Ransomware is a very topical threat to many organisations and individuals in today’s connected world. Recent high-profile attacks on US hospitals have highlighted the damage this simple tactic can cause, along with the moral dilemma posed to the executives of the affected organisations. Whether you agree or disagree with some of the decisions made by the affected organisations, we can all conclude that ransomware poses some extremely complex moral and ethical questions for the victims themselves. Let’s take a look at some of these complexities.
The Business Model
Ransomware tactics are simple. Pay us, or never see your data again. The attackers understand that data, rather than infrastructure, is far more precious to an organisation, and they are now focusing their efforts on this avenue of attack.
DDoS attacks demanding ransoms have been rather unsuccessful and did not see the uptake in the underground that we have seen with ransomware. The complexity of maintaining a DDoS platform is a likely reason for this; another is that the mitigation actions taken by the victims are much simpler to justify. Moving infrastructure, upgrading equipment and developing business continuity plans can be seen not only as an expense caused by an attack, but also as an investment, giving security teams a better case to take to the finance team when mitigating against these external threats.
Data, however, cannot be so easily “upgraded”. Complex business relationships create data processing, storage and transmission requirements that are not always clear to an organisation. Understanding your data is certainly an arduous task.
Attackers use this insight to direct the threat inside the organisation through the ingress points it cannot do without, such as email, file sharing and web browsing, all of which are needed in a complex business environment. Simply put, these are holes we cannot fully close.
The genius of the ransomware attack model, however, is not in the attack vectors or the malware itself; it is the way that attackers give the organisation a choice: to pay or not to pay.
A ransom demand appears on every screen within your organisation. As the CISO, you are tasked with making a number of complex decisions, but the primary choice is this:
“Do we pay the ransom?”
A number of variables come into play at this point, not least of which is whether payment will actually guarantee the release of the data. Ransomware actors appear to have understood the mindset of a victim: if there are many published cases where payments do not result in the decryption of files, then more and more victims are unlikely to pay. It is also important to bear in mind that the attackers have no incentive to keep your data encrypted; it is unlikely to provide them any advantage, as their motivation is typically financial gain alone. Of course they could come back and do it again; however, after such an attack security controls are reviewed and updated, making another attack unprofitable.
Another major variable for the CISO to consider is the ransom amount. If the ransom is too high for the organisation targeted, then it is unlikely to be paid. Understanding the target “market” has meant that attackers are asking for fairly low amounts and are using scale to reap their profits. Keeping ransom amounts below the cost of typical remediation strategies also makes the CISO’s decision more complex:
“Shall we pay £3000 for specialist assistance or the £1000 ransom?”
It seems a clear-cut financial decision: pay the ransom, update your security and get back to business as usual.
Complexities of Choice
As always in life, choices are not made purely on numbers. Ideology, ethics and politics all play a part in making many decisions, and will certainly play a part in deciding whether or not to negotiate with criminals.
As an organisation there will be both private and public points of view that will guide executives to a final decision, but ultimately one single factor will guide this decision-making process more than any other: reputation.
Let’s take a look at three fictional scenarios and discuss the decision-making process in each, along with the expected public perception of such actions:
A large private financial institution has been hit by EthicsLocker™. This bank has both a personal and corporate finance arm and has a global turnover of £3 billion. The ransomware has removed the bank’s ability to manage accounts, and many businesses and individuals are concerned about access to their investments, some of which are likely to be time sensitive.
The ransom is set at £1 million; recovering without paying up costs around £3 million, along with a lengthy clean-up period.
Should the bank pay?
There is an argument to be made that, as a financial institution with such a large turnover, the bank would easily absorb the ransom cost and should not jeopardise its customers’ investments. After all, that is what it is being paid to protect. The money the bank would use is its own private capital and will in no way impact customers.
However, the CEO is an old-school businessman who will not be blackmailed and is leaning towards the more costly and disruptive option.
How do you feel the public and, in particular, the bank’s customers or shareholders would feel about either outcome? Would they be upset if a bank paid money to these criminals, or would they assess it to be a logical decision?
Keep your views in mind as we move along.
The Tax Man
Her Majesty’s Revenue and Customs (HMRC), the UK tax authority, has been hit by ransomware. The effects have rendered HMRC completely unable to function, and it can no longer service the tax needs of the British public. Tax cannot be collected efficiently, nor can tax adjustments be made (for better or worse).
The ransom is set at £9m, a mere third of the £27m total cost of manual recovery, not forgetting the long recovery process. However, HMRC is a government body and, in this scenario, 100% funded by the state.
Does the Tax Man pay the ransom?
Does a government organisation pay criminals with public money which could potentially fund all forms of criminality? Or does it use a greater proportion of public money to “take a stand” against these Cyber Bullies and uphold the government stance of non-negotiation?
And let’s not forget, no one likes paying taxes.
Sick-Puppy.org is a registered charity that looks after abandoned and mistreated puppies (yes, the really cute ones). It has been hit by EthicsLocker, which has halted its ability to rehome puppies with their new loving owners.
The ransom is set at £100,000, with a manual recovery cost of £500,000.
Paying the ransom would require a considerable amount of publicly donated cash to be handed over to the criminals. How would you feel about that as a donor or a member of the general public, seeing charitable donations being passed to criminal gangs involved in drugs, human trafficking and terrorism, simply to save some dogs?
However, manual recovery is also likely to be economically damaging for Sick-Puppy.org, and would see the organisation fold, with the puppies sadly having to be destroyed and subsequent cases not being cared for.
Did I mention these puppies are really cute?
The clock has run down, the decision is here. Do you pay?
Ultimately the answer should always be no. No amount of disruption to a business should warrant paying money to criminal gangs, not least because of what the money may be used for, but also because it perpetuates the ransomware business model, a scourge of the Internet. As a society we have to make a stand and say “we will not be blackmailed!”
Remember the US healthcare system attacks? What if it was your mother’s hospital?