Paying a ransom
As a topic for a cybersecurity panel, the question “To Pay or Not To Pay” in the context of ransomware often becomes a hotly contested discussion on points of ideological principle [1]. Certainly, when there is an incident occupying the news cycle, whether the victim chose to pay becomes a critical point of interest, as evidenced by a recent Times article in response to the compromise of UK outsourcing and professional services firm Capita (with comments from me).
Paying the ransom has, in many cases, become the default response, with observers often citing cyber insurance as the leading proponent [2]: essentially, an attempt by providers to limit their losses by taking any feasible step to reduce business impact. We also have the explicit admission by ransomware groups that they will deliberately target insurance providers and their customer base, presumably because of the higher likelihood of a payout.
In my opinion, it’s a fairly defeatist view, basically a “you’re screwed anyway, what else could go wrong?”. If you’re paying 10 million dollars for the benefit (or worse), I imagine most organisations would want to at least pause and think first.
A frequent response, particularly from those in Government and Law Enforcement circles, has been to challenge the questionable morality of it and the impact on the propagation of ransomware as a successful business model. Whilst true, that is often more of a macro strategic concern than one for the individual CEO who just wants to get their business up and running again. That’s not a criticism of CEOs, just being realistic.
The NCSC recently published a great post attempting to dispel some of the myths associated with responding to an incident, and in honour of Myth #3, “Paying a ransom doesn’t make the incident go away”, here are some of my own thoughts on why I strongly believe that to be the case with ransomware.
You can’t put the genie back in the bottle
One of the things I hear from ransomware victims is that the decision to pay the ransom has nothing to do with the encrypted files, but is instead the result of a double extortion tactic by the cyber criminals, where stolen data is threatened with sale online unless a payment is made. In these cases, the victim pays to avoid a more public data breach.
But the challenge is that it doesn’t “avoid” anything: the breach has already happened, and the criminals have already stolen the data. At least one interpretation I’ve seen, and one actively preyed upon by the attackers themselves, is that by paying the ransom to prevent onward sale, the victim can somehow appease a data regulator and avoid a fine associated with a breach of GDPR.
In fact, this isn’t the case, and the UK’s Information Commissioner’s Office (ICO) is fairly clear (from the ICO’s guide to Ransomware and Data Protection Compliance):
“… The ICO does not consider the payment of a ransom as an “appropriate measure” to restore personal data … If attackers have exfiltrated the personal data, then you have effectively lost control over that data … If you do decide to pay the ransom to avoid the data being published, you should still presume that the data is compromised and take actions accordingly …”
And, from an open letter from the ICO and the NCSC to the legal profession:
“… For the avoidance of doubt the ICO does not consider the payment of monies to criminals who have attacked a system as mitigating the risk to individuals and this will not reduce any penalties incurred through ICO enforcement action …”
So if you’re hoping that by paying you’re going to get a discount on your GDPR fine, think again. You can’t somehow undo a data breach by paying someone off.
There’s no legal protection, no NDA, no certificate of destruction
The business world lives by contracts and formal agreements, packed full of requirements and Service Level Agreements (SLAs) that define expectations, and if a supplier fails to meet those requirements or SLAs, you’ve got the power of the legal system to extract a penalty. If a business deal amounted to over $1.5 million, the average (mean) ransom payment in 2023 (so far), you’d probably expect some form of contractual protection. But no: at best, you have a pinky promise.
I’ve previously suggested that it is in the interest of a ransomware gang to honour their promise, as failure to do so would discourage future victims from paying. As a point of principle, I still stand by that view; however, there is another factor to consider.
Many of the more prolific ransomware gangs around at the moment are actually “Ransomware-as-a-Service” operations, a sort of franchise model where the actual operational work is done by an extended network of criminal gangs. Whilst we expect there are some guiding principles and rules they operate by, there are examples of an affiliate (the franchisee) going rogue from the main group, including a LockBit affiliate targeting a children’s hospital, for which the main group later apologised. Would an affiliate break ranks if they thought they could make a bit of extra cash, and to hell with the consequences? Of course they would.
