To pay or not to pay a ransomware demand?
Baltimore Mayor Jack Young has announced that the US Conference of Mayors (USCM) passed a resolution calling on mayors to oppose the payment of ransomware attackers. The resolution states that “at least 170 county, city or state government systems have experienced a ransomware attack since 2013” with 22 of those occurring in 2019 so far.
One of those cities is Young’s own Baltimore, which was crippled by a Robbinhood ransomware attack on May 7, causing well more than a month’s worth of turmoil and city service outages that brought down real estate sales in the city and ultimately cost $18 million (€16 million) and counting in recovery costs and lost revenues. Baltimore applied for federal disaster funds, and the city’s IT chief publicly apologized for doing a “poor job” of communicating in the wake of the attack. Mayor Young and IT experts say it will still be months before Baltimore’s systems are fully functional.
Baltimore’s ransomware disaster could have theoretically been minimized if the city had paid the hacker’s initial ransom demand of what was then about $76,000 (€68,000) in bitcoin, less than 1% of the ultimate cost of the attack. At least two other cities recently hit by ransomware made their own calculations and decided to do just that.
The city of Riviera Beach, Florida, with a population of 35,000, was infected on May 29 by what is likely Ryuk ransomware. The city agreed to pay the attackers 65 bitcoins, worth around $600,000 (€534,000) at the time, to restore their network, although insurance picked up most of the tab, leaving Riviera Beach with a $25,000 (€22,000) deductible.
On June 10, the city of Lake City, Florida, with a population of only 12,000, was hit by so-called Triple Threat ransomware, an attack that combines the Emotet and TrickBot banking Trojans to deliver Ryuk ransomware. As was the case with Riviera Beach, Lake City concluded it was just easier to pay the hackers and agreed to pay 42 bitcoins, worth about $460,000 (€409,000), to get its paralyzed systems up and running again, although insurance covered all but $10,000 (€9,000) of that expense.
Riviera Beach and Lake City are not alone in deciding to bite the bullet and pay attackers rather than slog through the weeks or months of perhaps prohibitively costly remediation and system rebuilds often needed in the wake of ransomware attacks. Research by SentinelOne shows that about 45% of organisations pay at least one ransom when hit by ransomware attacks, and stories abound of some major organizations making room in their annual budgets to buy bitcoin to pay off attackers.
When to pay ransomware? Never, says FBI
Given what appears to be a schism not only among cities but among organizations of all stripes, the question arises: when does it make sense to pay the ransom? According to the FBI and most cybersecurity experts, no one should ever pay ransomware attackers. Giving in to the attackers’ demands only rewards them for their malicious deeds and breeds more attacks, they say.
“The FBI encourages victims to not pay a hacker’s extortion demands,” the FBI says in an email to CSO. “The payment of extortion demands encourages continued criminal activity, leads to other victimisations, and can be used to facilitate additional serious crimes.”
Jim Trainor, who formerly led the Cyber Division at FBI Headquarters and is now a senior vice president in the Cyber Solutions Group at risk management and insurance brokerage firm Aon, agrees. Trainor, who spent a fair amount of time dealing with ransomware attacks while he was in the Bureau, said his position has not changed. “I would recommend that people not pay the ransom. It’s extremely problematic,” he tells CSO.
Proper backups diminish need to pay ransom
He conceded that making the determination to pay or not pay the attackers is ultimately a business decision, one that almost always hinges on whether the victim has access to adequate backups. “The principal reason why people pay the ransom is that they do not have a safe and secure separate backup, meaning that they have no alternatives. I think one of the bigger problems that companies have is that they haven’t really tested this type of scenario.”
The lack of adequate backups was the case with Lake City. Although Lake City had backups, they were on the same system that the ransomware infected and were therefore inaccessible.
Ransomware victims should work with authorities
Regardless of the decision, “I would highly encourage a victim of a ransomware attack to work with the FBI and report the incident,” Trainor said. “They’re a victim of a crime and there are resources the FBI can provide in support of that.” With their knowledge of the threat actor, the FBI can provide “tools that facilitate the remediation of an event. It’s not like the FBI is going to charge them. It’s free labour.”
Moreover, “there’s intelligence that can be gathered about who’s conducting these activities and ultimately it’s in every company’s best interest to share that intelligence with the Bureau so they can ultimately apprehend the individuals that are responsible for conducting those activities.”
The FBI agrees. “The FBI strongly encourages businesses to contact their local FBI field office upon discovery of a ransomware infection and to file a detailed complaint at www.ic3.gov,” they tell CSO in a statement.
Good cyber hygiene practices
The real solution to the “pay versus not pay” dilemma is to maintain good security hygiene and system health practices in the first place so that the consequences of an attack aren’t so high and remediation is far easier. “Ultimately I use healthcare as kind of an analogy. You can eat well, go to the doctor regularly, exercise and all that stuff,” Trainor said. It all comes down to “how healthy do you want to be?”
Maintaining good security habits is the best way to deal with ransomware attacks, according to the FBI. “The best approach is to focus on defense in depth and have several layers of security as there is no single method to prevent compromise or exploitation,” they tell CSO. “The main thrust of the FBI’s ransomware outreach program is to inform the public that most ransomware can be prevented by taking steps such as updating your operating system to the latest version and shortening your patch cycles, using multi-factor authentication and complex unique passwords for each login, and disabling any unnecessary network services. Similarly, the cost imposed by ransomware can be abated by maintaining offline backups of any critical data.”
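The Lake City failure described above (backups stored on the same system the ransomware encrypted) and the FBI’s advice to keep offline copies and actually test the scenario can be turned into a small restore drill. The following is an added example, not code from the article, the FBI or any of the organisations named; the storage classes, the file names and the sample data are constructed for illustration.

```python
import hashlib
import os
import shutil
import tempfile
from dataclasses import dataclass

# Constructed storage classes: where a backup copy physically lives.
SAME_HOST, ONLINE_SHARE, OFFLINE = "same_host", "online_share", "offline"

@dataclass
class BackupCopy:
    name: str
    storage: str   # one of the three classes above
    path: str      # file holding this copy's bytes (temp files in the demo)

def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def reachable_from_host(copy):
    # Anything the production host can write to, ransomware running on that
    # host can encrypt; only offline/immutable copies are out of its reach.
    return copy.storage != OFFLINE

def restore_drill(copy, expected_sha256):
    # Restore into scratch space and verify the hash, as a real drill would.
    with tempfile.TemporaryDirectory() as scratch:
        restored = os.path.join(scratch, "restored.bin")
        shutil.copyfile(copy.path, restored)
        return sha256_file(restored) == expected_sha256

def usable_after_compromise(copies, expected_sha256):
    """Names of copies that are isolated from the host AND restore correctly."""
    return [c.name for c in copies
            if not reachable_from_host(c) and restore_drill(c, expected_sha256)]

def simulate_lake_city_scenario():
    """Constructed scenario: two copies of one file, then the host is 'encrypted'."""
    workdir = tempfile.mkdtemp()
    data = b"constructed sample of critical city records\n" * 64
    expected = hashlib.sha256(data).hexdigest()
    copies = []
    for name, storage in (("local_disk", SAME_HOST), ("offline_tape", OFFLINE)):
        path = os.path.join(workdir, name + ".bak")
        with open(path, "wb") as f:
            f.write(data)
        copies.append(BackupCopy(name, storage, path))
    # Ransomware on the host overwrites every copy the host can reach.
    for c in copies:
        if reachable_from_host(c):
            with open(c.path, "wb") as f:
                f.write(os.urandom(len(data)))
    return {"restorable": {c.name: restore_drill(c, expected) for c in copies},
            "usable": usable_after_compromise(copies, expected)}
```

Running the drill before an incident, rather than after, is the point: a copy that is reachable from the production host fails the check even though it restored fine the day before.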
In the meantime, organisations of all stripes, whether governments or private businesses, can take steps to prepare their responses before ransomware attacks hit. “You should have a prior existing relationship with the bureau as well as with cybersecurity firms. You should know the local offices in the FBI,” Trainor said. “And then when an event does happen, you’re going to need your internal teams” to be prepped for just such an event.
Even when organisations do pay the ransom, there’s no guarantee they will get their encrypted data back. “Paying a ransom does not guarantee the victim will regain access to their data,” according to the FBI.
“There’s been a handful of ransomware attacks where the coding was so bad that the [encryption] key still didn’t work,” Trainor says. “In most instances they do, but there is an absolute risk.”