The Ransomeware Dilemma
Ransomware has been top of mind a lot lately. For many cybersecurity professionals working in corporate enterprise, the fear of dealing with ransomware is ever-present. The past 2 to 3 months have been especially brutal as the conversation has swung to making it illegal to pay a ransom.
There are problems on both sides of the ransomware payment debate, and when you sit down for a minute and take away the hype, it’s actually a difficult decision.
First, let’s look at the reasons you would pay the ransom.
- Sometimes you just don’t have another choice. Your Cybersecurity strategy has failed you, attackers have gotten in and ransomed your critical data. What do you do? If you haven’t prepared for this moment and have backups and strategy ready to go — you probably have a choice of paying or closing the doors. I know which option I’d choose if I had to.
There isn’t really a second reason. You pay because you have no other alternative that’s viable. You are out of options, you do what you have to for business continuity. The end.
Next, let’s discuss why you shouldn’t.
- Most importantly, here, is that paying a ransom provides funding to attack the next victim and fuel the attacker(s). The surest way to end ransomware is to make sure nobody pays the ransom. Then the business model dies, and attackers move on to something else, presumably. Alright, easy to say but is that realistic? I dare say, no. There will always be cases — in the real world — where a company will have to pay. Whether through their own negligence, or sheer accidental oversight — they will be stuck with no other alternative than paying the ransom or facing some catastrophic end. When you pay a ransom you’re funding terrorism. While that may seem harsh — it’s fairly accurate.
- Equally obvious, but maybe not as prominent is that there’s no guarantee that you’ll get your data back or that the extortionists won’t publish your secrets anyway. Then you’re screwed, and out a lot of money. In recent times ransomware operators have become adept at providing customer service and making sure you get your data back. This may make you hopeful, but it’s not a guarantee and every group is completely different in their reputation and dealings. Some gangs are out for just the money, some are out for espionage, and some are out for something else. But there’s one sure thing, and that is that there is no guarantee.
Alright, so what’s this mess with making it illegal to pay a ransom?
If you want to squash the marketplace for ransomware, make it illegal to pay a ransom. For companies that do so anyway, you create a negative incentive and hope that this doesn't drive ransomware payments underground. It likely will, though.
Here’s the problem, though. Saying “We’ll make it illegal starting next year” means that there’s going to likely be an insane rush by ransomware operators to capitalize on their business model before the payouts drop off. You’re literally going to create a rush to get paid while it’s still possible. If you’re going to make it illegal, do it starting Monday. I know, it pulls the rug out from under companies that are under-prepared with sufficient cybersecurity measures — but we’re halfway through 2021 and frankly, if you’re not protecting yourself at this point, is anyone else to blame?
OK, you’re saying, we’re going to do this. If you’re not doing good enough security, that’s your problem. Right?
Except that there’s a massive amount of companies that are still going to get ransomed. Even those who think they have good security measures in place. Even those who spend millions on security and have reasonable security operations in place. So what about them?
I’m not saying I have an answer here, but it’s something we absolutely need to think about before we make decisions that could quite literally put a company out of business. Security is difficult, and it’s not absolute, so this is a much more complicated topic than many of us would like to admit.