Should Ransomware Victims Pay Up? Experts At Black Hat Speak Out

From the availability of backups and sensitivity of exfiltrated data to the health and safety consequences of nonpayment, here’s what companies must think about before forking over a ransom.

Between A Rock And A Hard Place

Organizations have become increasingly willing to fork over ransoms in recent months, with Colonial Pipeline paying Darkside $4.3 million in May with the hope of restoring operations on its 5,500-mile pipeline sooner. And meatpacking giant JBS paid REvil $11 million to shield the company’s meat plants from further disruption and limit the potential impact to restaurants, grocery stores and farmers.

More recently, Kaseya opted not to pay a $70 million ransom yet still received a key that proved to be 100 percent effective at decrypting files that were fully encrypted during the devastating July 2 REvil ransomware attack. “Kaseya decided after consultation with experts to not negotiate with the criminals who perpetrated this attack and we have not wavered from that commitment,” Kaseya wrote July 26.

CRN spoke with 10 C-suite executives and threat researchers during Black Hat USA 2021 about what (if any) circumstances merit the paying of a ransom. From the availability of backups and sensitivity of exfiltrated data to service restoration delays and health and safety consequences associated with non-payment, here’s what boards and CEOs need to consider when deciding if it’s worth paying the ransom.

Companies That Pay Should Have To Publicly Admit It

Mandating public disclosure of ransom payments would serve as a psychological suppressant and cause companies to think twice before forking money over to cybercriminals, said Arthur Fontaine, NetWitness’ product and solution marketing manager. Requiring that ransom payments be reported to shareholders and the government would introduce another layer of complexity for companies considering payment.

Knowing that ransom payments can’t be made under the table would incent companies to invest in proactive defenses and incur up-front costs to harden their environments against ransomware attacks, according to Fontaine. “Nobody wants to see their company on the front page of The Wall Street Journal as having paid a ransom,” Fontaine said.

Organizations should consider the financial implications associated with downtime and negative publicity before deciding whether to pay a ransom, according to Fontaine. Mandating reporting of ransom payments would also spur organizations to adopt Cybersecurity and Infrastructure Security Agency (CISA) best practices such as maintaining offline backups, Fontaine said.

Only If Human Lives Are In Jeopardy

Telling organizations to never pay a ransom is naïve if such a refusal puts human lives in jeopardy, which would often be the case for health-care and critical infrastructure companies, according to Secureworks Chief Product Officer Steve Fulton. Every hour that a hospital is unable to access its IT systems or internet-enabled medical equipment increases the likelihood of a patient death, Fulton said.

Decisions about whether or not to pay a ransom should consider the severity of the cyberattack, the industry the victim organization is in, how long it would take to mitigate with and without a decryption key, and the specifics of the company that was compromised, Fulton said. Ransom talks usually start at a very large number, but Fulton said victims are typically able to negotiate themselves a steep discount.

More Likely If Sensitive Customer Data Is Captured

Businesses are more likely to pay a ransom if the adversary captures personally identifiable information (PII) such as Social Security numbers since the potential liability associated with the public release of that data is often greater than the ransom amount, according to Qualys President and CEO Sumedh Thakar.

However, if the stolen data is encrypted and of a less sensitive nature, Thakar said businesses can often work with their customers to provide visibility into what was taken and come up with a mitigation plan. Given that victims are dealing with criminal organizations, Thakar said it’s quite likely their data has already been shared with nefarious actors or is still being held by the hackers even if a ransom is paid.

As a result, Thakar said the ransomware group could leverage the victim data for another purpose a couple of months later if it finds itself strapped for cash. In addition, Thakar said ransomware attacks that successfully disable encrypted systems in industries like health care or critical infrastructure are more likely to result in payment since national security interests or human lives hang in the balance.

Pursue Alternative Methods For Recovering Data

Paying cybercriminals sets a bad precedent and provides troubling incentives to threat actors, meaning that victims should look for other ways to recover data or decrypt their operations before considering a ransom payment, according to Rob Cataldo, managing director of Kaspersky North America.

Decryptor codes exist for most common ransomware strains, and Cataldo said victims need to understand their options and work with an incident response provider to see if there’s already code in the public domain that would make it possible to decrypt their encrypted files. If not, Cataldo said ransomware victims should investigate recovering the locked down files using backups.

The victim’s industry probably factors significantly into ransom payment decisions, Cataldo said, with a large-scale restaurant franchisor being far less likely to pay up than a gasoline pipeline or nuclear power plant manager. All told, Cataldo said victims should consider all other options at their disposal before paying a ransom.

Federal Mandate Banning Payments Would Backfire

Having a federal mandate that prohibits businesses from paying ransoms would be a dogmatic and binary action that doesn’t consider the lack of good options for victims, according to Sophos CEO Kris Hagerman. A narrow U.S. government directive doesn’t reflect the dozens of different data points businesses should take into account when determining whether to pay a ransom, Hagerman said.