Ultimately, all you can do is “trust” the group not to renege on their promise: a group that has already shown it is content to break the law in the first place and operates behind a veneer of anonymity, which would certainly make any litigation around a “breach of contract” tricky.
Premium prices, non-premium product
I’ve worked with enough ransomware victims over the years to know that even those that chose to pay the ransom and get a decryptor tool still don’t always get their files back. In many cases, the encryption and decryption process is simply so poorly put together that it can permanently corrupt the files altogether.
I’ve seen examples where the encryption process has failed, or has even encrypted a file that had already been encrypted by the same attack, resulting in an almost irrecoverable double encryption. There’s even the example of a ransomware strain from late last year that was irrecoverable from the start.
The tool you do get is very rarely “enterprise-grade”; it is often little more than a command-line script or executable that you need to run manually on every single file separately. On an enterprise-level file server, that’s a lot of manual button clicks by the IR teams to get your files back, or at best they’re going to have to write their own deployment script to automate it as much as they can.
And I’ve definitely been involved in one non-public case where the recently paid-for decryption tool was swallowed up by an over-active anti-virus engine, which had been turned up to the max following the missed detection of the original ransomware tool in the first place.
Are you breaking the law by paying a ransom?
Firstly, a disclaimer - I am not a lawyer and nor should this serve as legal advice, but you should definitely consider what your obligations are here and not just dismiss it!
Whilst future legislation may well make it illegal to pay a ransom (which in itself is a contentious approach), you may well end up in breach of other pre-existing legislation, including breaching sanctions levied either directly on named criminal groups or more broadly as a result of the invasion of Ukraine by Russia.
What can you do instead?
Avoid it in the first place
This is obviously the ideal scenario, and whilst the likes of Law Enforcement, National Authorities such as the NCSC, and the wider Intelligence community will take action at a strategic level, this doesn’t absolve you of responsibility. Take genuine steps to make your organisation a hard target, follow best practices around basic security hygiene, and put measures in place to catch any intrusion early.
Backups do help
Whilst they’re not a 100% fix, they absolutely do help, and normally give you enough to get back on your feet again. Yes, they can be slow to recover from and will miss more recent data that wasn’t included in the last backup cycle, but if you accept a little bit of pain, it will give you a reason not to pay up. My main bit of advice here, though: make sure you know how to back up and what your coverage is like. Run an exercise to try to recover a few devices or fail over to some DR capability. You don’t want the first time you have to do it to be for an actual incident!
Communicate clearly
One of the drivers for paying is trying to minimise reputational damage; avoid that from the beginning by taking control of the narrative. Be open and transparent and the attacker will have no bargaining chips. If nothing else, the legal proceedings against the ex-CISO of Uber show that trying to pay “hush money” to a cyber criminal and then disguising the payment as something else will actually get you into more grief than had you not made the payment to begin with! Personally, I still remember the incredible transparency provided by Norsk Hydro following their ransomware incident in 2019, and with it their YouTube videos outlining how they were responding.
Decide ahead of time
A cybersecurity incident is an emotional period, and in the era of ransomware it’s no longer something for just the IT and Security teams to worry about. Something that damages the whole of the business’ ability to operate is going to be an emotionally charged conversation, full of knee-jerk reactions. Better to have a pre-agreed line ahead of time, something that has the Board’s endorsement and allows you to define your incident response plans in the full knowledge of the route you plan to take.
Ransomware is only a profitable business model if attackers can make it in your best interests to pay the ransom. But paying the ransom is a short-cut with dangers and pitfalls that you might not be thinking about at the time. Better yet is a scenario where paying a ransom is not even on the table.
[1] For example, this was the subject of an interesting debate hosted by colleague Dougie Grant, now European MD at Nihon Cyber Defence, at a fringe event during the NCSC’s 2023 CyberUK conference in Belfast: https://www.irishnews.com/business/2023/03/28/news/to_pay_or_not_to_pay_-_that_s_the_question_as_ransomware_attacks_rise-3161090/
[2] An interesting discussion on the impact of the cyber insurance industry is presented here: https://www.usenix.org/system/files/sec23fall-prepub-292-woods.pdf