Special Reports
A special report is content that is edited and produced by the special reports unit within The Irish Times Content Studio. It is supported by advertisers who may contribute to the report but do not have editorial control.

Open for negotiation

Is it right in any circumstances to negotiate with cybercriminals and pay a ransom?

To pay or not to pay, that’s the question every ransomware victim has to ask themselves. And they’ve been asking it for a very long time. Ransomware, the malicious software that locks people out of their computer systems and data, has been around for longer than the worldwide web. The first recorded instance was the PC Cyborg trojan horse attack, and it dates back to 1989.

The first thing to address is the ethical issue. Is it right in any circumstances to negotiate with cybercriminals and pay a ransom? The short, trite answer is no. Then again, how many times have we heard governments proclaim that they will never negotiate with terrorists, only to find that they have been negotiating with them all along?

But there is a moral issue facing organisations who choose to pay a ransom. What happens to the money after they hand it over?

“What are the cybercriminals using the money for?” asks David McNamara, chief executive of cybersecurity specialist firm Commsec. “Is it to finance terrorism? Is it to fund other criminal activity? There are implications down the line. You could be putting people’s lives at risk by paying a ransom.”

There is also the not so small matter of legality to take into account. A ruling by the US Department of Treasury’s Office of Foreign Assets Control (OFAC) and the Financial Crimes Enforcement Network (FinCEN) declared it illegal to pay a ransom in the majority of cases. And OFAC made it clear that the logic behind the ruling was that by paying ransoms, organisations are enabling criminals to continue their attacks and other activities.

And just last month, the UK’s National Cyber Security Centre (NCSC) and the Information Commissioner’s Office (ICO) warned lawyers not to advise clients to pay a ransom to cybercriminals. In a letter to UK lawyers the two regulators reminded lawyers that they do not condone in any way the payment of ransoms. The letter also highlighted the legal hazards which organisations may encounter if ransom payments end up in the hands of individuals or groups located in Russia or other sanctioned regimes.

“The starting position is that the answer should be no,” advises Puneet Kukreja, partner and head of cyber security with EY Ireland. “Ransoms should not be paid, and law enforcement should be involved early on. Organisations should ask for assistance from law enforcement, and there are many agencies who can help.”

Of course, executives faced with a catastrophic loss of data and possibly the total loss of their business can be forgiven for putting moral questions to one side, at least momentarily. Their priority is to get the business up and running again as quickly as possible.

That’s where the more practical issues come into play. Ireland’s National Cyber Security Centre (NCSC) advises organisations not to pay a ransom for those practical reasons as well as for ethical considerations.

The first is the fact that there is no guarantee that the payment of the ransom will actually result in the systems or data being unlocked.

McNamara agrees. “There is no guarantee that you will get your data back. And if you do get it back it might be corrupted or infected with other malware.”

The second is the very real risk that by paying a ransom once, an organisation will earn itself a reputation for being willing to pay and will open itself to further attacks.

“There is no guarantee that you will be left alone,” says Kukreja. “In the majority of instances, the research shows that organisations continue to get hit. If you pay once, why won’t you pay the next time?”

“The criminals might also put the price up and keep pushing on that door once you start negotiating,” McNamara adds.

And then there is the threat of the double ransom. A feature of many ransomware attacks is the exfiltration of data. The criminals start by demanding a ransom to unlock the system and, once that is paid, demand a further payment to return the data they have stolen. And there is no guarantee that the criminals haven’t kept a copy of the data for sale on to other malevolent actors.

Those are all the reasons why you shouldn’t negotiate or pay a ransom, but what happens in the instance where the organisation feels it simply has no alternative? The general advice from consultants in the space is for organisations to involve their insurance company. Insurers may well have experience of dealing with such situations, or have contracts with others who do and can handle the matter on behalf of clients.

Preparation is key to avoiding such situations, according to Kukreja. “There are multiple playbooks but it’s a fairly simple scenario from where I’m sitting. It breaks down to very simple things. People make out that cyber is complex, it’s not complex. It’s about awareness and being prepared. What do you need to be aware of and what do you need to be prepared for? I would argue that cyber awareness and cyber war games should be as important as an organisation’s CSR agenda. It’s about safeguarding employees and customers.”

That means having secure backups of data, kept separate from the systems they protect, and having detailed incident response plans ready to put into action when a breach occurs.

“Our strong advice is do not negotiate and do not pay a ransom,” says McNamara. “If you have cyber insurance, contact the insurance company. They have deals with companies like Commsec who can carry out a forensic examination of what has happened and help the company with its response.”

Barry McCall

Barry McCall is a contributor to The Irish Times