Why You Shouldn't Pay Ransomware Attackers

When the lights go down in the city, it might be something far more nefarious than bad weather or a simple equipment malfunction. The cause could be an attacker who has infiltrated the utility company’s defenses (or lack thereof), infected controllers, and is now holding the city ransom.

Seem far-fetched to you?

Unfortunately, it’s an increasingly common reality in the United States and worldwide. Ransomware attacks have already hit utilities in Michigan, North Carolina, Colorado, and Johannesburg, South Africa, to name a few. It isn’t that the ransomware itself has evolved much; what has changed is who the attackers are going after. Utilities, and municipalities in particular, are being hit more often.

City and county government offices across the United States have been in the news repeatedly because of ransomware attacks. Baltimore, Atlanta, Riviera Beach (FL), Lake City (FL), the Georgia Courts, and the Georgia State Patrol have all been hit and have suffered varying degrees of damage. One thing is certain: municipalities are being targeted at an alarming rate, especially over the past 18 months.

There’s a greater sense of urgency to remediate an attack on a municipality because the impact of taking one offline is more significant. The services a municipality provides are often critical to its function, and an outage is felt by a large population. Combine that with the fact that many municipalities are easy targets, and they become an ideal return on the attacker’s investment.

The motive? Money. Plain and simple. The whole point of ransomware is to bring your operations to a screeching halt until payment has been made. Attackers hold your information and systems hostage, which effectively holds you hostage. It’s just like the movies where the bad guy kidnaps a rich family’s child and demands millions in a note made of magazine clippings, except in this case the kid is literally your entire city.

As these attacks become more common, an interesting debate has returned to center stage.

“Should you pay an attacker to get your network, devices, power, systems, or information back?”

While the answer should be a resounding “no,” it can be very tempting to give the attackers what they want so they’ll release the chokehold they’ve put you in. Here are the most important reasons not to cave in to that temptation.

You Should Have a Plan to Combat Ransomware

The truth is, no matter what you do, no matter how much money you spend, no matter how blinky your blinky lights are, you will never stop 100% of attacks 100% of the time. A determined attacker will eventually find a chink in your armor and get in.

This does not mean you give up! This means you prepare better.

Ransomware Planning

While you cannot prevent all bad things from happening, you can detect them and have a plan in place for an effective response. You can’t prevent every ransomware attack, but you can be 100% certain you won’t have to pay if (and only if) you plan well.

As of 2019, 77% of organizations (not just municipalities) had no formal cybersecurity incident response plan.

Frankly, that’s absurd.

Organizations with a strong incident response plan detect attacks earlier, and early detection is critical to limiting the damage. In an age where ransomware attacks are a frequent occurrence, you’re setting your organization up for failure if you don’t plan for incidents before they occur.

Some Components to a Good Incident Response (IR) Plan

This post isn’t a full guide to building an incident response plan, but here are some critical components:

  • Clearly-Defined Roles and Responsibilities
    • Who does what?
    • Who doesn’t do what?
    • Who’s in charge?

Two of the most frequently overlooked pieces of an incident response plan are responsibility for communications and the role of executive management. Controlling communications (internally and externally) is essential to controlling the message. Loose lips sink your IR ship.

  • Defined Test Plan
    • Test the plan regularly and whenever there are any significant changes (technologically or organizationally). Annual testing is not enough.
    • The wrong time to find your plan doesn’t work is when you-know-what hits the fan.
  • Lessons Learned
    • In every test and in every actual incident there are lessons.
    • An incident response plan must mature over time. If you don’t incorporate the lessons you’ve learned, your incident response plan doesn’t mature and will eventually become obsolete.
  • Have a Backup
    • Backups are so basic, it’s hard to believe how many people don’t have good ones.
    • Keep at least one copy offline, or otherwise unreachable with the credentials an attacker would hold on your network. Ransomware operators look for reachable backups and encrypt or delete them before they trigger the ransom.
    • Use a simple but effective backup strategy. The more complicated it is, the more difficult recovery is.
    • Test recovery often. Never, ever assume that your backups are going to work; a backup job that reported success proves nothing until you have actually restored from it. You must prove that your backups work through constant testing.
    • Quick pro tip: store the keys that encrypt your backups offline, somewhere you can get to them quickly. A key that lives only on a system that was hit by ransomware is encrypted along with everything else and isn’t going to help you much.

With ransomware, you can be 100% certain you’ll never have to pay a ransom if you have solid, easily accessible, tested, offline backups.
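As an added example (this is not code from the original post or from FRSecure), here is a Python script that does what the backup bullets above call for: it records a manifest of file hashes from a known-good copy, performs a real test restore into a scratch directory, and compares every restored file against that manifest. It also shows the two ways “the backup ran fine” can still be worthless: a nightly job that archived files ransomware had already encrypted, and an archive whose entries try to write outside the restore directory. The function names and the tiny “municipal file share” sample tree are constructed for illustration only.

```python
"""Test-restore a backup and check the restored files against a manifest recorded
from a known-good copy and kept offline.  Added example, not FRSecure tooling:
function names and the sample file tree are constructed for illustration."""
import hashlib
import io
import tarfile
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    return hashlib.sha256(path.read_bytes()).hexdigest()


def make_backup(src_dir: Path, archive_path: Path) -> dict:
    """Archive src_dir as tar.gz and return a manifest {relative path: sha256}.
    Keep the manifest offline with the backup keys, never beside the archive."""
    manifest = {}
    with tarfile.open(archive_path, "w:gz") as tar:
        for path in sorted(p for p in src_dir.rglob("*") if p.is_file()):
            rel = path.relative_to(src_dir).as_posix()
            manifest[rel] = sha256_file(path)
            tar.add(path, arcname=rel)
    return manifest


def verify_restore(archive_path: Path, manifest: dict, restore_dir: Path) -> list:
    """Actually restore the archive into restore_dir and compare every file with the
    manifest.  Returns a list of problems; empty means the backup is proven good.
    A backup job that merely reported success proves nothing."""
    problems, restored = [], {}
    restore_root = restore_dir.resolve()
    try:
        with tarfile.open(archive_path, "r:gz") as tar:
            for member in tar.getmembers():
                if not member.isfile():
                    continue
                target = (restore_root / member.name).resolve()
                if restore_root not in target.parents:
                    # An entry such as "../x" would land outside restore_dir: never write it.
                    problems.append(f"unsafe path in archive: {member.name}")
                    continue
                target.parent.mkdir(parents=True, exist_ok=True)
                target.write_bytes(tar.extractfile(member).read())
                restored[member.name] = sha256_file(target)
    except (tarfile.TarError, OSError, EOFError) as exc:
        return [f"archive unreadable: {exc}"]
    for rel, expected in manifest.items():
        if rel not in restored:
            problems.append(f"missing from backup: {rel}")
        elif restored[rel] != expected:
            problems.append(f"content mismatch (corrupted or encrypted?): {rel}")
    problems += [f"unexpected file in backup: {rel}" for rel in restored if rel not in manifest]
    return problems


def build_sample_tree(root: Path, encrypted: bool = False) -> None:
    """Constructed sample data: a tiny municipal file share.  encrypted=True replaces
    each file's contents, as ransomware would have before a nightly job backed them up."""
    files = {
        "README.txt": b"municipal file share\n",
        "finance/ledger.csv": b"date,amount\n2019-07-01,1250.00\n",
        "gis/parcels.txt": b"parcel 1001 lot 7\n",
    }
    for rel, data in files.items():
        (root / rel).parent.mkdir(parents=True, exist_ok=True)
        (root / rel).write_bytes(b"\x00LOCKED" + hashlib.sha256(data).digest() if encrypted else data)


def make_hostile_archive(archive_path: Path) -> None:
    """Constructed: an archive whose only member tries to escape the restore directory."""
    data = b"not where you wanted it\n"
    info = tarfile.TarInfo(name="../escaped.txt")
    info.size = len(data)
    with tarfile.open(archive_path, "w:gz") as tar:
        tar.addfile(info, io.BytesIO(data))


def run_demo() -> dict:
    """Three test restores: known-good backup, backup taken after encryption, hostile archive."""
    with tempfile.TemporaryDirectory() as tmp:
        tmp = Path(tmp)
        build_sample_tree(tmp / "good")
        build_sample_tree(tmp / "after_infection", encrypted=True)
        manifest = make_backup(tmp / "good", tmp / "good.tgz")     # this manifest goes offline
        make_backup(tmp / "after_infection", tmp / "tonight.tgz")  # its own manifest is worthless
        make_hostile_archive(tmp / "hostile.tgz")
        return {
            "known_good": verify_restore(tmp / "good.tgz", manifest, tmp / "restore_good"),
            "post_infection": verify_restore(tmp / "tonight.tgz", manifest, tmp / "restore_bad"),
            "hostile": verify_restore(tmp / "hostile.tgz", {}, tmp / "restore_hostile"),
        }


if __name__ == "__main__":
    for case, problems in run_demo().items():
        print(f"{case}: {'PASS' if not problems else problems}")
```

The design point is that the manifest, like the backup encryption keys, has to live somewhere the attacker cannot reach: if the host that writes the archive can also rewrite the hash list, the check proves nothing. Run this the way you would run a real restore drill, against the archive you would reach for in an incident, not against a copy the backup job made thirty seconds ago.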

What’s your excuse for poor planning? If you don’t plan well, you’ll probably be forced to pay a ransom. If you’re forced to pay a ransom, you’re costing all of us.

You’re Fueling the Fire

You may think that you’re the only one who suffers when you pay a ransom, but you’re dead wrong. Every penny you give to an attacker is another penny they can use to attack again. They use the money to improve their methods, and they use the money to attack me, my friends, or even to attack you again.

Giving ransom money to the black hats gives them the resources to continue their efforts, potentially on a grander scale.

Every time you pay a ransom, you’re giving attackers money to recruit new people, purchase new technologies, and more. At the end of the day, you’re paying them to turn around and go attack someone else. It’s foolish to think they’ll stop after getting 20 bitcoin from you.

If you pay ransomware ransoms, you’re just shifting the money from good to bad.

Better Use of Money

I don’t know about you, but I don’t have an unlimited budget. Security budgets are often tight as it is. If your organization spends its hard-earned dollars on paying a ransom, it’s less money your organization can spend on more productive and enjoyable things. The money you spend must come from somewhere.

The money your organization makes is meant to further the organization’s mission, and the mission suffers with every diverted dollar.

What’s a better investment?

  • Paying a ransom or giving everyone in the organization a raise?
  • Paying a ransom or expanding into a new market?
  • Paying a ransom or providing new laptops to employees?
  • Paying a ransom or providing better healthcare benefits to your employees?

If you’re a municipality:

  • Paying a ransom or improving the quality of life for citizens?
  • Paying a ransom or being fiscally responsible?

From a budget standpoint, every ransom payment takes money away from another budget that could really use it. If you plan poorly, you might have no choice but to pay. If you planned well, you shouldn’t have to.

You’re Trusting a Criminal

Let’s not get this mixed up. People who hold systems and networks ransom are criminals. I’m guessing that ethics aren’t a strong suit for them.

You pay the ransom because you believe it will get you back up and running. What do you do if the attacker takes your money and doesn’t give you the key to get your information back? What do you do if you never hear from them again, after your money is gone?

  • Call the police?
  • File a lawsuit?
  • Punt?

It’s sad that you trust the attacker to give you the information back more than you trust yourself. If you trusted yourself, you would have planned better, and you would have had the confidence you would never be in this position in the first place.

Do you trust that an attacker will give everything back to you? Do you trust that they will return everything exactly the way it was (i.e. they didn’t sneak anything else in)? Do you trust that the attacker didn’t keep a copy for themselves, maybe for use against you later? Paying buys you, at best, a decryptor. It does nothing about the access the attacker used to get in, so a paid-for “recovery” still needs the same eradication and rebuild work as any other incident.

Maybe you’re dealing with a criminal you can trust, and maybe they’ll give your information back (most do, because it’s part of their “business model”). Personally, I’m not going to rely on the integrity of thieves to get my business back up and running, and the research backs up that concern. According to CyberEdge Group, companies paid the ransom 45% of the time, yet 38% of those that paid still didn’t recover their data.

Remember, you can’t expect the bad guys to play by the rules. Paying a ransom is always a risk.

Now You’re a Target

You were already a known target to the attackers. When you pay a ransom, you’re now a known target who’s also willing to pay. What better target could an attacker ask for? You’ve already paid once. Would you do it again if you were faced with the same issues? Logic suggests you would.

Whether you would or wouldn’t doesn’t matter. Now you’re perceived as a company willing to pay attackers to get your data back. With that reputation comes a slew of attackers ready to see if you’d do it again.

U.S. organizations that paid a ransom were targeted and attacked again with ransomware 73 percent of the time.

If the thought of increasing your risk of being hit by ransomware again freaks you out, it’s in your best interest to build a proper response plan now.

Effects on Insurance Prices

This may come as a surprise, but insurance companies don’t like to lose money. They’re in business to make money, and they’re very good at it.

Paying claims is not in the best interest of insurance companies. Every time they do, it’s money directly out of their pockets. That’s why your premiums always go up the riskier you are to cover. This is the case across insurance. If your driving record is worse, your car insurance rates go up. If you live somewhere where hurricanes run rampant, your homeowner’s insurance will be more expensive. If you’re more likely to be breached (or have been before), your cyber insurance rates will increase.

And unfortunately, it’s a shared marketplace. If companies start crawling to their insurers to pay the latest ransom at an alarming rate, insurers will think about raising rates across the board.

So, to keep cyber insurance affordable and accessible to businesses across the board, we need to avoid making a habit of the things that drive rates up, including paying ransoms.

Moral of the Story

Don’t ever pay a ransom. If you plan properly, you will never be in a position where you don’t have a choice.

For more information on creating an incident response plan and protecting against ransomware attacks, visit frsecure.com.

Evan Francen
CEO at FRSecure
Nickname: "The Truth"

I am a 25+ year information security veteran, and I tell it like I see it. I’m not known for being politically correct, and this sometimes gets me into trouble. More often than not; however, clients and colleagues come to appreciate the candor and common sense approach. If you look at security (the right way), you’ll find that it’s just not as complicated as people make it. I hope you enjoy my writings on security and other miscellaneous things. I really have a strong and deep passion for helping people and making the world a better place.

Check out my new book UNSECURITY
