If we ban paying the ransom, cybercriminals won’t scatter like cockroaches in the kitchen when the light is turned on. And in many cases, giving in to the criminals’ demands is the best way out.
Colonial Pipeline is one of the many cyberattack victims that have chosen to pay ransomware demands. The biggest American oil pipeline system paid $4.4 million in exchange for a decryption key.
According to experts, paying the ransom is the obvious way out in many cases, especially for critical infrastructure companies and organizations that are below the security poverty line.
In 2020, according to Chainalysis, targets of attacks paid an estimated $350 million, up 311% from the previous year.
When faced with a ransomware attack, what should victims do? Is paying the ransom really a viable solution? And are there any alternative methods of getting the precious data back? Prominent cybersecurity experts tried to answer those questions during the Institute for Security and Technology webinar.
To pay or not to pay
While some argue that paying ransom only fuels the ransomware ecosystem, experts agree that succumbing to cybercriminals’ demands sometimes might be the only way for businesses to avoid costly disruptions, the shutdown of essential services, or the release of sensitive information.
“A lot of times payment is the way to go,” Ari Schwartz, Managing Director of Cybersecurity Services and Policy at Venable, said.
According to him, ransomware victims have a lot to take into consideration. A public company with shareholders has to think about fiscal responsibility. The insurance company might be pushing you to pay. The fear of losing or exposing data also adds to the pressure.
According to Jen Ellis, Vice President of Community and Public Affairs at Rapid7, many organizations find themselves below the security poverty line. In that case, not paying the ransom will most certainly mean the loss of a business that has belonged to your family for generations.
"They really can't afford a lot of defense-in-depth measures, and they lack the resources and capability. For them, a ransom incident can mean an end of the business. If you don't pay, you have no recourse," she said.
For them, according to Ellis, the choice to pay or not to pay is simply not there. "You have to pay because otherwise, you are saying goodbye to your businesses."
Josephine Wolff, Associate Professor of Cybersecurity Policy at the Fletcher School at Tufts University, agrees that paying is the obvious choice a lot of the time. But individual companies should not be blamed for the choices they make. Policymakers, according to Wolff, are letting that happen.
Should ransom payments be forbidden?
Governments argue that ransom payments are fueling the ransomware ecosystem. The FBI doesn't recommend paying the ransom, as there's no guarantee you will get any data back. Paying also encourages perpetrators to target more victims and offers an incentive for others to get involved in this type of illegal activity. However, legislators are not yet moving ahead with banning it.
The goal, all three experts agreed, should eventually be a prohibition on ransom payments. But doing that too soon would do no good.
"If you look at the Colonial Pipeline case, people on the East Coast are not getting gas, and there are lines at the pumps, and then it's illegal to pay, and we don't have a solution for them. That's problematic," Ari Schwartz said.
Before prohibiting ransom payments, he argued, there should be more control over what happens, other solutions for people to seek, and perhaps some exemptions to the prohibition.
"If you do it tomorrow, we will all be in a lot of trouble," he said.
Ellis agreed that ransom payments should be prohibited eventually, but definitely not yet. Besides people losing their businesses, there's also a chance that companies choosing to break the law and pay the ransom will end up in even more trouble.
Attackers, she believes, will become more focused and target either critical infrastructure that has no tolerance for disruption or companies below the security poverty line, for whom a ransomware attack might simply mean the end of the business.
"The majority will stick to the law, and it will be devastating to the economy and them individually. But those who do consider going down that route and will make a payment will put themselves in the pocket of an attacker. They've proven the willingness to pay and the ability to pay, and they’ve now made themselves indebted in terms of the attacker's knowledge about them. That's your new form of double extortion," Ellis said.
And anyhow, the prohibition of ransom payments would not make cybercrime disappear.
"If you wrap all those things together, what happens is you flick a switch to turn off payments, it's not like turning the light on in the kitchen, and all the cockroaches scatter. They're going to be there still, trying to see how resolute you are on this," she said.