Would Hamlet Pay a Ransom?
The FBI strongly advises companies to never pay when ransomware strikes. So why do organizations continue to do so in the face of an attack?
Would Hamlet Pay a Ransom?
Hamlet once pondered, “To be, or not to be. That is the question.”
If the Prince of Denmark lived in the modern world, he is more likely to be pondering the impact of ransomware on his kingdom and be saying, “To pay, or not to pay. That is the question.”
Government and justice officials are clear about their opinion. The FBI strongly advises companies to never pay a ransom. It is quite possible that the Justice Department will start fining anyone found to have paid over a ransom. Similarly, the UK Home Security has publicly stated that the government doesn’t support victims of ransomware attacks paying the ransom.
Their logic is simple. Paying the bad guys the money just tells them that ransomware is a great way to accumulate cash. Further, who is to say that the cybercriminals will decrypt organizational files once the ransom is paid?
Remember all those movie plot lines where the blackmailer keeps coming back for more and more money? The same thing can and has happened in ransomware attacks. When you are dealing with a criminal, there is never any guarantee that they’ll keep their word.
Another ploy used by the bad guys is to threaten to publicly reveal sensitive or embarrassing data or intellectual property (IP) to the world at large if a large sum is not paid. Even if a ransom is paid, there is still a possibility the criminals will cash in again by quietly passing such data onto a competitor or a journalist – for a fee, of course.
Finally, if hackers have been inside your network, how sure can you be that they haven’t left some form of malware lurking inside. Perhaps a back door, or a way to siphon off money quietly. It is not an easy task to ransack every nook and cranny in the enterprise to find malware and vulnerabilities.
As Hamlet said, “Though this be madness, yet there is method in’t.”
Why Some Pay the Ransom
Colonial Pipeline recently paid almost $5 million. The logic in that action seems clear. It would cost the company far more in potential revenue losses than the ransom demand. Revenue loss is often what motivates payment.
But in local government, healthcare, and education hacks, what drives payment may be something different. The need to restore vital services. Hospitals need access to care for their patients, after all.
Anyone paying a ransom may be subject to government fines. Currently, that is only a threatened action. But with many countries running in heavy deficit, fining organizations for submitting to ransom demands may be seen as another way to fill up the coffers.
How Will the Cybercriminals Respond?
If governments continue the rhetoric about not paying, and fines begin to be issued, more and more organizations will resist the temptation to pay the requested ransom.
The Irish national healthcare service, for example, is currently in a standoff with hackers who have locked it out of many healthcare and social service systems. Ongoing mitigation efforts include shutting down all computer systems, isolating those that were attacked, then wiping, rebuilding and updating all infected devices, updating antivirus and other security apps, and recovering systems using offsite backups.
If refusal to pay becomes a trend, the ball falls into the court of the criminals. How will they respond? In the old days, anyone failing to pay protection money would see their store vandalized, a family member brutalized, or would become the victim of an arson attack. The cyber-equivalent of some of these would seem to be the obvious response. Time will tell.
The best approach, though, is to be vigilant in doing everything you can to prevent the possibility of a ransomware attack. Patch all systems, keep an eagle eye for potential vulnerabilities, and act whenever one is found.
As Hamlet said, and he might even have been talking about cybercriminals, “Let the doors be shut upon him, that he may play the fool nowhere but in’s own house.”