Ransomware: To Pay Or Not To Pay, That Is Still A Real Question

Ransomware To Pay or Not To PayRansomware has long been a lurking threat, but it really took center stage in 2017 with the rapid spread of WannaCry and Petya/NotPetya. Like someone flipping a switch, ransomware went from a manageable annoyance to a major concern of not only security professionals but business owners and executives everywhere. While questions have been raised around whether the rate of ransomware attacks is rising or falling this year – fueled in part by the pivot to cryptojacking in lieu of relying on payment of an extortion demand – one thing is for sure, we believe that ransomware is not going away anytime soon.  

Just like a cold or the flu, preventing an infection is generally much preferred to actually getting sick. But as any security professional would say, preventing ransomware infections is much easier said than done. A quick Internet search produces no shortage of prevention tips ranging from training employees to spot suspicious emails to leveraging sophisticated security tools. One firm even goes so far as to suggest using honeypots to lure infections away from the rest of the network.

Regardless of which mitigation or prevention strategies are in place, no organization can be 100% guaranteed to be safe from a ransomware event. That’s what makes a sound recovery plan – with reliable back ups – so important. If the infection can be contained and data and systems restored from back ups, then the organization stands a fighting chance to recover from the event none the worse for wear.  

The more interesting question becomes, what to do if restoration isn’t an option? What happens if the encryption also hits the backups or spreads so fast the organization is left paralyzed and unable to function. In a horrible situation such as this, leadership is faced with few options, and none are particularly good:

  1. Accept the loss and start fresh, which is usually no option at all.
  2. Try to recover the files yourself.
  3. Outsource the issue and have a security firm help you figure it out.
  4. Pay the extortion demand yourself.

We wanted to spend some time covering the choices that an organization faces in depth, specifically whether to pay or not if faced with a ransomware situation.

Why You Shouldn’t Pay

When asked, a majority of security professionals will reply immediately that you should never pay a ransom if infected by malware demanding money to unlock your files (a.k.a. ransomware). In fact, many practitioners feel so strongly about this stance that they don’t even want to discuss the alternatives without providing much validation. Let’s look at a few reasons why people may say that, and why you shouldn’t consider payment of a demand as a viable option.

The FBI Says Don’t Do It?

Companies hit by ransomware are typically focused solely on getting their data back as quickly as possible. Even though the FBI has stated that they do not support paying a ransom – for a number of good reasons – the end result and getting your organization up and running again is all that matters, right? Depending on the infection and how fast the data must be recovered, it may actually make sense that a company is inclined to pay it. Even the FBI recognizes this fact. Their guidance does not state “do not pay under any circumstances”. Rather, in their “Ransomware Prevention and Response for CISOs” document, while not encouraging payment as it is clear they don’t prefer payment, they state:

Whether to pay a ransom is a serious decision, requiring the evaluation of all options to protect shareholders, employees and customers. Victims will want to evaluate the technical feasibility, timeliness, and cost of restarting systems from backup.

So their guidance suggests a careful cost-benefit analysis on whether or not to pay. The idea that the FBI says not to pay is actually a myth, and some news organizations are trying to make that more clear:

The FBI, supported by multiple cybersecurity experts, has on multiple occasions insisted that when infected by ransomware, the best response is to not pay unless it is an absolute necessity and there is no other way to recover the hijacked files at all.

You Can Leverage Collaborative Projects For Free

There are web sites and projects that can help you beat the ransomware without paying. For example, the “No More Ransom” project is an initiative by the National High Tech Crime Unit of the Netherlands’ police, Europol’s European Cybercrime Centre, and two cyber security companies – Kaspersky Lab and McAfee – with the goal to help victims of ransomware retrieve their encrypted data without having to pay the criminals. There are decryption tools posted for more than 85 different types of ransomware.

You Are Marked as a Sucker (Repeatable Target)

One concern with paying off criminals is that you will be known to pay, and once money is exchanged, malicious actors may continue to target your organization. This could potentially make you and other payees a frequent target in efforts to infect a machine. An article in SC Magazine covers a company that found themselves in this position:

The company, having little other option, chose to pay up: “No-one said it was a bad idea, although there was a level of feeling uncomfortable to ‘giving in’ to the thieves but by that stage we were out of ideas and it seemed to be the only decision we could make.” It took most of the night to complete the decryption, even after which roughly 10 percent of the files were unrecoverable. The saga cost the business three days of work, at least £25,000 pounds and a tenth of their data.  Their IT provider was soon replaced, and new security policies and staff training put in. The company was targeted with ransomware several times in the months after “Apparently there was an upsurge in ransomware aimed at us in the months following the attack, we think this is because we were put on a ‘Suckers List’ by the criminals and others were trying to cash in by seeing if we’d fixed our problems.”

There Is No Guarantee They Will Give Your Data Back

The people that create and distribute ransomware are criminals. By nature, they are performing unethical and illegal activities to profit off other people’s misfortune. With that in mind, if you pay the ransom, how do you know if they will actually send you the code to unlock your data? Bleeping Computer published an article that gave an interested statistic:

The survey, carried out by research and marketing firm CyberEdge Group, reveals that paying the ransom demand, even if for desperate reasons, does not guarantee that victims will regain access to their files.

[..]

Of the 38.7% who opted to pay the ransom, a little less than half (19.1%) recovered their files using the tools provided by the ransomware authors.

You Enable Ransomware Crime To Continue

The FBI and others believe that if organizations pay a ransom, it not only encourages current cyber criminals to target additional organizations, it also entices other criminals to get involved in ransomware as they will see it as a lucrative activity.  In addition, by paying a ransom, it has been noted that this money could inadvertently be funding other illicit activity.

