When do you pay the ransom?

Despite having many posts in draft at the moment, I've had writer's block (an inability to write) for a while.  This post was inspired by a comment in an (ISC)² talk I watched online earlier.  The comment was "there's no moral reason to ever pay the ransom", and I don't think it's as clear cut as that.  I'll discuss the reasons why in this post.

For clarity, my frame of reference is a citizen of the United Kingdom (UK).  There's no law here that prevents individuals or companies from paying ransom demands, although you would want to be careful that you're not funding terrorism.

What's ransomware?

Ransomware is malicious software (malware) with the goal of denying the end user access to their files unless a fee is paid.  A common technique to achieve this is to encrypt the files, meaning they can only be retrieved with a decryption key.  Once files are encrypted the attacker requests payment, often in BitCoin or some other crypto currency.

"No moral reason"

Part of the speaker's reason for asserting there was "no moral reason" to pay the ransom was that you are merely paying a criminal enabling them to attack someone else.  Let's unpack that first of all.  Their first victim likely wouldn't have been paid for by someone else, the attacker probably just spent some money in the hope of getting a return (speculated to accumulate).  Given the way the ransomware marketplace works, essentially being able to purchase ransomware and use it multiple times, there's potentially a high return on investment.  Ergo, the suggestion that paying means the attacker can target someone else doesn't work for me.

What if you have a moral reason to pay?

Consider the scenario where a small business, perhaps employing three people, suffers a ransomware attack.  This is a business without any dedicated IT staff, no cybersecurity team, and without any backups.  Since falling victim the business has struggled to operate - there's no access to client data, no details of appointments.  If the business doesn't gain access to its data quickly then it will fail, putting three people out of work.

Now, we could all sit here and say how the business should have had backups, and better planning, but that's not actually helpful.  Our job as security professionals is to help the business to achieve its goals.  Our job is not to mock the victims of attacks.  As much as it goes against principles, it may be best for the business to pay the ransom to get its data back.  I accept that puts money in the hands of criminals, but at least getting the data back means the employees still have a job.

There's no guarantee

I wouldn't be able to recommend a business pay the ransom, not unless there was no other option.  That's partly because the ransom goes to criminals, but also because there's no guarantee the data will come back.  Paying the ransom is a risk and there's no hiding that fact.

Newer ransom demands are twofold - a price to give your data back, and a price to not reveal your data to other people.  This second angle is extortion, and is another way to extract money from the victim.  Again, even if you pay the ransom there's no guarantee your data won't be given to a third party.

A need for change in the law

I mentioned there's no law preventing organisations in the UK from paying a ransom demand, yet I and some of my colleagues are of the opinion that needs to change.  In my current (May 2022) role I work in the public sector for a local council.  If the law said it was illegal for us to pay the ransom, and this was well known, there'd be no point in targeting us intentionally with ransomware.  We'd be taken off the board, so to speak.

Obviously that wouldn't make any difference if we were "collateral damage", an accidental victim, but it would reduce the likelihood of a targeted attack.

Backup in order to recover

Backup, backup, backup - it's all about the backups.  Once hit by ransomware your only course of action, besides paying the ransom, is to restore your files from backup.  Attackers are smart, and they don't necessarily just go for your primary data store - sometimes they'll destroy or encrypt your backups too.

In order to be a useful backup in this scenario the backup storage (e.g. an external USB drive) needs to be disconnected from the original data.  Leaving the drive connected all the time merely means the ransomware can attack the backup files too.  Ideally you'll want multiple backups, allowing you a choice of restore points.

In conclusion

While I've only given one example of why there might be a moral reason to pay up, I do think it's a compelling one.  Paying a ransom isn't a clear cut decision to me, and while it wouldn't be my preferred choice it could be the only choice.  Sadly I don't think this problem is going to go away any time soon.

Stay well backed up folks!

Banner image: Ransom Sign by liftarn on OpenClipart.