Incident & Breach Response , Next-Generation Technologies & Secure Development , Security Operations
Ransomware: Is It Ever OK to Pay?Payoffs Create 'Perverse Incentive' for Attacks to Continue
Ethical question: Is it ever acceptable for ransomware victims to pay a ransom to obtain the decryption key required to restore access to their data?
See Also: Live Webinar | Breaking Down Security Challenges so Your Day Doesn’t Start at 3pm
Many security experts urge organizations to prepare defenses against ransomware infections, as well as backup recovery strategies, so they don't have to answer that question (see Ransomware Epidemic Prompts FBI Guidance). At the same time, however, a string of recent high-profile ransomware infections has demonstrated just how ill-prepared many organizations appear to be. Furthermore, by paying a ransom, victims invite further attacks from their previous attacker, experts warn.
"It is difficult to say as an observer whether or not a company should pay the ransom," says Dublin-based cybersecurity consultant Brian Honan, who advises the EU law enforcement intelligence agency Europol. But as a general rule, he says, "while we appreciate the difficulties many companies face when falling victim to a ransomware attack, we recommend to clients who have been the victim of such an attack to not pay the ransom."
Of course, that's a decision that each individual ransomware victim must make. "Collectively and over time, 'Paying doesn't pay.' However, sometimes individually and at a point in time, it may be the cheapest option," says information assurance consultant William Murray, who's an associate professor at the U.S. Naval Postgraduate School (see Town Faces Ransomware Infection, Blinks). "Moreover, not paying is not free. Even for those organizations that have good backup, using it is not free." That's a reference to the inevitable downtime that even well-prepared organizations will face as they take infected systems offline, scrub them, then restore the systems using offline backups.
For many, the disruption caused by any ransomware infection - even at well-prepared organizations - complicates related discussions of what, ethically speaking, is the "right" response to ransomware. "I can understand paying once. I also understand that, as with all extortion payments, paying even once paints a target on one's back," Murray says.
On the flipside, however, preparedness is relatively cheap, provided organizations are smart enough to plan ahead. "Computers do few things as well as they create cheap, dense [and] portable copies. Moreover, we have great connectivity and cheap cloud storage," Murray says. "Backup is generally efficient and cheaper than paying 'protection.'"
FBI: It's Up to Victims
Of course, not all organizations plan ahead. In October 2015, Joseph Bonavolonta, assistant special agent in charge of the cyber and counterintelligence program in the FBI's Boston office, kicked off a ruckus after he reportedly told a cybersecurity conference that when it comes to ransomware, for anyone who wasn't prepared, "the easiest thing may be to just pay the ransom," and that the "overwhelming majority of institutions just pay the ransom" (see CryptoWall Ransomware Gang Extorts $330,000).
But the bureau's official line, delivered in a February 8 intelligence memo to Sen. Ron Wyden, D-Ore., that his office recently released, is the following: "The FBI does not advise victims on whether or not to pay the ransom." Instead, the FBI says it engages in extensive outreach, advising individuals and organizations to prepare, in part, by maintaining offline backups. "If all individuals and businesses backed up their files, ransomware would not be a profitable business for cybercriminal actors," it says.
Barring proper preparation, victims are left with few options. "If none of these precautions have been taken and the individual or business still wants to recover their files, the victim's remaining alternative is to pay the ransom," the FBI says in the memo, which was sent to Sen. Wyden after he queried the bureau in December 2015 about how it was responding to the ransomware threat.
Summarizing the bureau's guidance, Sean Sullivan, a security adviser at Helsinki-based security firm F-Secure, notes in a blog post: "The official answer is the FBI does not advise on whether or not people should pay. But if victims haven't taken precautions ... then paying is the only remaining alternative to recover files."
Payoffs Incentivize Attackers
That dilemma has been demonstrated in recent weeks by a string of high-profile incidents in which multiple hospitals have been infected by ransomware. In February, Hollywood Presbyterian Medical Center paid almost $17,000 to attackers to obtain a decryption key after it suffered a ransomware attack (see Ransomware Attacks: A Call to Action).
In the wake of multiple reported ransom payoffs, Sen. Barbara Boxer, D-Calif., wrote in an April 8 letter to FBI Director James Comey: "I am concerned that by ... paying these ransoms, we are creating a perverse incentive for hackers to continue these dangerous attacks." She also asked what the FBI was doing to combat the problem.
Given that Wyden posed similar questions in December, and received detailed answers in February, "it seems that [Senator Boxer] is playing catch up," F-Secure's Sullivan says via Twitter.
On the other hand, the problem hasn't been going away in either the private or public sector. On the latter front, the ranking member of the Senate Homeland Security and Governmental Affairs Committee - Sen. Tom Carper, D-Del. - recently queried the readiness of the Department of Homeland Security to fight off ransomware. DHS subsequently told him that 29 federal agencies were targeted with ransomware 321 times between June and early December of 2015, although many questions - including the total number of systems compromised and the extent of the damage or disruption - remain unanswered (see Are Federal Agencies Prepared to Stop Ransomware?). In no case did any agencies pay a ransom, DHS reported.
When Does it Pay to Pay?
Following the Money
The reason ransomware persists is simple: attackers are making oodles of money. One recent campaign earned attackers at least $325 million in profits, while U.S. victims tell the FBI they paid $24 million in ransoms in 2015. Cisco's Talos security group says that just one type of ransomware, Locky, reportedly infects about 90,000 users daily, after which it demands an average ransom of between 0.5 and 1 bitcoin ($213 to $426). It notes that an estimated 2.9 percent of ransomware victims pay ransoms.
"We are seeing a huge increase in ransomware attacks simply because they are successful and profitable for the criminals," says Honan, who also heads Ireland's computer emergency response team, IRISS-CERT. "Ransomware is crude but effective, and will continue to thrive so long as people pay, or until those behind the attacks are identified, arrested and convicted."
When it comes to stopping ransomware, however, one difficulty is that "most of the top cybercriminal actors that we are aware of are located outside of the United States" and often in Eastern Europe, the FBI says, thus making extradition difficult (see How Do We Catch Cybercrime Kingpins?). Likewise, since the 2014 disruption of CryptoLocker ransomware, attackers have shifted to demanding ransom payments in tough-to-trace bitcoins.
But the FBI tells Wyden that it's playing a long game. "The FBI is committed to following the money in investigating all crimes with a financial component; ransomware is no exception," it says. "Even where payments are collected in cryptocurrencies such as bitcoin, the FBI analyzes the public blockchain transaction ledger to trace payments. Ransomware perpetrators, however, often use sophisticated techniques to obfuscate their transactions on the blockchain and also gravitate toward complicit exchanges that collect little-to-no information on their customers and operate out of hard-to-reach jurisdictions."
If many attackers today appear to be operating with impunity, security experts say it's nevertheless critical for victims to keep reporting individual attacks to law enforcement agencies. "Remember to report it, no matter what action you decide to take," Murray says. Even if law enforcement agencies don't solve every individual ransomware case, reporting the attack helps authorities track the severity of the problem, identify and track cybercrime rings, request appropriate funds - for example from Congress - and focus their budgets and resources accordingly.