Is it wrong to pay ransom?
In May 2021, German chemical distribution company Brenntag was hit by a massive ransomware attack that disrupted its operations in North America. To retrieve some 150 GB of encrypted data, the company ultimately paid a ransom worth $4.4 million at the time. The event made headlines as perhaps the biggest ransomware attack ever.
On July 7, 2021, software vendor Kaseya was hit with a ransomware demand for $70 million in bitcoin in order to resume services for some 1,500 Kaseya clients and businesses further downstream. The event made headlines as perhaps the biggest ransomware attack ever.
You can see where this is going.
Ransomware has long been on a trajectory from bad to worse, with security experts sounding the alarm, decrying the tactic as one of the most nefarious threats that organizations face today.
The statistics are indeed frightening. In the 12 months leading up to April 2021, security company Sophos says that 37 percent of the 5,400 businesses it surveyed were hit by ransomware attacks. The average bill for remediating a ransomware attack, including downtime, lost business, and the cost of the ransom itself, was $1.85 million.
Given the potential for a severe negative impact to business, it's hard to blame those who pay up. Doing so may well be in the best interests of the organization, employees, and customers. Whether it is in the best interests of society is a less clear and more fraught question.
The downsides of paying ransom
Ransomware has become such a problem that it has generated a popular debate around a singular question: Should a business ever pay a ransom?
The conventional wisdom typically holds that no, ransoms shouldn't be paid, under the "never negotiate with terrorists" mantra. Companies that pay ransoms often face a loss of customer trust and reputation in the aftermath, akin to admitting weakness in the eyes of the consumer. As well, there's no guarantee that paying a ransom will result in the attacker handing over the encryption keys or, if that happens, that data will be recovered successfully without corruption. Sophos notes that in cases where a ransom was paid, only 65 percent of encrypted data was ultimately restored, on average.
Paying a ransom may also peg the company as an easy target for follow-up ransom demands. Cybereason's 2021 Ransomware Report found that 80 percent of businesses that paid a ransom were later hit by a subsequent demand.
Such was the situation with Archery Topic, an online platform for bow sports. Founder Robert Gate says the website was attacked a few years ago, and since he felt unable to afford the downtime, he paid the "bearable" ransom demand and got his data back. The site was promptly attacked again, but, says Gate, "they asked for a huge amount which I couldn't afford anymore." He ended up having to restore his site from a recent backup—a lesson learned in the aftermath of the first attack.
And yet, despite all the downsides, businesses continue to pay ransoms. Chainalysis notes that in 2020, nearly $350 million in ransoms were successfully collected by attackers, an increase of more than 300 percent over 2019. For the time being, ransomware, for lack of a better word, works.
Few of the victims are willing to talk about it for fear of marring their reputation, but some of the worst cases get plenty of attention. Some of the largest ransoms known to have been paid to cybercriminals reached well into the millions of dollars.
Why do organizations pay? Simple: because they feel they have no other choice. Impacted companies have faced situations where attackers have disabled thousands of computers and absconded with multiple terabytes of sensitive data. These companies often have annual revenues of well over $1 billion, making the cost of a $4 million or $5 million ransom roughly equivalent to a single day of work. Fundamentally, ransoms are sometimes treated as a cost of doing business. Pay the bill, then get back to work and pretend as if nothing happened.
"The decision to pay a ransom could mean deciding whether or not the business can open its doors, access trade secrets, or retrieve patient records," says Victor Congionti, CEO of Proven Data, a company that assists victims of ransomware attacks. "Choosing whether or not to pay ransomware is incredibly complicated and not as black and white as it might seem."
Is banning ransoms the way out?
"Make no mistake: When you pay a ransom, you're funding a terrorist organization," says Jim McGann, vice president of business development at Index Engines, which develops data integrity software. "That said, I don't think not paying them is going to stop the attacks."
To be sure, the terrorism analogy is a common one, and it's widely perceived that every time a ransom is successfully collected, the situation invariably gets worse for everyone else.
The hunt for solutions has hit a fever pitch of late, with multiple states, including New York and Texas, suggesting a legal ban on ransomware payments. The U.S. Department of the Treasury has also publicly stated that paying a ransom may be a federal crime, depending on who's making the ransom demand. The idea with all of these rules is that if it's illegal for a business to pay a ransom, then attackers will be forced to look elsewhere for victims, knowing they're trying to pick an empty pocket.
It's not quite that simple. The FBI, which has taken a leadership position on ransomware investigation and remediation, has publicly stated that it opposes such legislation. "If we ban ransom payments now, you're putting U.S. companies in a position to face yet another extortion, which is being blackmailed for paying the ransom and not sharing that with authorities," said Bryan Vorndran, assistant director of the FBI's cybercrime division, at a recent Senate Judiciary Committee hearing on the matter.
"If a kidnapper stole your child and the law says don't pay them, you're in a tight spot," says McGann, agreeing with the FBI position. "You're going to do what it takes to get the child back. Companies just don't have a choice in some cases but to pay it." If you ban payouts through legislation, McGann believes those payments will largely go underground—and unreported.
High-quality backups are the best defense
What then to do about ransomware?
Cybersecurity insurance was long touted as a stopgap, but many are saying that it contributes to the problem more than it helps, because such coverage encourages sloppy security habits if organizations know they have an easy way out. Also, cyber insurance policies may not actually cover ransom payments, and as the ransomware crisis gets worse, many companies, like AXA, have been getting out of the business altogether.
If governmental regulation is on the table, a better solution than banning ransom payments may be to mandate that corporations adhere to minimum security guidelines, a model akin to the way airline safety is regulated. Theoretically, companies that don't follow stated cybersecurity guidelines may be fined or suspended from certain activities until they are back in compliance.
Of course, none of that is of any help if you are the victim of a successful attack, at which point you can choose to pay the ransom—or fight. Fighting, says McGann, largely comes down to investigating old backups to find intact data (presuming the backed-up data wasn't also infected with ransomware) and evaluating whether the business can afford to go without the data that was lost. But this too can be catastrophic if backups are not high quality and regularly tested to ensure fidelity. McGann points to a case involving the city of Tulsa, which was hit with a ransomware attack in May 2021. The mayor refused to pay and instead chose to cobble things back together from apparently incomplete backup data, a process the city expects won't be complete until September.
"That's just too long, and it really hurts the viability of the business," says McGann. "If this case involved a financial services company, they wouldn't have survived."
This article/content was written by the individual writer identified and does not necessarily reflect the view of Hewlett Packard Enterprise Company.