One of the most frequently asked questions I get when presenting to boards of directors and executives is “if we are the victim of ransomware, should we pay the ransom?”
Before I share my answer with you, I want to remind you that this is just an article and I am just a guy. I am not providing you legal advice, nor am I familiar with your organization’s circumstances. What I do suggest is that you use the information in this article to foster education and dialogue in your organization so that if you are the target of ransomware, you will understand your response beforehand.
To answer the question of whether you should pay or not pay, you need to understand that ultimately this is a decision based on ego and principle. The reality is that if you pay, in pretty much every case of ransomware, the attacker provides the decryption keys and life goes on. It is also essential to know that the costs of the attack are dramatically less, often hundreds of times less overall than if you don’t pay the ransom. If you research any ransomware attack where the target didn’t pay the payment and held their ground, the ultimate costs ran into multiple millions of dollars in damages and dramatic losses of revenue.
If you take all of that into account, the only reason not to pay ransomware is simply that your organization believes that morally and ethically, they should not give in to the attackers. There is nothing wrong with that stance, and if that is your choice, you should implement plans to address the consequences of that choice. In a moment, we will discuss some of those plans.
Before we go on, the most important take away from this article is for you to decide what you will do today not after a ransomware attack occurs. Based on that decision you can design a very effective ransomware attack protocol that will streamline your engaged response. With critical importance, along with essential benefits, it's paramount to be prepared for these events. In the remainder of this article, I will provide you with some suggestions on what you should consider if you decide to pay the ransom and what to do if you choose not to pay.
Let’s begin by considering the action items to complete regardless if you choose to pay or not. First, you should perform a ransomware simulation. This is not a tabletop exercise, but a real simulation of the harm that ransomware would do during an attack. There are two ways to do this; one is using a tool like Sensato's Ransomware Simulator or by conducting a penetration test of your internal environment that focuses on traversal attacks. This will reveal what would happen if you were hit by ransomware and it may influence your decision. It's perplexing to me that people decide to pay or not pay without first understanding the extent of damage they would sustain. This exercise also allows you to develop a plan for addressing and reducing the exposure to ransomware before an attack, it may also allow you to change your decision to placate or resist the demands made over time.
While performing a simulation, you need to administer the Immediate Action Drills (IAD) related to your ransomware protocol. IAD, a practice we originated in 2016 and is part of our incident response training. These are the steps you would take without requiring additional authority or consideration. The IAD is singularly drive by cause and effect. One of the steps required in your IAD is to check with NJCCIC and discover if a ransomware decryption key exists for the attack you have experienced. You can learn more about NJCCIC and what they offer at http://cyber.nj.gov. If there is a known decryption key, then your protocol should include attempting to decrypt the impacted assets and avoid consenting to the ransom should decryption efforts prevail.
At this point, you have simulated an attack to determine your real exposure and defined your new ransomware protocol procedure. Now you need to determine if you will agree to the ransom terms, with the assumption there are no available decryption keys. If you decide to pay, there are things to consider before acting.
· What is the limit you are willing to pay? Most ransomware attacks demand an approximate payment of $50,000. But what if the attackers coerce you to remit $150,000 or $1,000,000? Establish your limits during your initial planning process.
· Should you hedge? Since all ransomware attacks use bitcoin, should you purchase $50,000 in bitcoin to hedge your expense and perhaps even make a profit? We have clients who have purchased $50,000 in bitcoin and have since seen a profitable return.
· Do you negotiate? Attackers see this as a business and may even have a heart. Telling them you are a non-profit, have a religious affiliation, serving disadvantaged groups, or offering similar reasons for not being able to afford their ransom may work in your favor. In most cases, the attackers have no idea who you are or what you do. It isn’t personal—you’re just part of a massive extortion campaign. By opening a dialogue with the attackers, you may be able to negotiate the payment amount. How do you negotiate? Most ransomware has chat windows or e-mail support really!
Now, let’s assume you don’t pay the ransom, here are a few things you need to consider. Most of this you should probably be doing already, but if you are going to take a stand, then you better be up to the task. It’s easy to make a moral decision until you are faced with the reality of your choice.
· Superior Backup Capability. You need to have backup-capability that is robust. You should simulate a ransomware attack against your backups and have your vendors demonstrate response and recovery. Be mindful that ransomware attacks do not discriminate. They will go after every file and system on your network—including HR files, payroll, financials, contracts, employee data, databases, configuration files, Active Directory—everything. The point is that everything must be backed up. We have responded to attacks in which the organizations had excellent backup capability for clinical data, but their employee and Active Directory systems were not safeguarded with similar levels of backup protection. That misstep didn’t go well for them when they needed to explain to the board that “yes, our patient data can be recreated, but it will take weeks before anyone can log in and use the systems and all employee data is locked up.”
· Don’t Just Failover. Automated failover is crucial in maintaining high availability of systems. Unfortunately, systems that dynamically failover can allow a ransomware attack to spread to standby systems. You need to reflect if such failover is worth the risk. By having a manual failover, you may inconvenience users and operations, but you also may have the chance to stop the spread of an attack and lower your recovery costs.
· How long are you in for? If you refuse to pay the ransom, then decide how long you are willing to hold your ground. What costs are too much? Is the impact on revenue too much? We often take company boards through this exercise and find that their appetite to stand their ground diminishes within 48 hours.
The reality is that no one wants to pay the ransom after being victimized. The other fact is that most people do pay. We have seen law enforcement agencies, who get hit by ransomware more often than hospitals comply with the demands because the disruption to operations is more damaging. However, does this mean I am advocating placating all ransomware demands? The reality is that this is not about me—it's about you.
The only goal in this article was to provide you with a platform to raise this issue in your organization. To outline items, you may wish to consider dispelling some myths. The decision to pay a ransom is not a natural choice under the best of circumstances. It often requires education of organizational leadership, legal oversight, possible considerations of human safety and respect for the emotions of all involved in that decision. Attempting to adopt a plan of action following an attach is considered in the day and age to be an unprofessional response to a crisis.