Action movies taught us early on that people can be kidnapped by nefarious criminals and held under duress in bleak conditions until ransom is paid.
In this not-so brave new cyber world, criminals are instead holding businesses electronically hostage until ransom is paid.
Commonly, criminals accomplish this by encrypting the data on business systems to crippling effect—often all from behind a computer screen. When a screen appears on the computer demanding a ransomware payment in exchange for the decryption key needed to recover the data, each minute spent grappling with the question of whether to pay the ransom can be money down the drain.
This “delay tax” may arise from the criminal increasing the ransom as a penalty for a delayed response, from the sheer force of the business disruption—or both.
Ransomware attacks against businesses are on the rise and how organizations respond to them varies dramatically. There is no single “right way” to respond. Each organization must evaluate how to respond based on its own individual circumstances.
Businesses should ask these top five questions now, before an attack, to help develop a corporate philosophy on how to quickly decide whether to pay a ransom in the face of an actual attack.
1. What Are the Costs of Paying?
The costs of paying a ransom range from the obvious, the price of the ransom demand, to the more subtle, the morality of paying.
Often ransom demands ask for “only” hundreds or thousands of dollars, but they have reached as high as several million dollars.
The FBI denounces paying ransoms as encouraging cyber criminals to proliferate the practice. One reason is that the ransom payment may go on to fund other criminal activities. Another reason is the hope that if the financial motivation is stripped from the cyber criminals by not paying ransoms, the attacks will decrease.
In this same vein, businesses may very well end up putting a target on their backs for repeat attacks if criminals view them as ATMs that will reliably pay out when faced with a ransomware attack.
2. What Are the Costs of Not Paying?
Headlines affirm that ransomware attacks can wreak financial devastation when businesses do not pay the ransom. Just this year, global aluminum producer Norsk Hydro refused to pay a ransom and suffered 45 million pounds in losses, and rising. Baltimore’s ransomware attack ravaged the city to the tune of more than $18 million after it refused to pay the ransom.
Typically, these giant losses are the result of business interruptions caused by lack of access to the data.
3. Can the Data Be Recovered Without Paying the Ransom?
If the computer screen is demanding payment, it is worthwhile to take a moment before immediately paying. As a preliminary matter, it may not be an actual ransomware attack that has successfully encrypted your data. Bringing in your IT or computer forensics experts can verify if the attack is real or not. Your IT or computer forensics experts can also help ascertain if the data can be restored from backups without paying the ransom.
Even if it is a legitimate ransomware attack, there may be ways to decrypt the data. For example, European law enforcement agencies have engaged partners to maintain the website No More Ransom! As explained by the site: “[I]t is sometimes possible to help infected users to regain access to their encrypted files or locked systems, without having to pay. We have created a repository of keys and applications that can decrypt data locked by different types of ransomware.”
Engaging computer forensics experts or law enforcement may also lead to the liberation of your data. In their years of experience with different types of attacks, these experts may also be able to identify the type of ransomware attack sustained and share the decryption key businesses would otherwise pay for.
4. Is It Worth the ‘Will You Get Your Data Back’ Gamble?
Businesses need to appreciate that they may cough up the ransom money and, disappointingly, not get the data back at all. Remember, we are talking about a criminal’s promise here. Law enforcement and forensic experts may be able to help vet whether you are dealing with an “honorable” criminal who will actually release the data or not, if they have worked with the bad actor before.
NotPetya is a devastating example of this. NotPetya initially presented as ransomware and demanded payment, but paying was futile. It was a wolf in sheep’s clothing—or perhaps a ferocious wolf in a less ferocious wolf’s clothing. The malware was, in fact, destructive wiper malware intended to destroy data in the guise of ransomware that gave false hope to victims lulled into thinking paying the ransom would solve all their problems.
5. Should the Business Pay This Ransom?
A middle ground exists between paying the ransom and not paying it. Specifically, should you pay the full ransom amount demanded?
For example, criminals demanded a ransom of $3.6 million from Hollywood Presbyterian Medical Center. Rather than paying out millions of dollars, the victim negotiated the demand down to $17,000. This shows that part of the thought process when assessing a corporate philosophy on paying ransoms includes how much you are willing to spend.
These are only a handful of the many considerations businesses should contemplate when hit with a ransomware attack. The number of issues, both technical and legal, that arise is enormous, and they take significant advance planning and thoughtful analysis.
Engaging counsel to light a path through this cloud of confusion can enable companies to respond quickly and nimbly in the face of a cyber crisis. You may want to revisit the decided philosophy when faced with a real attack.
However, revisiting a decision in light of real, and not hypothetical, facts can be far easier than debating the issue from scratch while an attack is ongoing.
In sum, evaluating a ransomware philosophy should be a key component of a comprehensive incident response plan. Deciding ahead of time arms businesses with a playbook of how to effectively respond to minimize financial and public relations damages.
This column does not necessarily reflect the opinion of The Bureau of National Affairs, Inc. or its owners.
Anne Lockner, a partner at Robins Kaplan LLP, chairs the firm’s Privacy and Cybersecurity Group and is a member of the firm’s executive board. She has extensive experience in handling and solving a broad array of problems for her clients in a variety of commercial litigation matters including healthcare litigation, internal and government investigations, privacy and data breach matters, financial fraud, breach-of-fiduciary-duty claims, breach of contract, and antitrust.
Brandy Worden is a co-chair of Robins Kaplan LLP’s Cyber Risk Group, and a leading member of the Privacy and Cybersecurity Group. As a certified informational privacy professional for both the U.S. and Europe, and a Harvard-certified cyber-risk management professional, she counsels clients regarding both domestic and international cybersecurity and privacy issues.