For instance, Hagerman said a hospital that’s had 10 life-supporting systems knocked offline during a ransomware attack might decide it’s worth paying the ransom. Organizations must consider how well-positioned they are to get their systems back online without a decryptor key as well as the likelihood of re-infection, and the private sector must get better at detecting and defending against ransomware.

Organizations hit with ransomware should report as many details of the incident as possible to law enforcement and government officials to prevent the hackers from compromising other companies in a similar manner, Hagerman said. Sharing more information quickly through proper channels will reduce fragmentation in the victim landscape and improve the quality and timeliness of the victim’s response.

Only If Ransomed Data Cannot Be Recovered

Businesses that have a proper recovery strategy in place and maintain continuous backups to the minute can ensure that hackers aren’t able to hold them hostage, according to Sri Mukkamala, Ivanti’s senior vice president of cyber products. In the absence of such a strategy, Mukkamala said paying the ransom provides a razor-thin hope that the victim will be able to get its data back.

If an organization is unable to recover its data on its own, Mukkamala said the company’s security leader should recommend to the board of directors that the organization pay the ransom. From there, Mukkamala said the board must decide if it’s worth millions of dollars to possibly get a decryptor key or if there’s an alternate path the company can take to stay afloat.

Companies can most likely avoid paying a ransom if they have incident response, incident recovery and business continuity plans in place prior to a security incident, Mukkamala said. Those plans should detail how the company plans to transparently communicate with law enforcement, key stakeholders and employees while an attack is taking place even if the facts of the campaign aren’t fully known, he said.

Companies At Risk Of Going Under Have No Other Option

Small businesses that have had to shut down their systems due to a ransomware attack can end up losing tens of thousands of dollars each day, which isn’t sustainable, according to John Maddison, Fortinet’s chief marketing officer and executive vice president of products. It’s easy to crusade against making ransom payments, but if the survival of the victim’s business is at stake, companies will end up paying.

Victims also must scope out the extent of the damage and can likely avoid making ransom payments if only a portion of their infrastructure is broken, Maddison said. But if customer or intellectual property data has gone missing, Maddison said businesses face a very different calculation when deciding to engage in negotiations with cybercriminals.

Ransomware actors have gone from trying to lock down thousands of businesses in spray-and-pray campaigns to pursuing specific large enterprises in highly targeted operations, Maddison said. Organizations also need to be in contact with authorities if they have reason to believe a ransomware attack has taken place, according to Maddison.

Should Be Avoided Outside Critical Infrastructure

Critical infrastructure vendors stricken with ransomware might need to pay up if the restoration of their service matters to the rest of society, according to Barracuda Chief Technology Officer Fleming Shi. Shi, however, said companies hit with ransomware should initially take the stance of refusing to pay and force the conditions on the ground to convince them otherwise.

Attacks on critical infrastructure vendors with exorbitant ransom demands have caught the attention of authorities, with the U.S. government, FBI and ransom negotiators demanding that ransomware groups prove they’ve actually captured the victim’s data. Authorities have also focused on finding ways to trace cryptocurrency so that any Bitcoin payments made to cybercriminals can potentially be recovered.

Adversaries have waves of experience tearing down victim environments and restoring their systems if a ransom payment is made, Shi said. In response, Shi said organizations must invest more heavily to improve their defensive posture.

Assess Risk Associated With Captured Data

Large enterprises and companies selling to consumers typically have a scoring methodology for how sensitive different pieces of data in their possession are as well as the risk associated with exfiltration of that data, said Netskope CEO Sanjay Beri. By leveraging their existing infrastructure, Beri said businesses can easily assess the potential impact of a ransomware attack.

Businesses will typically know what data has been taken during a ransomware attack since it’s inaccessible and hackers like to brag about their bounty, he said. Businesses have committed to protecting the data of their customers and therefore might end up needing to pay a ransom if there’s no other way to keep their customers’ data safe, Beri said.

This is particularly true if the stolen data is sensitive and its public dissemination is likely to harm customers, Beri said. Still, Beri said paying ransoms does incent criminal behavior and gives the wrong signal to those propagating harm and chaos.

Only If The Business Has No Recovery Plan

Ransomware payment decisions often come down to how well an organization has prepared for such a scenario as well as how confident the victim is that it would get the key needed to restore operations upon payment, said Marcus Fowler, Darktrace’s director of strategic threat. Most importantly, Fowler said the decision comes down to the soundness of the victim’s damage control and recovery plans.

Well-prepared boards have thought about how they can recover and restore operations without paying in the event of a ransomware attack, Fowler said. The company’s leadership also needs to assess how long it’ll take to get back online in both a payment and nonpayment scenario, as well as how significant an impact the restoration delay associated with nonpayment would be for the business, Fowler said.

Ransomware groups with a track record of restoring victims that pay should be approached differently than groups that have never produced a decryptor key that actually works, according to Fowler. “I can guarantee you none of them [the ransomware victims] wanted to pay and none of them wanted to be in that position,” Fowler said.