You Won’t Learn Your Lesson

Some security professionals argue (believe it or not) that if you don’t feel the real pain: long outage, detailed recovery, and high costs, then your organization won’t properly learn your lesson. Meaning, you will not be as motivated to implement security improvements to the environment. With the ransomware incident resolved, some may end up leaving the environment as-is, with no remediation or lessons learned.

Why You Should Consider Paying

Paying a ransom is still largely a very unpopular method to recover from a ransomware event and understandably so. However, when push comes to shoved-against-a-very-hard-wall, we do see some organizations choose this approach. Let’s look at a few reasons why paying to recover might be an acceptable decision.

You Get Your Files Back Quickly

No matter the industry, for most organizations getting quick answers and solutions for customers, partners, and shareholders is required.  Most businesses simply cannot be interrupted for any significant length of time without a massive impact and for some, such as hospitals, potentially life-impacting. Paying what is usually a relatively small amount of money to get past the ransomware incident is extremely appealing as it lets the company get back to business immediately.

ROI: Yes, It Can Be Cheaper! Much Cheaper!

Remember the ransomware attack on the City of Atlanta? It wasn’t that long ago, just this past Spring, that the city’s government was left paralyzed by a SamSam infection. On March 22nd, the malware raced through the city’s IT operations, forcing staff to resort to old fashioned pen and paper for more than a week after the attack and leaving the busy Municipal Court crippled for months.

City officials decided not to pay the ransom only to find themselves paying millions of dollars trying to recover from the attack, rather than paying the ~$50,000 asking price from the criminals. The city’s Department of Procurements initially published their emergency response cost details, which Wired magazine nicely summarized back in April:

THE CITY OF Atlanta spent more than $2.6 million on emergency efforts to respond to a ransomware attack that destabilized municipal operations last month. Attackers, who infected the city’s systems with the pernicious SamSam malware, asked for a ransom of roughly $50,000 worth of bitcoin. (The exact value has fluctuated due to bitcoin’s volatility.)

The emergency contracts include:

Cisco Security Incident Response Services CDW-G $60,000
Surge Support Staff Augmentation Mosaic451 $60,000
Emergency Incident Response Services Secureworks $650,000
Advisory Services for Cyber Incident Response Ernst & Young, LLC $600,000
Microsoft Cloud, Client Stack Design and Build, and Pro Services for Azure Active Directory, System Center, and Windows 10 Fyrsoft $730,000
Crisis Communications Services Edelman $50,000
Development and Deployment of Benchmark Pioneer Technology Group $124,000
Microsoft Azure Cloud Engineering, Development, and Migration Professional Services Airnet Gorup, Inc. $393,328

 

As eye-popping as those figures might seem, it appears they were just the tip of the recovery iceberg. In August, the Atlanta-Constitution Journal obtained a report that estimated the recovery costs could be as high as $17 million. An argument could be made that figure represents a lot of catch-up spending from years of deferred IT investment instead of actual recovery costs. Regardless, it does highlight that major events like this often force organizations to come to terms with years of accumulated technical debt.

While this incident represented a chain of events that snowballed out of control quickly, it’s a good reminder that a quick cost-benefit analysis may point your organization down a different path.

Cyber Insurance Policies Cover Ransomware

It is no secret that we at RBS believe that cyber insurance policies can be an important part of a comprehensive risk management program.  Hopefully it comes as no surprise to our normal readers that organizations can transfer some of the financial burden arising out of ransomware events! It is important that we emphasize again that not all cyber polices are the same, and it is critical to make sure you actually read the fine print!  “Cyber Extortion” coverage can be built into a policy and is also routinely made available as an add-on to cyber policies, although it may not be as routinely purchased. Of all the coverages found in cyber policies, deciphering its value to the buyer can be the trickiest to understand. This is one area where major differences can be found from one policy to the next. Some forms may be limited to recovery costs incurred after a waiting period while others may kick in recovery assistance as soon as the event is uncovered. Most will actually cover the cost of the extortion payment (bitcoin ransom payment), although buyer beware as certain policies may be subject to limitations such as payments made “only at the direction of law enforcement.”  If you have a cyber policy that covers a ransomware event, and it will handle the payment, then why not report the event and let the claims department figure out the best way to recover (even if that includes making a payment).

Invest the Saved Money Into Security Improvements

As mentioned previously, recovering from a ransomware event unfortunately can be very costly, and for the most part ransom demands continue to be quite small.  With a ransomware event being a massive wakeup call for an organization, it could be argued that by saving a substantial amount of money it then could be invested in improving an organization’s security posture. Investments such as training employees, improving technical controls including backups and reducing other technical IT debt that has accumulated.

It Might Be The Only Option

At the end of the day, paying a ransom might not be the preferred solution, but it just might be the only solution to get an organization back up and running properly.  If this is the case, it should be considered without hesitation.

Conclusion

Each ransomware event is unique, so it’s impossible to say there is only one ‘right’ way to handle such an event. If you find yourself facing a ransomware incident and aren’t sure what to do, ask for help. Consult with colleagues, bring in an incident response firm, and search the Internet for others that have suffered the same ransomware variant. If someone tells you there is only one option to consider, then we highly recommend that you find another firm immediately to help you!  

 Additionally, while it is hard to think about the future during a fire-fighting situation, remember just as with any other incident you face, attempt to look past the current moment and use it as a learning exercise. Ensure you establish a policy for dealing with a future ransomware attack, should it happen. Finally, make sure you look into a cyber insurance policy (if you have one, verify you have coverage!) and how it may help protect your organization financially.

 No matter what option you decide, please do report the ransomware event. Yes, we know that chances are low that anything will come of it, but it does help investigators, and at RBS we are all about using data and statistics to help us improve cyber security.