Ransomware: To Pay or Not to Pay

If you pay attention to cybersecurity headlines, you’ve probably seen the cautionary tale of Riviera Beach, Florida, which was the victim of a cyberattack that held its systems hostage and locked down its network. It’s the latest in a string of similar stories that have popped up over the last couple of years — Atlanta and Baltimore are perhaps the two best known. Riviera Beach, though, is notable not because of the attack, but because the city paid the ransom. Why? While other factors may have come into play, there is no denying that the ransom was cheaper than the cost of rebuilding its systems. Riviera Beach’s City Council agreed to have its insurance carrier pay 65 Bitcoin (about $592,000), while cities that opted not to pay ransoms have spent millions of dollars rebuilding. It makes financial sense, sure — but is it wise?

When it comes to traditional ransom situations involving human kidnappings, every movie, TV show and crime novel ever created has taught us “the U.S. doesn’t pay ransoms.” But of course it’s more complex than that — people’s loved ones’ lives are at stake, and so we’ve seen the movies and, more compellingly, heard the real-life stories where the ransom is paid. Why is it U.S. policy not to do so? This line from an ABC News story pretty much sums up the argument: “Terror groups collected approximately $165 million in ransom payments between 2008 and 2014, according to estimates released by the Treasury Department, with ISIS earning $45 million in 2014 alone.”


The argument against funding criminals still holds true when what’s “kidnapped” is data. Paying the ransom in a cyberattack funds the group doing the attacking — criminals at best, and in some cases worse. Verizon’s 2018 Data Breach Investigations Report notes “Members of organized criminal groups were behind half of all breaches, with nation-state or state-affiliated actors involved in 12%.” Some better-known examples include Orangeworm, the group behind the series of attacks focused primarily on healthcare in 2018, and Lazarus, the North Korean group behind, among others, the Sony Pictures hack. “[B]y paying a ransom, an organization might inadvertently be funding other illicit activity associated with criminals,” says the FBI’s official statement on cybercrime.

The FBI is very clear in its stance on the matter: it does not support paying a ransom in response to a ransomware attack, stating: “Paying a ransom doesn’t guarantee an organization that it will get its data back — there have been cases where organizations never got a decryption key after having paid the ransom. Paying a ransom not only emboldens current cybercriminals to target more organizations, it also offers an incentive for other criminals to get involved in this type of illegal activity.”

So were Riviera Beach and other cities and municipalities that have paid the ransom wrong to do so? Rewarding bad behavior aside, sometimes practicalities come into play that supersede the “right” thing — a lack of backups being the primary one. According to a Palm Beach Post report, Riviera Beach was using an outdated security system — one that was “susceptible to security concerns and ransomware viruses,” according to what the city’s IT manager told the city council during a February meeting, after which a new $800,000 system was approved for purchase — and never installed.

At the risk of mixing metaphors, it’s easy to point fingers from inside a glass house — but what were Riviera Beach’s options? The price tag for Atlanta’s attack, reported at about $2.6 million in the initial aftermath, could hit $17 million, with almost $6 million going toward security services and software upgrades, and more than $1 million for new desktops, laptops, smartphones and tablets. Baltimore’s costs are expected to reach $18.2 million when adding lost or delayed revenue to the direct costs to restore systems.

Also worth noting is that, in Riviera Beach’s case, it is insurance that is paying the ransom. Cybersecurity insurance is quickly becoming a common price of doing business, but it’s easy to see how fast costs could spiral out of control.

For one thing, there is an argument to be made that not shouldering the full financial burden of an attack may lessen the sense of urgency in being prepared for one — Lake City, Florida, which was attacked around the same time as Riviera Beach, also paid the ransom and issued a press release noting it is “responsible only for the $10,000 deductible to the League of Cities, thanks to a comprehensive insurance plan the City already has in place.” Is $10,000 enough incentive to ensure, at any cost, that such an attack doesn’t happen again? It’s a lot less than the $800,000 Riviera Beach spent on those (uninstalled) upgraded backup systems.

And what does an increase in claims do to premiums for everyone involved? Just as homeowners see their costs go up after a widespread disaster and a rash of claims, those paying for cybersecurity insurance will bear the burden of increased attacks — which will happen, in part, because insurance is paying cybercriminals’ demands, leading to more attacks. Lather, rinse, repeat.

Regardless of the reasons why, there is no question that attacks are increasing. Security firm AppRiver recently released its Midyear Security Report with data on what it calls “Cities Under Siege,” noting that “2019 has already been a record year for some very disruptive attacks, which appear to be affecting municipalities at an alarming rate.”

And here is the final catch: There’s no guarantee that paying the ransom will ensure the systems come back up — we’re talking about criminals, after all. Do you really want to take the word of an international crime syndicate that, cross its heart, you’ll get all your data back once you pay?

There is no shortage of articles, resources and information on protecting yourself from cyberattacks — I personally write about it at least once a year and both of our publications dedicate entire issues and a wealth of resources to the subject of security. But it’s a constantly evolving subject, and the most important thing to do is stay vigilant. Preparation and prevention are the most critical steps to take, and that includes having a complete backup. Once you’re already compromised, someone else is in control of your data — if you haven’t prepared, then you’re at the whim of the attackers, and the decision to pay or not to pay is, unfortunately, the only one you have.
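A “complete backup” is only complete if someone has checked it before the day it is needed. The following is an added example, not code from the article or from any of the cities it mentions: it builds a SHA-256 manifest of a source tree, then verifies a backup copy against that manifest and reports files that are missing or whose contents no longer match. The source tree, the backup copy, and the two failure modes (one file never copied, one overwritten after the copy) are all constructed inside a temporary directory so the script runs offline; the file names and the `run_demo` scenario are assumptions for illustration only.

```python
"""Backup completeness check: build a SHA-256 manifest of a source tree and
verify that a backup copy contains every file, byte-for-byte. Added example;
the sample files and failure scenario are constructed for illustration."""
import hashlib
import shutil
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large files don't need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict[str, str]:
    """Map each file's path (relative to root, POSIX separators) to its digest.
    Store this manifest somewhere the backup job cannot overwrite it, so the
    later check is not comparing a backup against itself."""
    manifest = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            manifest[path.relative_to(root).as_posix()] = sha256_file(path)
    return manifest


def verify_backup(manifest: dict[str, str], backup_root: Path) -> dict[str, list[str]]:
    """Compare a backup tree against a manifest taken from the live source.

    Returns the relative paths that are missing from the backup, present but
    with a different digest (truncated, corrupted, or overwritten in place),
    and those that match the source exactly.
    """
    report: dict[str, list[str]] = {"missing": [], "modified": [], "ok": []}
    for rel_path, expected in manifest.items():
        candidate = backup_root / rel_path
        if not candidate.is_file():
            report["missing"].append(rel_path)
        elif sha256_file(candidate) != expected:
            report["modified"].append(rel_path)
        else:
            report["ok"].append(rel_path)
    return report


def backup_is_complete(report: dict[str, list[str]]) -> bool:
    """True only when every file in the manifest is present and unchanged."""
    return not report["missing"] and not report["modified"]


def run_demo() -> dict[str, list[str]]:
    """Constructed scenario (assumed file names): a three-file source tree and a
    backup copy with one file missing and one corrupted. Returns the report."""
    with tempfile.TemporaryDirectory() as tmp:
        source = Path(tmp) / "source"
        backup = Path(tmp) / "backup"
        (source / "records").mkdir(parents=True)
        (source / "records" / "permits.csv").write_text("id,applicant\n1,ACME\n")
        (source / "records" / "payroll.csv").write_text("id,name\n7,J. Doe\n")
        (source / "config.ini").write_text("[server]\nport=8080\n")

        manifest = build_manifest(source)  # taken from the live source before copying
        shutil.copytree(source, backup)

        # Constructed failure modes: one file never made it into the backup,
        # another was overwritten after the copy (same length, different bytes).
        (backup / "records" / "payroll.csv").unlink()
        (backup / "config.ini").write_bytes(b"#" * len("[server]\nport=8080\n"))

        return verify_backup(manifest, backup)


if __name__ == "__main__":
    result = run_demo()
    print("complete" if backup_is_complete(result) else "INCOMPLETE", result)
```

The point of the check is the order of operations: the manifest is taken from the live system and kept apart from the backup, so a backup that is silently short a file, or whose contents were changed after the copy, fails verification while there is still time to fix it rather than on the day the decision to pay or not to pay is being made.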