Thales Blog

Ransomware – To Pay, or Not to Pay?

June 14, 2022

Bob Burns | Chief Product Security Officer

When we speak of “disruptive technologies”, we often think of it in the positive sense, relating to the development of a technology that changes our lives for the better. Of course, one must recognize that the word “disruptive” can also have a negative connotation, as any student who has disrupted a class has painfully understood. And when thinking about criminal innovation, ransomware attacks clearly fall into that definition of “disruptive”, especially for any business on the receiving end of that “innovation”.

One of the biggest challenges that ransomware brings is that many organizations face the tough decision of whether or not to pay the ransom. In the past, this might have been a straightforward decision for companies with good backups and the ability to recover quickly. However, with many cyber-gangs pivoting to stealing data and extorting the victim with the threat of releasing that sensitive data, good backups no longer settle the question, and paying a ransom no longer minimizes the risk of future extortion. Furthermore, evolving government policy and financial regulations are beginning to weigh in on the legality of paying ransoms, making it even more perilous to decide what makes sense for a business under attack.

I recently joined Paul Chichester, Director of Operations of the UK National Cyber Security Centre (NCSC), on the Thales Security Sessions podcast to discuss the scale of the ransomware problem. We looked at who is carrying out these attacks and discussed some best-practice strategies for improving organizational preparedness.

Tipping the Scales

While ransomware attacks are not new, they remained largely underreported in the mainstream media for many years. However, the Colonial Pipeline attack tangibly changed public interest in this topic. In part, this was because the attack affected not only the company but also many people in the US who relied on the petroleum products it delivered to consumers, and it was without doubt a tipping point in ransomware awareness among the media and the general public alike.

While we can speculate that ransomware attacks have increased because many companies pay, there is also cause for optimism that the attention given to such a high-profile attack will generate more energy around improving our overall digital security posture and preparedness.

It can also be surmised that the increased attention surrounding the Colonial Pipeline event gave attackers the impetus to refine their tactics: vetting targets more carefully so as to minimize media attention, and selecting businesses likely to yield more lucrative paydays.

Paul Chichester views the attack patterns geographically, observing that incidents appear to have plateaued in the United Kingdom following the implementation of decisive protective measures. While admitting that the causality is inferential, he sees some progress in the defensive and deterrent actions of organizations as well as governments. Paul emphasized that this should not be taken as grounds for complacency, as the dynamism of the threat could change the picture at any moment.

Actions in the United States, such as the President’s Executive Order on Improving the Nation’s Cybersecurity, are a good first step. Government plays an important role, not only in raising awareness but also in putting resources and energy behind initiatives that protect not just itself but private industry as well. One additional key to success is improving transparency and the information pathways between government and private entities, which still seem to be in their nascent phase. These are all positive developments.

Building Defenses

Paul offered some examples of concrete defensive steps being undertaken in the UK, including “takedown” services that target the servers of ransomware operations, and a protective DNS service available to the entire public sector, which can stop many precursor and targeted attacks. Much of this information is also being shared with the private sector. Internationally, last year’s G7 meeting included discussions of cyber risks. While it focused primarily on the financial sector, it is a clear indicator that international collaboration and cooperation is gaining significant momentum.

Organizations can take steps on their own to prevent and stop ransomware attacks. Criminals will continue to act opportunistically, finding the most accessible weakness to exploit. One of the best defenses is a good Business Continuity Plan (BCP) that specifically addresses the ransomware threat. Traditional BCPs have examined natural and regional disasters; ransomware, however, is indiscriminate and unconstrained by geography, so a plan that considers business-wide digital impact is critical. Crucially, this includes a communications plan that does not rely on any corporate infrastructure that may be compromised, such as email, VoIP phone systems, and chat applications. Another key defense is a strong recovery strategy, with solid plans for getting systems back into reliable operation as quickly as possible. And perhaps most importantly, ensure that all of these plans are exercised and tested on a regular basis.

Moving Forward Together

The vexing question remains: should organizations pay the ransom? Paul stated that the official position in the UK is not to. However, it is a sensitive subject, as criminalizing ransomware payments would victimize a second time a company that may see no alternative remedy. The UK government works to assist ransomware victims.

There is cause to be optimistic that ransomware will start to level off as a result of the individual efforts of governments and private industry, as well as cooperation between the two. It is important to recognize, however, that the criminal enterprises behind ransomware are quite adept as well. Paul encourages people to visit the NCSC site’s Exercise in a Box, which includes many threat scenarios, including a ransomware exercise.

To hear the full episode, entitled “Ransomware – To Pay or Not to Pay”, visit the Thales Security Sessions Podcast page.