Whether to Pay Ransomware Demands is Foremost a Business Decision
By Christopher “Tophs” Elisan
For the better part of a month, the city government of Baltimore has been in the grip of a ransomware infection. Many essential services are in limbo and officials are holding firm against paying the attacker’s $100,000 ransom demand.
This is a decision that business leaders whose organizations are victims of ransomware crash into headfirst every day: to pay or not to pay. And make no mistake, that is a business decision rather than an IT or IT security decision.
Paying a ransom can drift toward becoming a viable option when weighed against unacceptable losses that system and service unavailability may bring to an enterprise or federal or civilian agency. This flies in the face of stern recommendations from law enforcement and the security community, both of which are adamant against paying for fear of propping up a criminal ecosystem, and without a steadfast guarantee that encrypted files and locked down systems will be returned intact.
Paying Ransom is a Balancing Act
The immediate and future financial viability of a company and fiduciary responsibility to stakeholders could heavily sway such a conversation toward meeting an attacker’s demands. Even so, organizations must tread carefully should they choose to pay; there are no guarantees that a decryption key will be delivered, nor would there be an assurance that files haven’t been corrupted, or that internal staff has the wherewithal to handle the keys properly and decrypt every file and unlock every system.
Nonetheless, research and advisory firm Forrester Research says it has been tracking a notable increase in ransomware payouts, according to a report released this week called “Forrester’s Guide to Paying Ransomware.” Its analysts now recommend that paying ransomware should at least be considered a viable option in order to offset potentially catastrophic business interruption. The firm does remind potential victims that paying a ransom isn’t an automatic path to recovery, which is complicated in any extortion scam.
Backup is a victim’s best friend. A recent, reliable, and secure backup can have an organization up and running relatively quickly and with minimal downtime. They’ll also be spared the potentially risky task of engaging directly with a threat actor, as well as procuring and transferring cryptocurrency to meet the attacker’s ransom demand. These tasks aren’t covered in traditional incident response plans where system cleanup and reimaging is self-contained and can be accomplished in relatively short order.
Instead, incident response in a ransomware event requires an entirely new dynamic, one that involves a crucial step of reaching out to the attacker, either directly or through a professional negotiation specialist. Such an expert can not only handle communication with a threat actor, but also verify that the attacker has indeed accessed the systems, assess the attacker’s track record with other victims and the integrity of the wallet accepting payments, among other considerations.
Delicate Ransomware Negotiations Ahead
Much of this happens to support the decision to pay a ransom, even as recovery efforts may continue in the meantime. The driving factor behind this difficult decision is most often dollars and cents. Should operations face a long-term interruption, organizations can decide it could be cheaper to pay even a hefty ransom rather than face days or weeks of downtime where the costs would exceed the total ransom demand; Forrester says the average ransomware incident lasts 7.3 days.
The kind of expertise provided by a negotiation specialist becomes especially important as ransomware attacks become more and more targeted. By targeting specific organizations, threat actors can intensify reconnaissance and perhaps gain an understanding of how much an enterprise stands to lose and perhaps what they may be motivated to pay in ransom.
Forrester recommends running two recovery activities—conventional incident response, and communication and negotiation with the attacker—in parallel. IR teams should still run forensics and validate the possibility of recovering from backup, while at the same time beginning communications with the attacker; those communications could include negotiating a discount and, finally, validating the decryption key by asking the attacker to decrypt a sample file. At that point, organizations can decide whether recovery from backup is possible and viable, or whether they need to pay for the attacker’s decryption key and recover with it.
A negotiation specialist brings expertise in particular ransomware strains as well as the threat actors behind them. That type of intelligence can help an organization make its final decision and understand whether successful recovery is even possible. There is also a skill to negotiation, and a professionalism, that comes from someone somewhat detached from the incident. Forrester also recommends that organizations consider paying only for a few critical systems in order to keep costs down, especially when recovery via backup is possible for some of the files and systems under attack.
In the end, decision-makers must make the call as to whether to pay in a ransomware incident, and only after all options have been considered and all recovery options exhausted.
Ultimately, paying a ransom demand is a business decision, and one that organizations must prepare for in advance by contracting with a negotiation specialist and considering how they would procure cryptocurrency in the event of an infection.
Many times that type of expertise isn’t in the wheelhouse of an enterprise’s incident response team; ransomware requires a new paradigm of contingencies related to response.
Few organizations today know how to best interact with an adversary, acquire cryptocurrency, and successfully and safely move that money to an attacker’s wallet without putting the organization at further risk.
Click here to access Forrester’s Guide To Paying Ransomware, Q2 2019.
Christopher “Tophs” Elisan
Director of Intelligence
Christopher “Tophs” Elisan is a seasoned reverse engineer, malware researcher, and published author. He speaks at conferences around the world and frequently provides expert opinion about malware, botnets and advanced persistent threats for leading industry and mainstream publications. Elisan’s published works include Hacking Exposed: Malware and Rootkits, 2nd ed.