Contrary to the ‘popular opinion’ held by much of the security community, that companies should never, ever pay a ransomware ransom, my perspective is that sometimes paying is the only option left, and in those cases companies should pay up.
Ransomware attacks increased sharply throughout 2020, largely because of a rise in cybercrime during the global pandemic. Ransomware operators have been refining their tactics and repurposing publicly available exploits, allowing them to compromise an entire network in as little as 30 minutes. The threat landscape is always going to favor ransomware operators: they will always be faster and able to pivot more quickly than defenders. To think that anyone, even a cybersecurity company, can consistently out-pivot them is, in my opinion, foolish.
Ransomware victims are also constrained by a short window in which to act, roughly 48 hours on average, before the threat actors raise the ransom, publish the stolen data, or both. Unfortunately, many organizations do not have the resources to pivot immediately and remediate the situation. Paying the ransom happens more often than one might think, and companies should not be faulted for it once they have exhausted all alternative options.
So, how does an organization know when it is the right time to pay a ransom? This brief checklist is a place to start.
Not being able to remediate in the time allotted
Can the organization pivot right away and resolve the issue on its own? If it has assessed the malware, analyzed the situation, and determined that it cannot remediate before the ransom deadline, then the demanded amount is only going to rise, and it ends up in a negative loop in which it pays anyway, just later and for more.
Losing more money per day than the cost of the actual payment
Organizations, especially small- to mid-sized businesses, can go out of business if they cannot decrypt their data. If the organization is losing more per day of downtime than the amount being demanded, it may make sense to pay the ransom, restore operations, and let the incident responders go to work on making sure it does not happen again.
Operations are essential (people’s lives may be on the line)
If an organization performs an essential service, such as a hospital or a local government, it likely has neither the time nor the ability to spend weeks remediating. In these cases individual lives could be at risk, and these organizations will want to restore their networks and resume operations immediately.
I want to be clear about one thing: the first thing any organization should do when it experiences a ransomware attack is contact law enforcement. The second step is to engage a third-party firm that specializes in ransomware incidents. In ransomware situations, time is of the essence, yet organizations tend to panic and put on blinders to what is happening around them. In these moments the best people to have in the room will not be from within your organization. By working with a third party that specializes in ransomware scenarios and in communicating with threat actors, an organization gains the resources it needs to navigate the payment process. Working with cryptocurrency can be complicated, and a single mistake, such as sending funds to the wrong wallet, can leave an organization out a lot of money with even more trouble to follow.
In addition, organizations need to prioritize their incident response by properly identifying how the attack occurred in the first place and what they need to implement or patch so that the same attack cannot happen again. A payment buys a decryptor at best, not a clean network: the initial access vector and any persistence the attackers left behind are still there until they are found and removed. Once the payment is complete, it is imperative that organizations do not rush the remediation process and that they analyze and verify that their network is safe before returning systems to service.
Basic security guidelines and good cyber-hygiene are important, but they are not a complete solution to ransomware, and suggesting otherwise only gives more power to cyber-criminals. Threat actors pivot quickly, and while basic security guidelines may help against one type of attack, they will not necessarily cover situations such as a newly released exploit or a compromised administrator account.
People are going to make the wrong decisions (we are only human), and threat actors are going to find a way in, regardless of how robust an organization’s security posture may appear. The unfortunate reality is that sometimes organizations have no choice but to pay a ransomware ransom. If an organization has fully assessed the situation, brought in the appropriate law enforcement, analyzed the malware, and ultimately done its due diligence but still failed to remediate the ransomware without paying, then it should not be victim-shamed for paying the ransom.
For an opposing viewpoint, see Brian Honan’s argument that organizations should never pay a ransom.