The United States and the 50-member International Counter Ransomware Initiative (CRI) are taking a unified stance against ransomware. The White House hosted the third annual CRI summit on Oct. 31, during which members focused on measures such as improving defensive capabilities and information sharing—while endorsing a joint policy against making payments.
A unified international effort confronting the scourge of ransomware is laudable and necessary. The global cost of ransomware, which totaled $20 billion in 2021, is projected to hit $71.5 billion by 2026, according to White House sources. But a blanket statement opposing ransomware payments is shortsighted and could restrict businesses and other organizations from doing what’s best for them when under attack.
The circumstances surrounding a ransomware attack are often too complicated for a one-response-fits-all policy. Anne Neuberger, Deputy National Security Advisor for Cyber and Emerging Technologies, argued against making payments because it funds ransomware operators and perpetuates the cycle. That may be true, but it ignores other critical factors facing organizations under attack. Choosing whether to pay ransom isn’t a moral or ethical decision. It is always a business decision based on risk reduction and protecting the interests of an organization’s customers, employees and key stakeholders.
Paying ransom isn’t always a simple decision
Ransomware attacks can have more implications than simply whether to pay to unlock data and get back to business. Here is a key example of this based on my experience helping a Sygnia client through this challenging dilemma.
My client experienced a ransomware attack but was in good shape, with the ability to fully recover without paying the ransom. However, through negotiations with the attackers, the client realized that the threat actor had access to the personal information of employees. Company leaders also were informed that, by the standards of ransomware operations, they were dealing with a “reputable” threat actor, who would likely not publish stolen information if paid.
So, despite the company’s prospects for recovery, the CEO decided to pay the ransom to protect his employees. That’s just one example, but other instances illustrate how deciding whether to pay a ransom is not always a simple question. In the Colonial Pipeline attack, the operators likely would have been able to recover operations in due time, but as a component of critical infrastructure with so many customers depending on it for gas, Colonial paid almost immediately. Healthcare is another sector where the risks to patient health—and life—can outweigh the costs of paying.
Deciding whether to pay can be a multi-faceted process, involving not just money and the ability to operate but reputational damage and legal issues, so companies must enlist good help in navigating the various factors that go into the decision.
In responding to an attack, an organization needs to answer five key questions:
- Can the business recover if we pay the ransom?
- Which decision best protects the interests of customers, employees and other stakeholders?
- If a threat actor manages to exfiltrate or encrypt data, what’s the sensitivity of that data?
- How reputable is the threat actor?
- Can we negotiate with confidence?
The answers to these questions can help organizations determine the best course of action given their specific situation.
Negotiating after an attack
Some companies might be reluctant to open lines of communication during an attack, holding to the principle that ransomware attackers, like hostage-takers or terrorists, shouldn’t be negotiated with. But the target of an attack should almost always negotiate.
Even if a business has no intention of paying, initiating communication early – with the help of incident response experts who are trained to remediate crises – is vital. You can negotiate for additional time or for intelligence to learn about the situation. In some cases, opening negotiations can result in threat actors reducing the amount of the ransom. And if nothing else, we’ve found that threat actors are less likely to do more damage, which might harm their chances of getting paid.
Enlisting the help of an expert also can help a ransomware victim learn something about an attacker, particularly about how they operate. As in the case of the CEO whose company was attacked, the reputation of the attacker can come into play.
In addition to legal, PR and forensic support during an attack, an expert can also provide a profile of the threat actor. There are cases involving threat actors who don’t negotiate in good faith, perhaps providing a key that doesn’t unlock the data or publishing information after a ransom has been paid. But for many ransomware operations, including those in the top tier, ransomware is a business. They operate according to a well-articulated business model designed to ensure payment, but also to protect their reputation.
Knowing who you are dealing with, and whether they will keep their part of an agreement, can help companies in deciding how to respond to an attack. For many ransomware operators, reputation is just as important to them as it is to a business because if they become known as someone who doesn’t negotiate in good faith, that makes it harder for them to get paid in the future.
Risk reduction is the goal
An expert consultant won’t tell a company to pay or not to pay a ransom. That’s up to the client’s executive team, and they must make an informed decision ultimately based on risk reduction.
For example, if an attack is causing a business to hemorrhage millions of dollars a day and paying the ransom will mitigate that, a company might decide to pay, or it might determine that it’s willing to lose that money rather than pay. If a company can recover its data and resume operations without paying ransom, it still needs to consider what else is at stake and prepare accordingly.
Ransomware operators, for instance, have increasingly been employing double extortion tactics, in which they not only freeze systems but also steal sensitive data and threaten to publish it if they are not paid. Some threat actors don’t even bother with encrypting data but just steal it to hold it hostage. Some actors also employ a triple extortion tactic that involves making threats and ransom demands to the first victim’s third-party suppliers, clients or other stakeholders.
If a company decides not to pay, it must move quickly, working within the processes of forensic investigation, monitoring and mitigation to shore up defenses as fast as possible to fend off retaliatory attacks. The response of a ransomware operator whose payment is spurned can get ugly.
Conclusion
Ransomware has proliferated because it has proved to be an effective business model for cybercriminals, enabled by the rise of cryptocurrencies, which changed the risk/reward equation for attackers. Increasing defensive capabilities and information sharing to deter ransomware are important steps. But a policy of simply refusing to pay ransoms ignores the realities that ransomware victims face. It’s not always a simple decision. As long as ransomware remains a common attack, responses need to be based on whatever individual risks a company is facing.