February 04, 2020 at 3:23 PM
To Pay, or Not to Pay: The Ransomware Dilemma
Aaron R. Warner, CEO of ProCircular, Inc. in Coralville, Iowa
February 5, 2020
Plain and simple, ransomware attacks are on the rise. In just the first three quarters of 2019, more than 150 million ransomware attacks occurred worldwide. It's affecting Iowa companies every day, and often we're the company that they call for help.
While conventional wisdom dismisses negotiating with criminals, ransomware presents a different scenario entirely. Like all other decisions in a cybersecurity breach, ransomware payment should be weighed in terms of risk. There’s a strong case for keeping payment on the table, at least until objective risk analysis rules it out.
For decades, law enforcement and media have propagated the DO NOT PAY mantra regarding terrorism. Given the risk of further emboldening terrorists, this argument makes sense in the Global War on Terror.
Unlike terrorism, data ransom attacks require very little planning or expense. Many effective hacking tools are freely accessible through the dark web and usable by anyone with a laptop, internet connection and know-how. If a ransom attempt fails, it’s of little consequence to the hacker. They’ll simply leave the data locked and move on to another target until they do get paid, suggesting non-payment may incite more ransomware attacks, not fewer.
However, while payment should remain an option, ransom should never be paid without risk analysis. When managing a cybersecurity incident, ProCircular considers several quantifiable factors before recommending payment to a client, including viability of the attacker, ransom amount, ethical concerns, estimated cost of operational downtime, the actual value of the data and the ability to recreate it.
If an organization has no functional backups, extraordinary costs of downtime, and the hacker appears to be experienced and somewhat credible, taking a chance on a ransomware payment may be the right course of action.
I will be delivering this message tomorrow and Thursday to Iowa Senate subcommittees: when it comes to data ransoms against state agencies, we must keep payment as a possible if unfortunate tool in our toolbox.