Those who follow security news may have noticed a disturbing trend. Late last year, we learned that Uber paid attackers US$100,000 to keep under wraps their theft of the personal information of 50 million Uber riders. More recently, we learned that Hancock Health paid approximately $55,000 in bitcoin to bring hospital systems back online.
While these headlines certainly are attention-grabbing, the payment of ransoms is potentially even more common than it might appear on the surface. We know, for example — from watching the transactions occurring in the bitcoin wallet used as a payment repository for WannaCry — that the attackers behind that event made about $140,000 in total from their attacks.
We've seen surveys, such as a 2016 survey from IBM that found that 70 percent of businesses impacted by ransomware paid the criminals.
We've seen articles in the trade press about organizations stockpiling cryptocurrency in the event of ransomware — and, in some cases, explicit instructions from some in the security community about how to do so.
From this, a nascent trend is apparent: Organizations are paying attackers. They are paying them in high-dollar one-off transactions to keep quiet or recover from individual attacks — and they are paying them in "low and slow" smaller amounts from multiple sources that add up in aggregate.
There are a few reasons why this is undesirable, both for the industry generally and for the organizations doing the paying. However, these downsides can be hard to see when the pressure is on to recover from a specific event.
It's human nature to want to pay and just have the problem go away (as someone might perceive it) — but in this case, giving in to human nature may not be in the organization's long-term best interest.
With this in mind, it is important for practitioners to know the downsides to paying an attacker in this way, and what they can do now to steer the conversation the way they want it to go when faced with an actual attack scenario.
Why Not Just Pay It?
It is a natural reaction to be tempted to pay. It is, in fact, human nature. After all, consider that a ransomware event or breach can have dire ramifications in a few different ways (financial and otherwise).
For a hospital or health system, for example, accessing clinical applications can be a matter of literal life and death, as inability to access certain clinical systems or patient data can compromise patient care (and thereby potentially patient health and safety).
Even when life or death isn't directly at stake, though, the idea that "if we just pay, the problem will just go away" can be compelling when weighed against months — or in some cases, years — of negative press coverage, heightened regulatory scrutiny, public breach disclosure, possible lawsuits, and dozens of other negative outcomes.
There are a few things you should consider, however, if you're thinking payment is the easy way out.
First, law enforcement agencies generally recommend against it. Their logic is sound: there's no guarantee that the attacker will follow through, and paying sets you up for future attacks. In other words, it's possible that after paying the attacker, you'll get nothing in return. Further, by paying the ransom, you'll make yourself known as a soft target — one that is profitable to exploit — so when the attackers go looking for a firm to target in their next campaign, chances are good you'll be at the top of the list.
Beyond these reasons, there are other potential long-term impacts associated with payment of a ransom or payment to hide attacker activity — such as the potential negative marketing and bad press associated with the public learning about it.
Both Uber and Hancock (the examples cited above) have been covered in the press (in unflattering terms) based on such payments.
Likewise, there are many security-minded folks out there who likely will use public knowledge of payment to an attacker as part of their decision-making about the services they use (that is, they might look to your competitors if they feel you're not a responsible steward of their data). So, while it is human nature to find payment compelling (this is a main reason underlying attackers' methods), it is almost never the optimal path.
Closing the Door
Many practitioners will tell you to apply the "just say no" principle to the question of payment vs. nonpayment. This is a bit shortsighted, however, and it doesn't account for either nuance or human nature.
Believe it or not, not paying — or maybe better stated "closing the door on the possibility of payment" — takes some planning.
For example, consider the hospital example cited earlier. If patients' lives are on the line because of inability to access a given system, is arguing that "nonpayment is the way to go" the responsible path? It isn't. Safety in that case (i.e., saving a life) trumps all else. In a situation like that, "just say no" is as ineffective as it is trite.
Instead, the most effective way to approach this is to do the planning, discussion and arguing now, so that you are prepared if an actual event should occur. The specifics of what you'll cover likely will vary from one organization to the next. At a minimum, though, they should cover two distinct areas.
First, you should prepare for the discussions about payment vs. nonpayment. An effective way to defuse controversy in advance of an actual attack scenario is to conduct a tabletop planning exercise that involves all the personnel (including management) who will participate during an actual event.
Invariably, in the course of tabletop planning or a dry run, someone will suggest payment; if they don't, deliberately introduce it. This lets you introduce the concept of payment vs. nonpayment, butt heads about it now (the discussion is often contentious), and come to a resolution about the response path prior to the actual event occurring.
Second, you should look for and plan around pressure points that might occur. For example, in the context of a hospital or health system, you might wish to bolster business continuity and resumption efforts now so that you won't be in the position where payment to an attacker is the only way to ensure patient safety. The point is, you'll want to think these areas through carefully now to head the issue off at the pass.
None of this is exactly rocket science. However, judging by the trends that we're seeing in the behavior of organizations paying attackers, these are useful questions and strategies for security pros to revisit with their teams and with their organizations.
Ed Moyle is Director of Thought Leadership and Research for ISACA. His extensive background in computer security includes experience in forensics, application penetration testing, information security audit and secure solutions development.