Conventional wisdom says ransomware victims shouldn’t pay their attackers, but a panel of legal experts suggested Thursday that standing firm might not always be the smartest play in the real world.
FBI officials, corporate bigwigs and public sector security bosses in recent years all have advised their colleagues to keep their wallets closed when ransomware hits. There’s no honor among thieves, the logic goes, and even if you pay hackers to buzz off, who’s to say they will follow through on promises to unlock encrypted data? But there are scenarios in which small and medium-sized businesses should carefully consider their decision, Mark Knepshield and Matthew Todd said during a panel discussion at the Legalweek conference in New York.
“I would say, if it’s a small amount, pay it,” said Knepshield, a senior vice president at insurer McGriff, Seibels and Williams. “It’s likely just be the easiest way out of your situation.”
In a poll surveying Legalweek attendees, 86 percent said they would not pay a ransom if attackers threatened to publish stolen material online within 24 hours. That follows the traditional legal advice, with the FBI encouraging hacked businesses not to pay, in part because meeting extortionists’ demands could help thieves expand their operations.
“Law enforcement has to have a policy, and that has to be their policy,” said Todd, a principal consultant at Full Scope Consulting and a former chief security officer in the financial sector.
However the evolution of ransomware attacks over the past year has forced firms to reconsider, Todd said. Well-resourced criminal organizations have replaced comparatively low-level “spray-and-pay” operations. Those groups leave behind a trail of evidence that insurers, attorneys and corporate security teams can quickly research to understand their chances of recovering stolen information.
“Like with the city of Atlanta, with the source code that was coming in, even if they had paid the ransom, I don’t think the individuals who launched the attack would have had the sophistication to be able to un-do the [encryption] keys,” Todd said. “You need to ponder it carefully.”
Paying small ransoms may also help frustrated security bosses avoid a browbeating from higher-ups who are more concerned with resuming business than examining the forensic evidence in the midst of an attack. Forfeiting $500 to hackers could hasten that process, and give the chief information security officers an out with his or her boss.
“Being cyber resilient just means being able to explain yourself to shareholders when something goes wrong,” said Roberta Sutton, who founded RAS Enterprise Risk Management services after working with insurers. “We got breached all the time [in the past] but we never reported them because [hackers] never walked out with any of the data, at least that we could tell.”