To Pay Or Not To Pay? That’s The Ransomware Question

We’ve seen it far too often: an organization is being held for ransom by hackers. They’re demanding payment in bitcoin to decrypt sensitive files – often ones that make the business operate.

The City of Atlanta was affected by such a scheme last month, where threat actors demanded $51,000 in bitcoin in return for encryption keys to unlock seized systems. Hackers likely used the SamSam malware strain – which has been on practitioners’ radar since 2015. The attack was detected in late March, but affected systems for weeks, as officials were forced to work on old laptops and law enforcement resorted to written case notes. Most reporting suggested that Atlanta did not pay the ransom.

In fact, according to WSB-TV 2, the cyber-attack now comes with a $2.7 million price tag for the city. Despite this financial burden, officials have been mostly reticent about the attack.

Nonetheless, municipal governments are not the only ones feeling the ransomware pinch. The question of “to pay, or not to pay” is actually reflective of a number of factors: organizational structure, business model/philosophy, affected files, etc.

In recent years, a gap has emerged between both camps – each of which has valid reasoning behind it. Today, we take a look at this question of ransomware payment. What’s smarter – paying or keeping your purse strings closed?

See Related: Industry Roundup: Addressing The Hybrid Cloud Security Readiness Gap

Some organizations, in accordance with policy or in evaluations amid incident response, opt to pay the ransom. In this method, which Thomas Koulopoulos, Founder of Delphi Group, called “the short view” in an Inc.com column, the business views the transaction as that, a transaction that will help remedy workflow. Of course, on the other end of the payment there lies a hacker, or hackers, who can, feasibly, crawl right back into the network and encrypt other files – or go on a encryption warpath elsewhere (now with the resources to continue their quest). This question resorts back to ethics and short-term solutions. In some occasions, ransomware payments are made to hackers.

The flip side of the coin is what Koulopoulos called the “long view,” which suggests that ransomware payments may only heighten activity, encourage harsher attacks and promote the behavior.

Whichever answer an enterprise opts for is also relative to its environment and circumstances. However, the most effective defense mechanism is frequent and comprehensive training and awareness campaigns. Whether a company subscribes to payment or non-payment, it’s in an optimal position when trying to head off an attack at the pass, before it strikes the network.

To do so requires proactive sessions within the organization – including typical IT security functions like “drills” on phishing, password rotations and simulations (white hat activity). What’s more, awareness can be built from the ground up – grassroots – and included at the academic level. That means pen-testing and red-teaming activities could be honed early on so that cyber practitioners are equipped to ward off malware strains that could lead to ransom demands.

See Related: 'Security Is A People Problem': Q&A With Awake's Gary Golomb

It’s clear where the FBI stands on this debate. On its website, FBI guidance reads, “There are serious risks to consider before paying the ransom. (The) USG does not encourage paying a ransom to criminal actors. However, after systems have been compromised, whether to pay a ransom is a serious decision, requiring the evaluation of all options to protect shareholders, employees, and customers.”

It continues: “Victims will want to evaluate the technical feasibility, timeliness, and cost of restarting systems from backup.”

The guidance reminds readers that “paying a ransom does not guarantee an organization will regain access to their data; in fact, some individuals or organizations were never provided with decryption keys after paying a ransom.”

It also suggests victims could be retargeted, or asked to pay more (after an initial crypto fee). Lastly, it says that the payment could condone the criminal behavior.

However, for some, timely payment is the only option – a way to regain composure and recover essential files. Ransomware efficacy is growing by the day, but so should policy and governance around it.

At the upcoming Cyber Security Digital Summit, held May 8-10, 2018 (free and online), IT security practitioners will focus in part on the highly visible topic of ransomware. On Tuesday, May 8, Nazmul Islam, CIO, UAB Department of Medicine, will be leading a panel discussion entitled “Ransomware: Lessons Learned from the Biggest Attacks.” Find out more about the Summit by visiting register.cshub.com/-cyber-security-digital-summit/.

Be Sure To Check Out: GDPR, Cryptocurrency Take Center Stage At RSA