Ransomware: Why 'To Pay or Not to Pay' is Not the Right Question

Many Western nations maintain hard and fast policies of not negotiating with terrorist organizations, especially regarding ransom payments. Experts in the field will tell you this is due to a policy of deterrence: if we eliminate or reduce the incentive, then, in theory, the threat actors have little reason to risk carrying out the operation.  

In the wake of gas pipelines, national health services and global food supplies having recently been disrupted or entirely shut down, a simple cost-benefit analysis demonstrates why a deterrence approach isn’t always feasible. Nations need fuel to drive economic activity, people need life-saving procedures and everyone needs food and other supplies to survive. 

Unfortunately, when organizations fall victim to ransomware, they often feel they have no option but to pay. Yet, ‘to pay or not to pay’ sets up a false dichotomy. Rather than ask if people should pay the ransom, we should be asking how we can prevent organizations from becoming victims in the first place. And so, organizations need to ask themselves what they can do to detect these threats as early as possible. 

Cyber Warfare: A Cat and Mouse Game 

Following the attacks against the Colonial Pipeline and Irish health services, we’ve seen another form of critical infrastructure hit by ransomware: the global food supply chain, with food processing giant JBS disclosing that it had paid $11m in ransom. 

Worryingly, it is not a question of if, but when, we will see more major attacks on critical infrastructure and services nationally and internationally. 

A recent, never-before-seen event, however, throws a wrench in the works of the attacker-victim dynamic. The FBI and DOJ recently managed to recapture a portion of the bitcoin ransom paid by Colonial Pipeline to the (now defunct) DarkSide cyber-criminal gang. While we do not know for certain what precedent this sets for attackers and victims, it certainly demonstrates that there may be a way to recover ransom funds — possibly removing the main incentive for attackers.

But does this actually remove the incentive or simply shift the goalposts? It is important to keep in mind that many cyber-criminal groups operate much like corporate organizations. They are agile, adaptive and innovative, and often use partner models that bring in more profit. Upon hearing the news that the FBI recaptured some of the ransom, attackers will certainly have pivoted almost instantly. The result will likely be a shift to a more anonymous form of payment like Monero, and a quick phasing out of the use of Bitcoin to receive ransoms. 

This ‘cat and mouse game’ between attackers and defenders has long been at play. For example, when businesses started to back up their data as a proactive measure against ransomware, attackers began making copies of victims’ data so they could threaten to release it online — a process known as ‘double extortion ransomware’. This ensures a firm hold on the victim, and in many cases applies enough pressure to guarantee a payment.

To Pay or Not to Pay: That is Not the Question 

While the recent recovery of some of Colonial Pipeline’s ransom is the first officially confirmed case of its kind by the FBI and DOJ’s new ransomware task force, many are likely asking whether it is reasonable to expect this process to continue in the future. Yet, we must not lose sight of the greater problem, which is detecting and responding as early as possible (and in some cases as fast as possible) to reduce the incentive for criminal organizations to strike.

To pay or not to pay is not the question. First, paying the ransom will not always lead to the restoration of the systems. In a minority of cases, paying the ransom leads to partial or full restoration of an organization’s data and systems. This can be because the attackers are sloppy and accidentally break things as they lock them down, or because they really have no incentive to help an organization once they have seized the funds. Second, even when systems are restored in part or in full, the financial cost of operational downtime while the files and systems are still locked will often be far higher than the minute cost of the ransom demanded. Especially in critical infrastructure organizations, which often oversee industrial operations such as manufacturing or energy production, the cost of even an hour of downtime can run to hundreds of thousands of dollars, and to millions per day.

These financial costs are further compounded by the reputational damage to an organization that typically follows ransomware. There are also social costs when critical infrastructure organizations like Colonial Pipeline are shut down for a duration of time, as we saw with the panic-buying of gas and long lines at the pump. Cyber-criminals know this, and they want these costs to radically eclipse the funds forfeited in the ransom so as to extort victims with maximal pressure. The amount of money in the ransoms being requested is not arbitrary. In certain industries, it’s often more cost-effective to take the risk and pay the ransom. 

Given these factors, the focus needs to shift from reactive to proactive ransomware prevention and response approaches. The Biden Administration certainly has made great strides with preventative policies, such as executive orders and numerous warnings and calls to action for the private sector. However, given that ransomware is now classified as a national security threat, legislation alone is not enough. 

Attacks are getting smarter and faster, and, unfortunately, we know that most governments move slowly. This is the new war on cyber-terror. Nation-states are watching, and we no longer have the luxury of being merely reactive. We will need a concerted effort across the entire US government. This is not just a foreign or domestic intelligence agency problem but a challenge that can be overcome with technology. 

With sophisticated technologies, such as artificial intelligence, ransomware threats can be identified and neutralized at their earliest stages before the files are encrypted, stolen data is leaked online and national economies and global supply chains are disrupted. Against the rising tide of ransomware, using innovative technologies to strengthen defensive capabilities provides the best path forward in the present. 

Ultimately, by stopping attackers from carrying out their missions even once they have gained a foothold, we cut off their last remaining chance of success. We’ve already seen that we cannot achieve this with humans alone. So, rather than ask whether we should pay the ransom, both businesses and those in power need to implement and rely on sophisticated technologies that can stay one step ahead of attackers — that is, before the damage is inflicted. Let’s stop asking whether to pay or not to pay and instead ask what we can do to prevent tomorrow’s threats today.