- Ransomware criminals are holding computer systems hostage regularly, demanding large payments from victims to restore order
- Calls for governments to ban ransom payments to hackers were reignited following a cybercrime spree wreaking havoc around the world
- Organizations across the globe need to develop a ransomware payment policy, anticipating a potential future attack
Colonial Pipeline, America’s largest pipeline, was hit by a ransomware attack in early May, and the operators recently confirmed that they paid a US$4.4 million ransom to the cybercriminal gang responsible for the intrusion. However, when it comes to ransomware attacks, paying bad actors isn’t the right thing to do – in fact, some experienced observers reckon it should be illegal to pay off hackers.
Law enforcement agencies around the world are increasingly urging victims not to pay. It may seem odd to some, but it isn’t illegal to pay a ransomware demand, even though the forced encryption of someone else’s data and the demand for payment is itself a federal crime under at least the Computer Fraud and Abuse Act and the Electronic Communications Privacy Act, as well as under many laws passed by state legislatures.
If there’s one thing any cop show teaches us, though, it is that paying off a blackmailer in no way guarantees that you will get your assets back. If anything, it proves to the offender that you are willing to shell out funds for your data – and since the attackers are the ones controlling access to that data, they may well see the chance to repeatedly tap the same till. So, first, there is no guarantee that the criminals will return sensitive data. Second, there is no guarantee that they won’t leverage and monetize the data anyway, returned or otherwise.
One might argue that the best way to solve the ransomware epidemic would be to make it illegal for organizations to pay. Criminals are naturally only interested in the payoff, and if that route to the payday were simply proscribed by law, it would very quickly lead both to companies exploring other options to deal with ransomware and, at least in theory, to criminals moving toward some other endeavor with an easier payout. In summary, one could argue that it is the ease with which criminals can be paid, together with the perceived anonymity of crypto payments, that helps sustain the ransomware threat.
The idea of outlawing the payment of ransomware demands might seem appealing at first, until you unpack it and think about how it would work in practice. Publicly traded companies have a legal duty to shareholders; public service companies have legally binding commitments to serve their communities. A law that threatened to fine organizations, or perhaps imprison staff, would be hugely controversial in principle and likely difficult to enforce in practice, quite aside from the ethics of criminalizing the victim of a crime whose sole intent is to coerce that victim into making a payment.
Imagine a prosecutor attempting to convince a court that an employee – whose actions, say, restored a critical public service and saved the taxpayer millions of dollars after authorizing a five-figure ransomware payment – should be jailed. How would that, in principle, be different from prosecuting a parent for securing the safety of a child by paying off kidnappers? It doesn’t look like an easy case to win, particularly when the employee (or organization) might cite legitimate extenuating circumstances such as preserving life or other legal obligations.
Is It Ethical To Pay a Ransomware Demand?
If it’s not illegal to pay a ransomware demand, that still leaves open the separate question of whether it’s ethical. There are a couple of different angles that can be taken on this one. According to some interpretations of ethics, something is a “good” or “right” decision if it leads to an overall benefit for the community.
On this pragmatic conception of ethics, one might argue that paying a ransomware demand that restores some vital service or unlocks some irreplaceable data outweighs the ‘harm’ of rewarding and encouraging those engaged in criminal behavior.
On the other hand, it could be argued that what is right, or ethical, is distinct from what is a pragmatic or merely expedient solution. Indulging in a fantastical thought experiment for a moment, would we consider it ethical if a ransomware author demanded the life of a person, instead of money, to release data that would save the lives of thousands of others? Many would have a strong intuition that it would always be unethical to murder one innocent to protect the lives of others. And that suggests that what is “right” and “wrong” might not revolve around a simple calculation of perceived benefits.
The real problem with the pragmatic approach, however, is that there’s no agreement on how to objectively calculate the outcome of different ethical choices. More often than not, the weight we give to different ethical choices merely reflects our bias toward the choice we are naturally predisposed to. If pragmatism can’t help inform us whether it’s ethical to pay ransomware or not, we could look to a different view of ethics that suggests we should consider actions “right” or “wrong” insofar as they reflect the values of the kind of society we want to live in. This view is sometimes expressed more simply as a version of the “do unto others as you would have them do unto you” maxim. A more accurate way to parse it might be to ask: Do we want to live in a society where we think it’s right (ethical) to pay those who engage in criminal behavior? Is this a maxim that we would want to teach our children? Put in those terms, many would perhaps say not.
Is It Prudent To Pay a Ransomware Demand?
Even if we might have a clear idea of the legal situation and a particular take on our ethical stance, the question of whether to pay or not to pay raises other issues. We are not entirely done with the pragmatics of the ransomware dilemma. We may still feel inclined to make an unethical choice in light of other, seemingly more pressing concerns.
