Caught between a rock and a hard place, many ransomware victims cave in to extortion demands. Here’s what might change the calculus.
The recent spate of ransomware payments cannot be the best use of cybersecurity budgets or shareholder capital, nor is it the best use of insurance industry funds. So, why are companies paying and what will it take for them to stop?
Why are so many victims paying ransomware demands?
In simple terms, it may just be, or at least initially seem, more cost effective to pay than not to pay. Ironically, the current precedent for paying probably dates back to the ethically brave organizations that refused to pay. When WannaCryptor (a.k.a. WannaCry) unleashed its malicious payload on the world in 2017, the United Kingdom's National Health Service took a significant hit to its infrastructure. The reasons why it was hit so hard are well documented, as are the costs of rebuilding: an estimated US$120 million. That figure does not include the human cost of the 19,000+ cancelled appointments, including oncology appointments.
Then, in 2018, the city of Atlanta suffered a SamSam ransomware attack on its smart city server infrastructure, with the cybercriminals demanding what then seemed like a huge ransom of US$51,000. Several years on, the reported cost of rebuilding the systems is placed anywhere between US$11 million and US$17 million; the range reflects the fact that some of the rebuild was enhancement and improvement rather than pure recovery. I am sure many taxpayers in the city of Atlanta would rather the city had paid the ransom.
With publicly recorded incidents showing that the cost to rebuild can be significantly more than the ransom, the dilemma of whether or not to pay may be one of cost rather than ethics. As both examples above are local or central government bodies, these victims' moral compasses probably pointed them away from funding the next cybercriminal incident. Alas, just one year later the municipalities of Lake City and Riviera Beach in Florida handed over US$500,000 and US$600,000, respectively, to pay ransomware demands.
There is no guarantee that a decryptor will be forthcoming or that, if provided, it will even work. Indeed, a recent survey by Cybereason found that almost half of the businesses that paid a ransom did not regain access to all of their critical data after receiving their decryption keys. Why pay the demand, then? The business of ransomware has become more commercialized and sophisticated on both sides: the cybercriminals learned, from the publicly disclosed rebuild costs, how much the data and systems they hold hostage are worth, while a whole new industry segment of ransomware negotiators and cyber-insurance emerged on the other side. In other words, companies and individuals began profiting from facilitating the payment of extortion demands.
It's also important to remember the devastating effect that ransomware can have on a smaller business, which is less likely to have access to expert resources. Paying the demand may be the difference between the business surviving to fight another day and closing its doors for good, as happened to The Heritage Company, where 300 people lost their jobs. In countries with privacy legislation, some victims may also see paying as a way to avoid informing the regulator; however, I suspect that the regulator should always be informed of the breach, regardless of whether payment was made on the condition that exfiltrated data be deleted, since a criminal's promise to delete stolen data can never be verified.
Paying is often not illegal
In October 2020, the United States Department of the Treasury's Office of Foreign Assets Control (OFAC) issued an advisory warning that paying a ransomware demand can be illegal in some instances. To clarify, it is illegal to make or facilitate a payment to individuals, organizations, regimes and, in some instances, entire countries that are on OFAC's sanctions list, regardless of whether the payer knew who was behind the attack. Of significance here is that some cybercrime groups are on the…