Whether paying ransom for data held hostage makes sense depends on many variables. Experts define the variables and why they’re important.
Whether to pay ransom in order to unlock hijacked data or stop a Distributed Denial of Service attack is a hot topic right now. Like many other issues, on the surface it appears to be a simple yes or no decision. However, if you take in the whole picture, making that decision is anything but simple.
“On the one hand, I am sympathetic with the calls to ban such payments outright,” said Richard Hummel, threat-intelligence lead at Netscout. “The transnational nature of cyber-extortion makes it very hard to use traditional law enforcement techniques. On the other hand, the damage of not paying could sometimes be too harmful for sensitive sectors. I’m thinking of healthcare in particular. If a hospital isn’t able to access records, which in turn jeopardizes patients’ lives, it’s hard to justify not paying up.”
What to consider when deciding whether to pay
As mentioned earlier, the big picture must be considered. “The decision to pay a ransomware demand must be made carefully, with acknowledgement and acceptance of risks and in concert with various stakeholders: Legal counsel, law enforcement, cyberinsurance carrier, and security experts,” wrote Kris Lovejoy, global advisory cybersecurity leader at Ernst & Young Global Limited, in her EY.com article Ransomware: To pay or not to pay. “Furthermore, paying of ransom by either the organization or insurer could trigger questions as to whether payment constitutes funding criminal groups, terrorism, rogue states, and/or violating anti-money laundering laws.”
Lovejoy is a firm believer in being prepared beyond the usual IT infrastructure protections. Here is her list of what should be in place to minimize damage from a ransomware attack:
- Consider obtaining cybersecurity and business-interruption insurance.
- Retain a cybersecurity response team with expertise in responding to ransomware events.
- Create corporate policies for paying ransom. Lovejoy suggested internal and external counsel and cyberinsurance carriers be consulted.
- Determine who should be notified in the event of a ransomware attack, including law enforcement, external counsel, insurance carrier, and regulators. Lovejoy added, “This should be part of your incident response playbook, which should be exercised, reviewed, and refreshed often.” Note: In her article, Lovejoy discussed disclosure requirements related to payment of ransom. Unfortunately, governments, regulatory agencies, and states are not marching in step on disclosure. There is help, though: for example, the report Ransomware & Data Security Laws: A Guide to Complying with US & EU Breach Notification Rules, compiled by Varonis Systems and IT Governance, lists data-breach notification laws by state. (Please visit state-specific sites to get the latest data.)
- Decide when, how, and under what conditions the decision to pay or not pay would be made. Lovejoy suggested using exercises that simulate potential ransomware incidents, and testing whether decisions made during the exercise would work if an actual ransomware event occurs.
- Gain knowledge of how cryptocurrency works, as ransom payments are normally made using Bitcoin. In her article, Lovejoy advised, “This (Bitcoin transaction) is typically done by a third party. External IR and counsel will have their preferences, as will insurers who may require the use of a particular party.” Note: Hummel urges caution when it comes to transferring the funds: “Because cyber-extortion has been tremendously lucrative for criminals over the past few years, a cottage industry of firms has arisen to ease the process of making extortion payments, and this has made extortions that much easier.”
- Test the ability to recover from backup at scale. Lovejoy said, “It is best to assume your last known good backups are also compromised.”
The process is not instant. Whether you decide to pay or not, it will take time to return to normal business operations. Lovejoy pointed out the importance of maintaining the company’s essential functions as per the business-continuity portion of the incident-response playbook.
Why it’s important to be prepared for ransomware
There is no one right answer when deciding whether to pay cyber extortionists. Lovejoy and Hummel urge caution when making the decision. In particular, what amount of risk is acceptable?
“The time to figure out the policy toward ransomware payment is not during the event,” Lovejoy said. “This is all the more critical as it appears ransomware attackers recognize the limitations of their business model, and are beginning to not simply encrypt data, but exfiltrate it.”