By Dan Featherman   /   Jun 22nd, 2021

To Pay or Not to Pay Ransomware Demands, That is the Question!

The debate over whether to pay or not to pay ransomware demands is hitting a fevered pitch. In recent weeks we’ve seen insurance companies, like AXA, place a moratorium on paying ransom demands. Further, there is a push to implement a ransomware payment ban at the federal level. With the uncertain future of insurance coverage for ransomware incidents, it is especially important to evaluate your organization’s business continuity and disaster recovery (BC/DR) plans (read more details on cybersecurity BCDR plans).

Key Factors to Consider when Deciding to Pay or Not to Pay Ransomware

Ultimately, the decision to pay or not to pay ransomware demands lies in the hands of the victim. Counsel and law enforcement can make recommendations one way or another, but at this point they cannot strictly prohibit a victim from paying ransomware demands. However, there is a common misconception that if the ransom is paid, the victim’s files will be immediately available or “unlocked.” There’s a fundamental error with this belief; affected files and systems aren’t merely “locked”, these files are actually encrypted.

If you’ve read some of our other blog posts, like my colleague Ben Kast’s recent post on encryption best practices, then you know that encryption is a process and can take time. Likewise, decryption also takes time and is in no way immediate. Business continuity and disaster recovery planning should take this into account, a tough lesson Colonial Pipeline learned recently because their cyber response plans did not. Both Recovery Point Objectives (RPOs) and Recovery Time Objectives (RTOs) should be considered when evaluating the risk associated with a ransomware event. RPOs define the minimum amount of data or systems that must be recovered after an event. Often RPOs are thought of in terms of an organization’s backups, such as “we want to be able to restore all data through last week.” RTOs define the maximum amount of time acceptable when satisfying an RPO. Using our previous example, restoring all data through last week may take up to 4 days.

RPOs and RTOs may influence whether a victim decides to pay or not to pay ransomware demands, but it is critical that organizations recognize that the decryption process should be accounted for when defining an RTO. Additionally, tasks like negotiating with the threat actor, verifying “proof of life” (i.e., verifying that the threat actor can actually decrypt the files they encrypted), obtaining the decryptor, and testing it in a sandbox environment, all take valuable time that in a normal outage would be spent recovering systems and data.

How Ransomware Groups Operate

Many ransomware operations are run like reputable businesses, with responsive representatives and functioning decryptors – in fact, ransomware-as-a-service is built on this principle. Word would spread quickly if these operations were haphazard and decryption was unreliable, resulting in very few payments. That said, even ransomware operators make mistakes and we’ve seen more than a few instances where the threat actor was unable to decrypt the data, leaving recovery from backups as the only course of action.

Reliable Backups Play a Role in Your Decision

Every IT professional understands the importance of having good backups. Just as important though is testing those backups and ensuring they are available should you need them. Offsite backups safeguard data; this ensures you have options if something catastrophic occurs at the organization’s headquarters or datacenter. When considering whether to pay or not to pay ransomware demands, think about your recovery plan. Offsite backups provide little value if they are only physically separated but still accessible on the network. You don’t want to be the organization whose systems and data, including your backups, are encrypted by ransomware. Offsite backups should not only be offsite but also “offline.” An offsite repository that is still accessible over the network may not provide the resiliency you were planning on.

From a business continuity perspective, your organization should have plans and procedures for continuing operations during a ransomware incident. This could include things like reverting to paper records (healthcare organizations often refer to this as “EHR downtime plans”) or offering a subset of normal services or operations.

The Ethical Considerations of Paying Ransom Demands

Finally, there can be ethical implications when deciding to pay or not to pay ransomware demands. By paying, the victim is supporting and enabling the ransomware operation, allowing them to grow their business and target others. However, remember that the victim is just that, a victim. They are not willfully engaging these cyber criminals. The decision of whether to pay or not to pay a ransomware demand is never cut and dried, and it’s certainly not an easy decision to make. Our best advice is to be prepared to restore operations from backups – this can ensure RPOs and RTOs are met, it will help avoid any ethical quagmire, and it may end up being substantially cheaper.

Hope for the Best, Prepare for the Worst

If you want to be prepared to respond to ransomware, LMG recommends your organization:

  • Conduct a risk assessment specifically focused on ransomware.
  • Perform ransomware tabletop exercises (ideally facilitated by an unbiased third party). Consider involving key decision makers, counsel, IT, and whoever is responsible for public relations and external communications. Also consider conducting versions of these exercises without the primary person for a given role (if for example counsel is on vacation in Hawaii). Throughout these exercises, ensure that incident response and business continuity plans align.
  • Develop playbooks and procedures that outline business and operational continuity if critical systems or data are unavailable, presumably indefinitely.
  • Ensure incident response plans include out of band communications and systems to support response, tracking, and recovery efforts.
  • Ensure backups are being performed regularly, are stored in a location that wouldn’t also be susceptible to propagating ransomware, and are tested both to ensure they work and to give you a sense of how long a restore operation may take.
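The last recommendation, testing that backups actually restore and timing how long that takes, is the one most often skipped. The following is an added example (not code from this post or from LMG Security) of a small restore drill in Python: it records a SHA-256 manifest of the source data at backup time, restores the archive into a scratch directory, verifies every file against that manifest, and reports whether the elapsed time fits the RTO. The sample files and the RTO value are constructed for the demonstration; the `skip` argument simulates a backup job that silently omitted a file, which is exactly the kind of failure a drill should surface before an incident does.

```python
"""Backup restore drill: verify a backup restores intact and within the RTO.
Added example; sample data below is constructed, not from any real system."""
import hashlib
import tarfile
import tempfile
import time
from pathlib import Path

# Constructed stand-in for production data. In a real drill this would be a
# copy of a live dataset and the RTO would come from the BC/DR plan.
SAMPLE_FILES = {
    "records/patient-001.txt": b"constructed sample record 1\n",
    "records/patient-002.txt": b"constructed sample record 2\n",
    "config/app.ini": b"[app]\nmode=production\n",
}


def sha256_of(path: Path) -> str:
    """Stream a file through SHA-256 so large backups do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map every file under root (relative POSIX path) to its SHA-256."""
    return {p.relative_to(root).as_posix(): sha256_of(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def take_backup(source: Path, archive: Path, skip: tuple = ()) -> dict:
    """Archive source and return the manifest taken at backup time.
    `skip` drops members from the archive to simulate a backup job that
    silently missed files (the manifest still lists them)."""
    def keep(info: tarfile.TarInfo):
        rel = info.name[2:] if info.name.startswith("./") else info.name
        return None if rel in skip else info

    with tarfile.open(archive, "w:gz") as tar:
        tar.add(source, arcname=".", filter=keep)
    return build_manifest(source)


def restore_drill(archive: Path, manifest: dict, rto_seconds: float) -> dict:
    """Restore into a scratch directory, check each file, and time the whole restore."""
    start = time.perf_counter()
    with tempfile.TemporaryDirectory() as scratch:
        target = Path(scratch)
        # Use the safer 'data' extraction filter where this Python provides it.
        kwargs = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
        with tarfile.open(archive, "r:gz") as tar:
            tar.extractall(target, **kwargs)
        restored = build_manifest(target)
    elapsed = time.perf_counter() - start
    missing = sorted(set(manifest) - set(restored))
    corrupted = sorted(k for k in manifest
                       if k in restored and restored[k] != manifest[k])
    within_rto = elapsed <= rto_seconds
    return {
        "elapsed_seconds": elapsed,
        "within_rto": within_rto,
        "missing": missing,
        "corrupted": corrupted,
        "ok": not missing and not corrupted and within_rto,
    }


def run_drill(rto_seconds: float = 60.0, skip: tuple = ()) -> dict:
    """Stand up the constructed sample data, back it up, and run the drill."""
    with tempfile.TemporaryDirectory() as work:
        source = Path(work) / "source"
        for rel, data in SAMPLE_FILES.items():
            path = source / rel
            path.parent.mkdir(parents=True, exist_ok=True)
            path.write_bytes(data)
        archive = Path(work) / "backup.tar.gz"
        manifest = take_backup(source, archive, skip=skip)
        return restore_drill(archive, manifest, rto_seconds)


if __name__ == "__main__":
    print("healthy backup:", run_drill())
    print("backup that skipped a file:", run_drill(skip=("records/patient-002.txt",)))
```

On real data the `elapsed_seconds` figure is the number to compare against the RTO in the BC/DR plan, and the drill is only meaningful if the archive is pulled from the offline or offsite copy rather than from the live backup server that an attacker could have encrypted along with everything else.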

I hope this article has been informative and helps your organization be prepared for a cybersecurity incident. If you need assistance preparing for or responding to a cyber incident LMG Security has ransomware risk assessments, training, policy development and incident response services that can help!

About the Author

Dan Featherman

Dan is the Chief Technology Officer and a Senior Security Consultant at LMG Security. He came to LMG in 2014 from Garlington, Lohn and Robinson where he served as Network Administrator and IT Manager for 7 years. Dan graduated with high honors from the University of Montana with a degree in Applied Science. Dan’s current certifications include CISSP, GIAC GPEN, CompTIA IT Operations Specialist (CIOS), Secure Infrastructure Specialist (CSIS), A+, Net+, Security+, CCENT, Metasploit Pro Certified Specialist (MPCS), and Nexpose Certified Administrator (NCA). Dan is also a member of the GIAC GPEN advisory board, in addition to the University of Montana Computer Science advisory board, and served several years as the Montana State Representative for the International Legal Technology Association.