There's nothing worse than paying criminals. And paying a ransom for data is just that—paying criminals for a criminal act. All you get out of the payment is access to your data. It doesn't fix the vulnerability or the root problem. Let the record reflect that the FBI does not recommend paying ransoms to cyber criminals.
It is being reported that companies are paying ransom at a faster rate than ever before. Part of the reason for the payments is a response to the experiences of others, including the City of Baltimore, which expended far more resources in recovering from its ransomware attack than the amount requested by the criminals. However, if you look at what the City of Baltimore bought in response to the ransomware attack—although it was more than the ransom requested—it was an investment in its future security, because it upgraded its systems and equipment to protect against future cyberattacks. The investment was for the future—not a payment to line the criminals' pockets and leave the system in a state of vulnerability for another attack. When determining whether to pay a ransom, companies may wish to consider whether it is an extortion payment that only buys back access to their own data and doesn't fix the vulnerability, or an investment in appropriate equipment and protection for the future.
It used to be that companies would consider paying a ransom if they did not have appropriate data back-up systems to migrate to following a ransomware attack. Everyone now knows that the response to a ransomware incident is to have a robust and tested back-up system so you can shut off the infected system and get the company back up and running on the backup if it was not also infected. Companies that did not have a back-up system had to consider whether or not to pay the ransom. Recently, companies with a back-up system have told attackers to go pound sand, migrated to the backup system, and killed the old system.
Unfortunately, as companies implement more robust incident response plans, and are able to recover from ransomware attacks without paying ransom, cyber criminals are getting more sophisticated and figuring out how to stay ahead of that "go pound sand" response from victims.
The consideration of whether or not to pay a ransom is very complicated and each scenario, risk analysis and business decision is different. The operative word is complicated. It is also wise for companies to determine whether they have insurance coverage for a ransom payment.
Three recent events are noteworthy when considering whether to pay or not to pay ransomware following an attack.
The first event is that the U.S. Department of the Treasury's Office of Foreign Assets Control issued an advisory on Oct. 1, "to highlight the sanctions risks associated with ransomware payments related to malicious cyber-enabled activities." The advisory warns that if a company or a vendor facilitates the payment of a ransom to criminals or adversaries "with a sanctions nexus," the funds could be used "to fund activities adverse to the national security and foreign policy objectives of the United States." Therefore, companies or vendors acting on their behalf who pay a ransom to a sanctioned individual or governments are at risk for sanctions under the Financial Crimes Enforcement Network regulations.
The advisory is a very important consideration to weigh in determining whether or not to pay a ransom for encryption keys or destruction of data.
The second event was a recent thoughtful analysis on this subject matter by KrebsonSecurity, titled "Why Paying to Delete Stolen Data is Bonkers." Referring to a Coveware report, which states that almost half of all ransomware cases include the release of exfiltrated data, Krebs quotes from the report: "Unlike negotiating for a decryption key, negotiating for the suppression of stolen data has no finite end."
Krebs further notes that ransomware victims who pay for the decryption key are relying on hope that the keys will work, which is not always the case.
The final event is that there is growing anecdotal evidence that ransomware-as-a-service operators, usually less sophisticated than the big boys, are engaging in double extortion scams against their victims. This means that if you have made the business decision to pay the ransomware for either the decryption keys or the destruction of data, these operators are refusing, after you have agreed to pay a negotiated amount, and they have initially agreed to hold up their part of the bargain, to give you the key or the confirmation of destruction until you pay more ransom. This behavior is certainly inconsistent with the general business plan of ransomware that the attackers will return what has been ransomed after payment, so future victims can be assured that if they pay the ransom, they will get their keys or the data back. This new phenomenon provides a strong argument (in addition to the ones above) to refrain from paying the ransom. They are criminals, after all, and some are more credible and smarter than others. These attackers who engage in double extortion will rapidly get a bad reputation and are shooting themselves in the foot. However, while in the midst of the attack, you just don't know who you are dealing with, so weighing these risks is challenging at best.
Linn Foster Freedman is a partner in the Providence, R.I., office of law firm Robinson & Cole LLP (Robinson+Cole). © 2020 Robinson & Cole LLP. All rights reserved. Republished from the Data Privacy + Cybersecurity Insider blog with permission.