Although it's clear that cyberattacks of all kinds are on the rise in the U.S. and around the world, one threat in particular has shown a massive uptick: ransomware. Trouble is, ransomware is a particularly dangerous take on an age-old criminal tactic — taking something extremely valuable from someone and asking money in exchange for its safe return.

In practice, ransomware attacks are similar to old-school ransoms or kidnappings, except that they take place exclusively digitally, and usually target corporations or government agencies. What's worse, 2021 was a landmark year for ransomware, with the incidence of such attacks climbing 105% during the year.[1]

Ransomware attacks carefully infiltrate an organization's systems until they have full control of a number of networks or servers that the hackers believe the organization cannot live without. Then, the attackers contact the victim and demand payment for the safe return of their files or access to their systems.

Just like a physical ransom, these situations can go many different ways. Sometimes the criminals actually intend to return the material to the organization unharmed, as long as you pay the price. Other times, companies pay the ransom, only to find themselves double or even triple extorted. Deciding whether to make these payments can be incredibly stressful for executives, especially because the impersonal nature of encrypted internet communication makes it nigh impossible for the companies to verify whether the ransomers actually intend to hand over their stolen goods.

But there's more that goes into paying a ransom than that. Most experts recommend not paying a ransom at all and resorting to other measures entirely. However, if your company does intend to pay out a ransom, it can get complicated. Quickly.

As ransomware events continue to garner headlines, organizations have made more deliberate efforts to steel themselves from the effects. We believe the insurance community has played a pivotal role in moving the needle for organizations to take their information security defenses more seriously. If they want cyber insurance coverage, they have to comply with minimum standards — which are far more in-depth than before.

Steve Robinson, RPS national Cyber practice leader

Deciding Whether to Pay a Ransomware Demand

There are multiple factors to consider before paying a ransom. The first and most important question is often whether the stolen material is absolutely critical to your day-to-day operations.

If it is, your organization has likely made a few mistakes already, even before cyber thieves hacked into your servers. To avoid situations like this altogether, it's critical to have off-site backup servers for all the critical data that your organization cannot run without. Having a backup makes it far harder for attackers to put you in this position.

Of course, there are plenty of examples of situations where the company did everything right and still ended up over a barrel. If the hackers were clever enough to take over a fundamentally irreplaceable system that can't be switched out in the timeframe necessary to keep the business running, then you'll be faced with the same issues.

The other question to consider when deciding whether to pay a ransom is the ethical viability of what you're doing. Experts and government officials strongly contend that paying ransoms funds further criminal activity and actively encourages future ransomware attacks on the global community. Paying out to hackers "creates a collective action problem," said Betsy Cooper, director of Aspen Tech Policy Hub at the Aspen Institute.[2] "The bad guys win so they'll go out and hit someone else."

But there is one further problem to keep in mind when considering paying out a ransom: the legality of doing so.

The days of denial of service ransomware involving botnets and demands of hundreds or thousands of dollars are long gone. Today’s ransomware attacker is more targeted and sophisticated. It’s no longer someone sitting in their basement waiting to see how many random companies will respond to their threat.

Dillon Behr, RPS area vice president

Can the Government Stop You from Paying a Ransom Demand?

Different government agencies have had different things to say about paying ransoms.

The U.S. Cybersecurity and Infrastructure Security Agency strongly recommends against paying ransoms to hackers, but does not appear to prohibit it. However, in September 2021, the Treasury Department's Office of Foreign Assets Control (OFAC) updated its official advisory on the sanctions risk to companies that pay ransoms. The updated advisory forbids paying ransoms to "... individuals or entities ("persons") on OFAC's Specially Designated Nationals and Blocked Persons List (SDN List), other blocked persons, and those covered by comprehensive country or region embargoes (e.g., Cuba, the Crimea region of Ukraine, Iran, North Korea, and Syria)."[3]

The agency has also made it clear that being ignorant of the identity of the party your organization is paying does not give you immunity from sanctions or prosecution, which makes things a little tricky. While it's unlikely that the party attacking you will offer up their identity, some larger hacking groups do claim responsibility for attacks. If you find yourself in this situation, it's worth checking the SDN List.[4]

If the identity of the hackers isn't revealed to you, and you're still seriously considering paying the ransom, it's worth noting that it might be just as difficult for the government to discover the hacker group's identity as it is for you. But if you're this deep in a ransomware situation, you should have a good cybersecurity attorney who can help you make these difficult decisions.

Paying the Ransom

While there are plenty of good reasons not to, some companies still end up deciding to attempt paying the ransom. If you do, keep a few things in mind.

Most ransomware payments are requested in Bitcoin, as it's relatively easy to make cryptocurrency transfers untraceable, and the transactions are irreversible. However, buying and transferring large amounts of Bitcoin can be trickier than you might think.

Many casual crypto trading websites limit the amount of Bitcoin that you can buy at one time, so don't assume that you can simply log on and press a button. While it's possible to buy large amounts of the currency quickly, it takes a little time and research.

When actually transferring the currency, it's a good idea to have a trained cybersecurity team on your side, helping you transfer the required amount in increments so you can gauge whether the hackers intend to give back the data. It's hard to imagine a situation where you would agree to hand over the entire ransom amount in a single transaction. Take it slowly and use any methods that you can to determine that both parties are acting in good faith.

The bottom line is that paying a ransom is extremely risky and doesn't guarantee you get your data back. Even if you do get it all back, the hackers have probably had plenty of opportunities to play all sorts of other nasty tricks on you. There are plenty of well-documented cases of hackers slipping malware into the decryption keys or tools for which the organization pays thousands of dollars. That malware can easily slip into your systems, giving the hackers even greater access and the opportunity to run the whole strategy again.

Only pay a ransom if your organization has professional legal and technological counsel on deck to direct the process every step of the way. Take great care and try to avoid getting into this situation at all costs.

Sources

[1] "2022 SonicWall Cyber Threat Report Mid-Year Update," SonicWall, accessed 6 Sept 2022.

[2] Hart, Kim. "The New Digital Extortion," Axios, 17 May 2022.

[3] U.S. Department of the Treasury's Office of Foreign Assets Control, "Updated Advisory on Potential Sanctions Risks for Facilitating Ransomware Payments," The Department of the Treasury, 21 Sept 2021. PDF file.

[4] U.S. Department of the Treasury's Office of Foreign Assets Control, "Sanctions List Search," The Department of the Treasury, accessed 6 Sept 2022.