Paying any ransom incentivizes cybercriminals — it keeps their market going. But at the same time, refusing one extortion demand is not enough to break the system.
"If we say 'don't pay,' have we done anything to even scratch the surface of the bucket of that industry? The answer is just plain no … you're not big enough," said Matthew Toussain, founder of Open Security, during a SANS webcast Thursday.
The decision to pay a ransom is a polarizing topic. Some experts agree that it's the best choice — high-level ransomware operators have a reputation to maintain and they'll provide decryption keys in exchange for payment. Other experts warn the more industry pays into cybercrime, the worse it will get, not to mention the cascading implications of funding criminals.
"If we say 'don't pay,' you've done nothing to make society better," said Toussain. "The only way that that works is if everyone doesn't pay." Given the current climate and a lack of a unified approach, businesses decide whether "to pay or to suffer."
In May, Colonial Pipeline paid DarkSide operators $4.5 million the same day it was attacked, in what CEO Joe Blount called "probably the hardest decision I've ever made in my career," in an NPR interview.
While Blount recognized the payment could contribute to more ransomware, "when you know that you have 100 million gallons of gasoline and diesel fuels and jet fuels that are going to go across the Southeastern and Eastern seaboard of the United States, it's a very critical decision to make," he said. "It was the right decision to make for the country" to get the decryption keys as quickly as possible.
Company costs are not the only motivating factor for paying a ransom — it's people.
The JBS ransomware attack caused the meat producer to shut down plants where employees are likely working paycheck to paycheck, "and that resonates with me," said Jake Williams, SANS analyst and senior SANS instructor, during the webcast.
"When you're talking about sending 150 employees or 250 employees home, and maybe not coming back … that's a big, big deal. So there's a human cost to this," said Williams. He encourages paying the ransom in some cases.
The human component sometimes hurries companies into responding to an attack the way Colonial did. The human aspect is one of the variables government and companies have to weigh in any utilitarian approach to ransomware, and that weighing is difficult.
"We don't have the full view of all the variables," said Ryan Chapman, principal incident response consultant for the BlackBerry Security Services Team, during the webcast.
Chapman does not want organizations to pay a ransom, and would ultimately like to reach a point where attacks have the least impact on humans and emotions. In April, Babuk ransomware actors threatened to expose informants of the Washington, D.C. Metropolitan Police Department. "When data is leaked, you have loss of privacy, and you have loss of people and who they have their digital lives really are," Chapman said.
White House takes on ransomware
Ransomware led to more than $29 million in adjusted losses in 2020, the FBI found. That amount does not reflect the losses related to business, time, wages, files, technologies or third-party incident response costs. And because some victims do not report a ransomware incident, the FBI's adjusted loss estimation is "artificially low," the agency said.
The White House acknowledged ransomware attacks have surpassed data theft and reached a core business operations threat. "To understand your risk, business executives should immediately convene their leadership" to review security posture and continuity plans, Deputy National Security Advisor Anne Neuberger wrote in a memo to the private sector Wednesday.
The Justice Department decided to escalate cyberattack investigations to the same priority level as terrorist attacks, Reuters reported. "We've used this model around terrorism before but never with ransomware," said John Carlin, acting deputy attorney general at the DOJ. The internal guidance calls for centrally coordinated ransomware investigations with the Ransomware Task Force.
The task force discourages paying ransoms yet recognizes "the challenges inherent in barring payments," including the costs of rebuilding infected networks, the report said.
Before an organization has to confront a ransom note, the task force wants to see the government implement policy and agencies combine capabilities.
"It's also about shoring up documentation and the availability of frameworks and response models," said James Shank, senior security evangelist and chief architect at Team Cymru, and a member of the task force, during the webcast. When these defensive layers are combined, they will hopefully bolster a company's confidence in its decision to refrain from paying.
"Most of it is about not wanting to shortchange the possibility of your business staying open the next day or the next week. And that's the wrong focus," said Shank.
The Biden administration's ransomware strategies involve:
- Disrupting ransomware infrastructure in partnership with the private sector
- Developing an international coalition to handle cybercriminals in safe haven countries
- Expanding cryptocurrency analysis to trace ransom-related transactions
- Reviewing the government's ransomware policies
Part of the international coalition will have to address safe havens, where cybercriminal groups do not fear prosecution either because the country cannot track them or their activity is considered legal, said Shank. Safe havens are challenging to reconcile, but he argues "you can remove the award … you're ripping off that motivation from underneath them."
Trust or customer service?
Paying a ransom is seldom a business's first choice. Yet proponents of either side — to pay or not to pay — agree there are nuances in the decision.
With the added threat of stealing the encrypted data, ransomware operators can hold encryption and breaches over the heads of their victims. Last month insurance company CNA was targeted by Phoenix, a ransomware group with ties to Hades (run by Evil Corp.).
"CNA is to be taken at face value," said Williams. The insurance company restored operations before paying the ransom but still paid $40 million. "What else is there? Must be the data."
Based on his experience in ransom negotiations, companies often get their data back after paying, said Williams. But Chapman argues there is a good chance a company does not even grasp what data they have, so how can they know they got it all back?
"Determining what percentage of your data you're getting back is so ridiculously difficult to calculate," so start with the critical systems needed to be operational, said Chapman. He has "never seen" an organization get back "all of its data." Expect at least some percentage of loss, though the company may not even know how much that is, Chapman said.
Williams' experience in data return is different; the clients he advises to pay retrieve their decryptor. However, in ransomware incidents where there is insufficient intelligence on the threat actor and their penchant for keeping their word, he does not advise them to pay.
Because ransomware gangs tend to rebrand to evade law enforcement, it's less of a matter of trust between victim and criminal, and more customer service, said Shank.