There is real, tangible pressure to make a choice that could save your organization or your city millions of dollars, or that might spare weeks of downtime for a critical service. Even if they believe it would be technically unethical to do so, some people may judge that today’s hard reality takes immediate precedence over loftier principles.
A case in point: recently, three Alabama hospitals paid a ransom to resume operations. The hospitals’ spokesperson said:
“We worked with law enforcement and IT security experts to assess all options in executing the solution we felt was in the best interests of our patients and alignment with our health system’s mission. This included purchasing a decryption key from the attackers to expedite system recovery and help ensure patient safety.”
This “hard reality” perspective is reflected in recent changes made to the FBI’s official guidance on ransomware threats.
“…the FBI understands that when businesses are faced with an inability to function, executives will evaluate all options to protect their shareholders, employees, and customers.”
However, the possibility that the criminals will not hold up their side of the bargain must be factored into any decision about paying a ransomware demand. In some cases, decryption keys are not even available, and in others, the ransomware authors simply didn’t respond once they were paid. A further point to consider when weighing up the prudence of acquiescing to the demand for payment is how this will affect your organization beyond the present attack itself. Will paying harm your reputation or earn you plaudits? Will other – or even the same – attackers now see you as a soft target and look to strike you again? Will your financial support for the criminals’ enterprise lead to further attacks against other companies, or services, that you rely on? In other words, will giving in to the ransomware demand produce worse long-term effects than the immediate ones it seems – if the attackers deliver on their promise – to solve?
What Happens If I Don’t Pay A Ransom for Ransomware Attacks?
If you choose not to pay the ransom, then of course you are in the very same position the ransomware attacker first put you in by encrypting all your files to “twist your arm” into paying. Depending on what kind of ransomware infection you have, there is some possibility that a decryptor already exists for that strain; less likely, but not unheard of, is the possibility that an expert analysis team may discover a way to decrypt your files. A lot of ransomware is poorly written and poorly implemented, and it may be that all is not as lost as it might at first seem.
The NoMoreRansom Project is the product of a joint effort by global law enforcement agencies and private security industry partners. It hosts a large repository of stand-alone decryption tools that is constantly updated by those partners.
This can be a very valuable resource when evaluating your course of action in the face of a ransomware attack. Also, consider whether you have inventoried all possible backup and recovery options. Finally, there is the worst-case scenario, where you have no backups and no recovery software, and you will have to dig yourself out by rebuilding data, services and, perhaps, your reputation from the ground up. Transparency is undoubtedly your best bet in that kind of scenario. Admit to past mistakes, commit to learning those lessons, and stand tall on your ethical decision not to reward criminal behavior.
What Happens If I Pay A Ransom for Ransomware Attacks?
There is perhaps more uncertainty in paying than there is in not paying. At least when you choose not to pay a ransomware demand, what happens next is in your hands. In handing over whatever sum the ransomware attacker demands, you remain in their clutches until or unless they provide a working decryption key. Before going down the road of paying, look for experienced advisors and consultants to help negotiate with extortionists. Despite the often taunting ransomware notes, some ransomware groups will engage in negotiating terms if they think it will improve their chances of a payday.
Tactics like asking for ‘proof of life’ (having the attackers decrypt a portion of the environment before any payment is made), or negotiating payment terms such as 50% upfront and 50% only after the environment has been decrypted, can work with some groups, albeit not with others. The vast majority of ransoms are still paid in bitcoin, which is not an anonymous or untraceable currency. If you do feel forced to pay, you can work with the FBI and share wallet and payment details. Global law enforcement is keen to track where the money moves.
And where do you go beyond that? Any sensible organization must realize the need for urgent investment in determining not only the vector of that attack but all other vulnerabilities, as well as rolling out a complete cybersecurity solution that can block and roll back ransomware attacks in the future. While these are all costs that need to be borne regardless of whether you pay or do not pay, the temptation to take the quick, easy way out rather than working through the entire problem risks leaving holes that may be exploited in the future. Balance the need for speed of recovery against several risks:
- Unknown back doors the attackers leave on systems
- Partial data recovery (note some systems will not be recovered at all)
- Zero recovery after payment (it is rare, but in some cases the decryption key provided is 100% useless or, worse, one is never sent)
Finally, note that some organizations that appear to be hit repeatedly by the same actors may in fact have been breached only once, with encryption payloads triggered in subsequent waves. Experience pays off tremendously in all of these scenarios, and ‘knowing thy enemy’ can make all the difference.
Regardless of whether you or your organization have decided to pay the ransom, it is appropriate to inform the proper law enforcement agency. Doing so provides investigators with the critical information they need to track ransomware attackers, hold them accountable, and prevent future attacks.