Answers to Tough Ransomware Questions
Ransomware is pretty bad right now. After years of successfully shutting down tens of thousands of victim companies, hospitals, school systems, law enforcement offices, and even entire cities, ransomware damage got even worse starting in 2019 and accelerating through 2020 and beyond. No longer content to just encrypt files and folders, ransomware gangs now often exfiltrate confidential data (70% of the time and growing) (https://www.coveware.com/blog/ransomware-marketplace-report-q4-2020#exfil), steal employee and customer personal passwords, attack employees and customers of the original victim organization, spear phish business partners, and publicly shame victims.
If you are not familiar with the revised, increased tactics of the latest ransomware, I recommend you watch my Nuclear Ransomware (https://info.knowbe4.com/nuclear-ransomware) webinar. The days of a good backup saving a victim organization are mostly over. The percentage of victims paying the ransom and the amount of ransom paid per event are both up significantly as compared to prior years.
Answers to Tough Questions
I get asked the following questions about ransomware on a fairly regular basis. There is not a definite right or wrong answer to these questions, but I decided to provide my personal opinion to each.
Disclaimer: This article is the personal opinion of the author and not of his employer(s) and is absolutely not legal advice. All people and organizations should consult with senior management and/or legal counsel to determine how they respond to a ransomware incident for any involved decision or action. Inappropriate actions and decisions could lead to operational, financial, legal, and tax implications.
Should You Pay the Ransom?
Easily the most asked question anyone in the anti-ransomware industry gets is whether a victim should pay the ransom. There are a lot of complexities that go into deciding whether a victim should or should not pay. The percentage of victims who pay ranges from about 40% to 80% or more, depending on the time period in question and the organization and survey involved. But in general, more victims are paying the ransom than not, and the percentage paying is usually over 50%.
From a purely theoretical point of view, the answer would always be, “No”. Paying a ransomware demand only encourages more attacks, which hurts everyone more in the aggregate. But the majority of victims are usually paying regardless of any individual decision, and if the majority are paying most of the time, then your personal stance won’t change that part of the equation much.
But before the ethical question, the first critical decision point is whether you must pay the ransom to get back your data. If you do not have reliable backups ready to restore, you cannot easily rebuild the systems and data, and you need the systems and data to avoid financial ruin, the answer will strongly lean in the affirmative direction. I do know of some companies that had good backups ready to restore, but decided to pay the ransom because of timing. It turns out that restoring dozens to hundreds of systems is a time-consuming process. Many companies initially decided not to pay the ransom, got out their backups, tried one, and found out from the time needed for that first restore alone that it would take weeks or longer to do all the data restorations.
If the attackers have exfiltrated data, intellectual property, or other content that would be ruinous to be seen by outsiders, then the answer will lean in the affirmative direction. Data exfiltration and the long-term competitive, financial, and reputational harm it could cause if shared with unauthorized others is a strong incentive to pay a ransom.
Here is what the experts say about paying the ransom: It is a business decision. If paying the ransom gets you back up and running faster and with less overall damage than the financial cost of paying the ransom, then it often makes good business sense to pay the ransom. In most cases, paying the ransom means you will be back up and running sooner. There is a lot of recovery work to do either way, but most organizations that pay the ransom get back up and running sooner than those that did not.
I know of organizations and leaders, many of whom I respect, who decided for risk and ethical reasons not to pay the ransom. Some did not even have good backups, but decided that they personally and morally (and risk-wise) would not pay the ransom. Some of them got back up and working in days. Some were not fully operational for weeks to months. I know many organizations and cities that decided not to pay the ransom and were still not up and running at 100% capacity many months (and some, over a year) later. I am not sure if I would call that a success. I am not sure all the people involved, who originally supported that decision not to pay the ransom, would still support the decision today.
On top of that, when you do not pay the ransom, you have given the ransomware gang extra incentive to hit you again. If you do not pay the ransom, you need to double down on your cybersecurity defense efforts to prevent another attack. The world is full of thousands of organizations that did not pay the ransom, suffered the pain of the restoration process, only to be hit again by the same ransomware gang weeks to months later, and this time the damage and the requested ransom were worse.
Note: If you have cybersecurity insurance, which I highly recommend, determine ahead of time who gets to decide whether the ransom is paid: you or the insurance company.
Do Ransomware Gangs Hit the Same Victim Twice?
Not if you paid the ransom, most of the time. It is to the ransomware gang’s personal advantage to honor their word and not to attack the same company that already paid the ransom once. If victims thought that the ransomware gangs would just attack them again, they would never pay the ransom. There are a lot of victims for a ransomware gang to hit, they do not need to attack the same people twice.
Now, that does not mean that no ransomware gang ever hits the same paying victim twice. It does happen. But it is a very small minority of cases by a few minor ransomware players. I know of people who have been involved in over 10,000 ransomware cases and they say they have never personally handled a case where the same ransomware gang hit the same victim after they had paid the ransom.
John McMullen, of Mullen Coughlin, LLC, is one such person. He told me, “Threat actors have hit the same victim twice, but it’s a rarity. When it does happen, it’s generally because the victim didn’t handle the first event properly.” John said that not only are rogue ransomware gangs to be blamed, but even more so, it is because of the poor handling by the incident responders. He said that he has heard of many adverse events due to people not experienced in ransomware recovery and negotiations making mistakes. This tells me that if you have a ransomware event, make sure your technological partners are very experienced in ransomware recovery. A ransomware event is not the time to allow your trusted, but inexperienced technology partner to start gaining experience.
If you have decided that you might, or are going to, pay the ransom, make sure you know what you are going to get for paying it. Make the ransomware gang prove they have decryption keys that will unlock your data. Many times, your data and servers will be locked up by multiple encryption keys, and the ransomware gang provides one of the keys as proof that they hold the decryption keys and as a good faith example that the keys work. There are cases where the real decryption keys, once provided, do not work or work poorly. That should affect your negotiations and whether you pay at all. It is a minority of cases, but you want proof that the ransomware gang you are dealing with has your decryption keys and that the decryption process is actually useful to you. Nothing would be worse than paying the ransom, getting the “legitimate” decryption keys, and then finding out that they were useless and you had to do a recovery as if you had not paid.
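One way to turn the “make them prove the keys work” advice into a repeatable check is to run the supplied decryptor on a sample of files from every group that may have been encrypted under a different key (per host, share, or extension) and verify that each group’s output actually looks like plaintext. The script below is an added example, not code from the article or from KnowBe4; the file signatures, entropy threshold, and sample data are constructed assumptions, and any decryptor is assumed to be run separately with its input and output bytes fed in here.

```python
import math
from collections import Counter

# Constructed list of common file signatures (magic bytes) for recognisable plaintext.
MAGIC_BYTES = {
    b"%PDF-": "pdf",
    b"PK\x03\x04": "zip/docx/xlsx",
    b"\x89PNG\r\n\x1a\n": "png",
    b"\xff\xd8\xff": "jpeg",
}

def shannon_entropy(data: bytes) -> float:
    """Entropy in bits per byte. Ciphertext sits near 8.0; most documents sit well below."""
    if not data:
        return 0.0
    total = len(data)
    return -sum((c / total) * math.log2(c / total) for c in Counter(data).values())

def looks_decrypted(data: bytes, entropy_limit: float = 7.5) -> bool:
    """Heuristic check that a decryptor's output is plausible plaintext:
    either a known file signature or entropy clearly below ciphertext level.
    Empty output is never accepted as a successful decryption."""
    if not data:
        return False
    if any(data.startswith(sig) for sig in MAGIC_BYTES):
        return True
    return shannon_entropy(data) < entropy_limit

def validate_decryption_sample(samples):
    """samples: iterable of (group, encrypted_bytes, decrypted_bytes), where group
    is whatever the keys are believed to be split by (host, share, extension).
    Returns {group: {"ok": n, "fail": n}} so every key group is accounted for."""
    results = {}
    for group, before, after in samples:
        tally = results.setdefault(group, {"ok": 0, "fail": 0})
        # A decryptor that returns the input unchanged, or output that still
        # looks like ciphertext, counts as a failure for that group.
        decrypted = after != before and looks_decrypted(after)
        tally["ok" if decrypted else "fail"] += 1
    return results

def groups_needing_proof(results):
    """Groups with any failure: these still lack a working key and should be
    raised with the negotiator before any payment decision is made."""
    return sorted(g for g, t in results.items() if t["fail"] > 0)

if __name__ == "__main__":
    # Constructed sample data: a PDF-like plaintext and high-entropy "ciphertext".
    plain = b"%PDF-1.4\n" + b"hello world\n" * 20
    cipher = bytes(range(256)) * 4
    sample = [
        ("fileserver-1", cipher, plain),   # supplied key worked for this group
        ("fileserver-2", cipher, cipher),  # decryptor left the file untouched
    ]
    res = validate_decryption_sample(sample)
    print(res, groups_needing_proof(res))
```

Feed it one or more files from every host or share you believe is encrypted, not just the sample the gang chose to decrypt for you.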
I have heard of many organizations that paid the ransom to one ransomware gang that ended up getting hit by another ransomware gang. Ransomware gangs never honor commitments from other ransomware gangs. So, make sure you close all the holes that could allow ransomware into your organization.
Doesn’t the FBI Say Not To Pay the Ransom?
Yes, officially the FBI discourages paying the ransom. It is the official advice of the FBI on their website and most of their ransomware-related documents. I have heard many FBI agents, in public talks, also say the FBI does not support paying the ransom. I would expect no less.
But when I have been privy to FBI involvement on actual cases, individual agents become a lot less theoretical and far more practical. They always say it is up to the victim to decide. I have never heard an actual involved FBI agent say otherwise, even if they first lead with the “FBI does not support paying the ransom.” The FBI understands the reality of what is going on, how hard it is to prevent it from happening, and they do not want to be legally liable for causing higher incurred damages and downtime.
Is It Illegal To Pay the Ransom?
It can be, but as far as I know, no victim has ever been charged with a crime, much less convicted, for paying a ransomware ransom, anywhere in the world. But paying a ransom can be a serious legal risk (at least in the US, if not elsewhere). The US government recently warned about the legality of paying ransomware ransoms. You must consider the risk any time you pay a ransom. Your senior management and legal counsel will need to decide whether your ransomware payment creates a potential illegal event. I used to be more flippant in my response to this question, but after talking to more lawyers, none of whom agree with my previous flippant, more liberal responses, all of them tell me that anyone paying a ransom needs to do so with full legal guidance for their particular situation. I now agree. They have convinced me that it needs to be taken seriously.
This particular question started coming up a lot after the end of 2020 because the U.S. Department of the Treasury published an October 2020 statement (https://home.treasury.gov/system/files/126/ofac_ransomware_advisory_10012020_1.pdf) saying paying the ransom could be illegal. If you want to see scary legal language, read this document. If you work in the U.S., regardless of whether you want to be scared or not, you should read this document.
This is a serious U.S. government document stating that your U.S. organization can have serious civil and criminal liability for involvement in paying a ransom. One of the keys to determining legality is whether the ransomware payment will benefit someone sanctioned by the U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC). OFAC has sanctioned several people who have profited from ransomware payments, including, as an example, the developer of the Cryptolocker ransomware program. If your ransomware payment goes to a sanctioned individual, you can be liable.
Note: The U.S. government regularly negotiates and pays ransoms to terrorists and others on the sanctions list, but it has the legal authority to pay a ransom to whomever it wants without incurring legal risk.
Importantly, the Treasury memo cited above lists some key ways to avoid being at risk of criminal prosecution. They recommend making sure that any ransomware response program strongly considers the legal implications of paying a ransom. They even have a framework (https://home.treasury.gov/system/files/126/framework_ofac_cc.pdf) for OFAC compliance commitments. Incorporating OFAC compliance considerations into your ransomware response plan will likely go a long way toward avoiding criminal and civil prosecution.
The Treasury strongly encourages and sees as a good faith effort any organization that quickly contacts law enforcement when they get hit by ransomware. They especially recommend contacting OFAC if you have any questions or are being asked for a ransomware payment. Organizations outside the U.S. should contact their relevant government agencies to ensure they are not held legally liable for paying a ransom.
I don’t know of any victim who has been charged with a crime for paying a ransomware ransom, but one ransomware expert I talked to thinks that eventually some inexperienced, ill-advised victim organization, responding without appropriate due care, may get charged by OFAC for paying a ransom. But he said that would be more because the incident responder handled the response so poorly and did not consider the OFAC risks at all. Do not be that organization. Consider the OFAC risks and consult with your lawyers ahead of time.
Note: There have been people arrested for being involved in paying ransomware, although they were not the original victims. See https://www.tampabay.com/news/business/bitcoin-ransomware-fraudster-anthony-murgio-of-tampa-sentenced-to-prison/2328703/, as an example. But if anyone knows of a victim who was charged for paying a ransomware ransom, please pass it along to me so I can update this posting.
Can You Trust the Ransomware Gangs To Honor Their Word?
Yes, most of the time. Victims will not pay if word gets out that ransomware gangs do not keep their promises. It is not an “honor among thieves” situation. It is self-preservation and greed. Ransomware gangs want to maximize their potential profits and that means keeping their commitments.
You will hear about the odd ransomware gang not doing what they promised, but they are few and far between. It does happen, though. For example, I have heard of ransomware gangs that permanently wiped someone’s data instead of just encrypting it. They claimed to have encrypted it, but they wiped it instead. Or the decryption key, if provided at all, does not work. Some ransomware gangs take the money and run.
It is very important that you understand the history of the ransomware gang you are dealing with. Every ransomware gang has a reputation (good, bad, or otherwise) and experienced ransomware negotiators are familiar with those reputations. Before you negotiate or pay a ransom, make sure the ransomware gang you are dealing with is “trustworthy” and not in the minority of hackers who do not keep their word.
Do Ransomware Gangs Delete the Exfiltrated Data Like They Promised?
This is a tricky one. As discussed above, over 70% of ransomware now exfiltrates confidential data from the victim and threatens to release the data to the public, to competitors, or to hackers, if the ransom is not paid. This threat is largely responsible for the increasing ransomware payments and increasing percentages of ransoms being paid. Most ransomware gangs do not publish the stolen data publicly or to other hackers when the ransom is paid. And conversely, many do follow through with their threat to post it when the ransom is not paid.
I have heard many stories of stolen data being copied outside the victim company, and while it was not “published” in the traditional sense, oftentimes the now-paid ransomware gang carelessly leaves the data wherever they copied it to, which may or may not be accessible to others. They did not intentionally publish or leak the data. They were just lazy. But either way, the stolen data remains available to other unauthorized parties.
It is key to discuss with the ransomware gang how they will assure you that the data is deleted and no longer available to others. Do not just assume it will happen. Discuss with the hackers how important it is to you and your interests that the data be deleted and that you have proof of that deletion. Let them know this assurance is important to you and is a big part of the reason why you are paying. They know this, but by reinforcing the point, you make it more likely they take the time to delete it. Again, if they do not abide by their promise and word gets out that ransomware gangs are not deleting the data even after promising to do so, it is going to cause problems for their business model.
Are You Saying Just To Pay the Ransom?
No. But I am saying that every organization needs to consider ahead of time whether it will or will not be open to paying a ransom, especially after knowing all the potential damage. Ransomware is no longer only about encrypted data and data restores. It is one thing to say you will never pay the ransom when you know a good backup should save you, and another decision entirely when they have your and your customers’ data out there on the Internet and are promising to cause great reputational harm. Like all complex issues, whether you pay or not depends on a lot of considerations, including financial, operational, and legal ones. With that said, if you pay the ransom, you are far from alone.
Final Advice
Everyone should have a ransomware response plan in place that covers what your organization has decided to do in the event of a ransomware attack. What do you do to limit damage? Who do you get involved? Will you pay the ransom if forced, and so on? All of these decisions should be made and documented ahead of time. The heat of battle is not the time to be making them. A good beginning resource for any ransomware response plan is KnowBe4’s Ransomware Hostage Rescue Guide (https://info.knowbe4.com/ransomware-hostage-rescue-manual-0), which I helped write. Of course, preventing a ransomware attack from happening in the first place is the best defense. Stop social engineering, however you do that, and patch your software. Those are the top two root causes of ransomware attacks. Stop them and you likely stop ransomware.