the unthinkable is the only course of action.

The growing number of ransomware negotiation businesses, with lofty titles such as ‘Ransomware Recovery First Responders’, is evidence of the severity of the situation. Despite advice to the contrary from the FBI, Department of Homeland Security, the NSA, Interpol, and Europol, etc. etc., many ultimately choose the path of least resistance, and it’s easy to see why:
For the most part the attackers do their best to be helpful, which creates an odd dynamic to say the least. But at the end of the day, the criminals are running a business, and they know that if their decryption does not work, word will get out quickly.
-- Bob Siegel, CEO of ransomware negotiator Coveware

Increasingly, enterprises are choosing to pay and then claim back through their cyber-insurance policies, paying a hefty premium for the privilege. The Lake City, Florida payout is a case in point. Another spin-off winner from the ransomware roadshow is born! A recent sting operation by ProPublica caught two ‘cyber-security’ firms trying to exploit an already difficult situation by offering to unlock victims’ data with their ‘advanced’ technology. In fact, they were merely paying the ransoms and charging their customers an extortionate rate for the return of their data. It is a sad fact that ransomware is a money-spinner not just for the hackers.

While advocates argue the business case for ransom payouts, the public at large is unconvinced. The majority of respondents in an IBM Security and Morning Consult survey voiced their unease with the practice. 60% of taxpayers in the survey think paying hackers is unethical. The survey also shows, however, that respondents fail to grasp the severity of the situation and are reluctant for their government and state authorities to fortify cyber-security measures. The recent attack on the city of Baltimore’s computer network is an example of the little guy getting it in the neck. The Department of Public Works was unable to send water bills while its systems were paralyzed, so large catch-up bills later went out to taxpayers. Still, the public is wary of increased defences. A catch-22.

It is easy to make noble pronouncements on the ethics of meeting hackers’ demands. It is not so easy to rebuild your business or your life when they are decimated by a ransomware attack - the horns of the dilemma. There can be little doubt that any payment to ransomware attackers isn’t going into little Timmy's college fund. If businesses choose to pay, they must do so knowing they are feeding a larger crime revenue stream. In essence, they are financing organized crime. Can you make peace with that?