This was not always my opinion. In the early days (2015-2017) of ransomware, it seemed justifiable to pay the ransom if you absolutely had to. When your critical data is encrypted, and you don't have backups, then paying the ransom may be the only option.
What changed my mind?
There is one principle from history that changed my mind about paying the ransom.
It wasn't because some criminals don't release the keys after being paid [1].
It wasn't because the criminals may demand additional money.
It wasn't because paying the ransom increases the likelihood of being attacked again.
It wasn't because of the great difficulties encountered in restoring and fixing corrupted data after decrypting the data.
It wasn't even because some of the ransomware payments fund terrorism.
There is a simple truth we learn from history.
At all costs, when you are losing a position, do not leave anything behind that can strengthen your enemy.
When we read accounts of armies abandoning a position, they destroy all of the stores that they can't take with them. During the American Revolution, for example, when the Continental army abandoned a fort, they spiked the guns (a process that renders them useless), destroyed food supplies, and burned buildings. This may seem incredibly wasteful, but in this context it makes sense — you are losing these resources anyway; why should your enemy also be strengthened by gaining them?
In the same manner, paying the ransom strengthens criminals and weakens your own organization.
How long can this go on?
As the criminals gain resources, they gain strength — more hackers, better tools, more infrastructure. They will use these to successfully attack even more organizations. Meanwhile, on the defender side, we continue to lose resources.
When we think about this cycle, it is clear that it will only get worse and worse when we pay the ransom.
And it has! Because my former employer MEDITECH has a large number of customers in the United States and Canada, I was able to observe the ransomware trends over time. As each year went by, not only did the number of incidents increase dramatically, but the severity did as well. In 2016, most of the incidents were low impact — events that only took a day or so to recover from. Starting in 2017, the incidents included a larger proportion of attacks that required over a week to recover from — and in many cases it was 3-6 weeks!
Then the Pandemic Came
The pandemic only exacerbated the issue — I observed healthcare organizations large and small cut back on their IT and security spending due to the burden of the pandemic. Unfortunately there appears to be no Russian equivalent for "don't kick a man while he's down." In fact, in my mind these ransomware criminals are saying "that's exactly when you should kick a man — when he's down!"
Why don't we pull together?
While in the human body, individual cells may sacrifice themselves for the good of the entire organism, it's not likely that we will see this behavior in human society. It's easy to glibly say "don't pay the ransom" but when you are faced with a terrible situation at your own organization, you are rightly concerned about resolving the ransomware incident in the way that gives your organization the best possible outcome.
However, we do well to reflect on how our payment of the ransom will enable these criminals to gain strength and attack even more people in the future.
Realistically what should we do?
Be Proactive
We each need to work hard to provide the right information to our executives and leadership and help them see how vital it is to take proactive steps now. I hope that my recent blog article "This is not a Spy Novel" provides some examples that you can use in your own institution.
Be Resilient
The one bright spot in my work with Healthcare institutions and Ransomware was that most organizations do a good job of recovery and restoration because there has always been a major focus on resilience and disaster recovery within Healthcare.
Be Informed
Please read my other article "If you decide to pay the Ransom" so that if you do go down this road, you will be prepared for some of the traps and pitfalls.
Afterword
I originally came to this opinion sometime in 2020 and spoke about it at several conferences, including an InfraGard webinar on Ransomware in early 2021 held by the New York Metropolitan area chapter. Even now when ransomware is even more rampant, I find that it is not an opinion most people hold.
Please answer the poll and share your respectfully worded thoughts in the comments.
What do you think? Should organizations pay the ransom?
Yes - if that is their only option.
No. Never.
It depends...
References
Wikipedia: Zero Sum Game - At first I thought "these ransomware attacks are a classic zero sum game" but then I realized it is worse than that. In a zero sum game, your loss is equal to your enemy's gain. However, in this case, not only does the victim organization lose the amount of the ransom, but they lose significant amounts of resources due to downtime, investigation and recovery, damage to reputation, loss of employee morale, and much more. The losses of the victim may be much greater than the gains by the criminal.
Disclaimer: The information provided here (“material”) is intended for informational purposes only and does not constitute legal or professional advice. This material is not warranted to be exhaustive or complete. Additionally, every organization has a unique set of circumstances, business requirements, contractual obligations, and regulatory compliance requirements which we are unaware of. No guarantee is made that use of this material will secure your organization and help you to meet your compliance obligations.