This year has been marked by an upsurge in ransomware attacks such as Ryuk or Robinhood hitting private and public organisations. Often understaffed and under-resourced, they face a dilemma: to pay or not to pay? It is a choice involving technical, ethical, legal, security and financial issues.
Is It Illegal To Pay A Ransom Demand To Stop A Ransomware-Type Computer Attack?
Strange as it may seem, there is nothing illegal about paying the ransom demanded by ransomware, even though encrypting a third party’s data without their consent and demanding a ransom are criminal offences. Perhaps the best way to curb this epidemic of ransomware attacks would be to prohibit companies from paying the ransoms demanded. If paying were simply outlawed, cybercriminals, who are only interested in profit, would probably turn to other, more lucrative activities.
Prohibiting the payment of ransoms demanded in ransomware attacks is a principle that may seem attractive at first glance, but the problem lies in its implementation. Listed companies have legal obligations to their shareholders, as do public utilities. A law that would sentence companies to fines, or even their staff to imprisonment, would be questionable and probably difficult to enforce.
Is It Safe To Pay A Ransom Demand?
Even if the legal ins and outs are under some control, the question “Should we pay or not?” raises other issues, because it exerts real and tangible pressure, pushing the company or public service towards a choice that could save it several million euros, or spare it the unavailability of an essential service for several weeks.
However, nothing guarantees that cybercriminals will keep their side of the bargain, and this factor must be weighed in any decision. Sometimes there are not even any decryption keys, or the ransomware authors give no further sign of life once the ransom has been paid. That is more or less what happened with WannaCry. In the panic caused by the spread of that worm, some victims did receive decryption keys for the funds they paid, but many others never heard from their extortionists again, or the key pair between the victim and the server did not match, making it impossible for the user to decrypt anything.
Another element to reflect on is the extent to which complying with the cybercriminals’ demands will penalise a company beyond the attack in question. Will paying the ransom damage its reputation? Will other attackers, or even the same ones, now consider it an easy target and try to repeat their attacks? Will new attacks be directed against companies or public services that have a professional link with the victim? Will giving in to blackmail generate long-term effects even more damaging than the immediate consequences this action is supposed to remedy?
No Payment And Then?
If a company decides not to pay the ransom, it is left with all of its files encrypted. Depending on the ransomware infection, it is possible that a decryptor already exists for the strain in question; it is much less likely, but not impossible, that a team of analysts can find a way to decrypt the files. A good deal of ransomware is poorly programmed and poorly implemented, and sometimes the data is not as completely lost as it may seem at first glance. These are points to consider when assessing the course of action to take in response to a ransomware attack.
It is also necessary to consider the backup and restoration options. The example of the Danish shipping and logistics giant Maersk, targeted by the NotPetya attack, highlights how important it is to be able to restore the entire infrastructure quickly from a backup. The most instructive lesson for Maersk (and for the industry) is that it owes its recovery to a happy coincidence: the only domain controller spared by the attack had been hit by a power failure on the local network where it was installed. Without this fortunate coincidence, it would have taken much longer to rebuild its entire infrastructure after the simultaneous destruction of 50,000 devices and several thousand applications.
While some praise the feat of recovering at all, others point out that this incident had cost Maersk more than half a billion dollars six months after the fact. While backup and recovery tools are essential, they cannot under any circumstances serve as the foundation of a strategy to eradicate ransomware attacks.
If a company has neither backups nor disaster recovery software, it will have to fend for itself and rebuild its data, its services and perhaps its reputation from scratch. In this kind of scenario, it is advisable to play the transparency card, admit its negligence, draw the right lessons, and keep its head up by refusing to pay for criminal acts.
What Will Happen With Payment?
Paying may involve more uncertainty than not paying. When a company chooses not to respond to a ransom demand, it keeps control over the sequence of events. By handing the cybercriminal the demanded sum, whatever its amount, the company depends on his goodwill until he provides a usable decryption key.
Some tactics – such as asking for “proof of life” by having part of the environment decrypted before payment, or negotiating payment terms (50% immediately and 50% once the environment is decrypted, for example) – can sometimes work.
Ransoms are paid in bitcoin, a cryptocurrency that is far from anonymous or untraceable. File a complaint with the police and give them the wallet references and all the details of the payment. International law enforcement agencies can trace the transfers back to their beneficiaries.
But What Is The Procedure Then?
A sensible company will understand that investment is urgently needed, not only to identify the vector of this attack but also all the other vulnerabilities, and to deploy a comprehensive cybersecurity solution that can block future ransomware attacks. Given all the costs to bear, whether or not the ransom is paid, it is tempting to prefer the easy way over rigorous management of the problem, at the risk of leaving flaws that other attackers could exploit. It is a matter of balancing the necessary rapid recovery of activity against the multiple risks incurred:
- Backdoors left on the systems by the attackers without the users’ knowledge.
- Partial data recovery (knowing that on some systems no restoration will be possible at all).
- Non-recovery of data after payment (sometimes, though rarely, the decryption key provided is useless or, worse, is never sent).
Finally, it should be noted that some companies that appear to have been repeatedly victimised by the same actors have probably only been targeted once, with the payloads triggered in waves. Experience is a remarkable asset in such scenarios, and “knowing the enemy” can make all the difference.
In conclusion, whichever option is chosen – to pay or not – it is essential to inform the competent law enforcement authorities.