There has been much debate in the cybersecurity world about the ethics and efficacy of ransomware payments. For many, the solution is simple: do not pay ransoms. Much like negotiating with terrorists, the logic suggests that paying ransomware operators encourages further attacks, sustaining the market, and perpetuating the cycle of compromise. If everyone refused to pay, continues this theory, the cybercriminals would be starved of funds and the practice would ultimately die out. This “no-concessions” policy is increasingly gaining ground in the United States, where it is almost certainly influenced by the government’s long-established reluctance to negotiate with terrorists. The problem is that this hard-line approach has been proven ineffective for decades. It is based on a simplistic, moralistic position that ignores evidence and fails to recognise either the nuances of individual cases or the complexity of the terrorist and cybercriminal threat landscapes. Consequently, we should take a pragmatic approach which appreciates that paying ransoms, while unsavoury, is sometimes the ‘least worst’ option.
No negotiation
Statements like “we do not negotiate with terrorists” or “do not pay ransoms” are forceful and easily understood. However, a good slogan rarely translates into effective policy. Both positions require a critical mass of adherents for them to work: a no-concessions policy, therefore, requires consensus. If enough stakeholders are willing to pay, the market can sustain itself and indeed flourish. Those that remain steadfast and refuse to pay often suffer worse outcomes as a warning to others considering such an approach. With ransomware, starving operators of funds would require public and private sector cooperation on a global scale. The complexity of reaching such an agreement, coupled with the skewed risk-reward calculus of many incidents, renders an outcome so unlikely that it strays into the realm of fantasy. Instead, organisations should focus on hardening their defences and preparing for an attack. Then, if they are compromised, assess the situation and respond in a way that minimises harm.
The US no-concessions policy – which is increasingly influencing attitudes towards ransomware attacks – became entrenched following a 1973 hostage situation in Khartoum, Sudan. In that incident, the Black September group killed three Western captives after President Richard Nixon stated that he refused to negotiate with terrorists. [1] Theoretically, this event should have dissuaded other terrorist groups and preceded a steady decline in the number of Americans kidnapped abroad: if the US government refuses to negotiate, the incentive to kidnap its citizens ought to diminish. Unfortunately, this has not been borne out by the evidence. A 2018 study by the RAND Corporation, one of the world’s leading US foreign policy think tanks, determined that the evidence to support the deterrent effect of a no-concessions policy was “meagre and unconvincing”. US nationals continue to top the list of nationalities kidnapped by terrorists. They are followed by citizens of the United Kingdom, which also has a no-concessions policy. [2]
Clearly, the notion that a no-concessions policy deters terrorist kidnappings is dubious. It does, however, stem the revenue streams of groups engaging in such heinous crimes. Exactly how impactful this financial pressure is for an established terrorist organisation, however, is debateable. The Islamic State (IS), for example, diversified its income by levying taxes, exploiting natural resources, looting, and foreign donations. [3]
Seeing the wood for the trees
Ransoms from kidnapping are one piece of a much larger criminal pie. Similarly, professional ransomware operators often have multiple revenue streams. A no-concessions policy for ransomware attacks, if it could be enforced, might deter ransomware attacks over time, but is unlikely to inflict a critical blow to the malicious actors. In fact, in the short to medium term, this policy actually incentivises increasingly damaging tactics that are intended to increase pressure on victims to pay. Over the longer term, it risks creating a “balloon effect”, whereby threat actors shift focus to new and potentially more destructive cyberattacks. Starving cybercriminals of cash is undoubtedly a laudable goal, but the evidence suggests that it is not an effective deterrent.
Nevertheless, this intuitive, yet arguably specious position, has begun to influence the ransomware policy space. On 1 October 2020, the US Treasury issued two advisories warning that facilitating ransomware payments to sanctioned cybercriminals may be illegal. The alert was directed towards the growing number of companies that help victims pay ransoms to recover their systems and data. According to the advisory:
“…ransomware payments made to sanctioned persons or to comprehensively sanctioned jurisdictions could be used to fund activities adverse to the national security and foreign policy objectives of the United States. Ransomware payments may also embolden cyber actors to engage in future attacks. In addition, paying a ransom to cyber actors does not guarantee that the victim will regain access to its stolen data.” [4]
It is difficult to argue against these points. Paying ransoms to sanctioned cybercriminals does risk funding activities that are detrimental to the interests of the United States. Likewise, it almost certainly helps sustain the cybercriminal ecosystem and there is no guarantee that a victim will regain access to their stolen data even after they pay the ransom. However, professional ransomware operators are generally financially motivated, rational actors. In many instances, they will provide decryption keys if a ransom is paid. Failure to do so would disincentivise other organisations to cooperate in future, eroding their entire business model. The record on deleting (or at least not leaking) stolen data is less conclusive. Sodinokibi (REvil) has been accused of re-extorting victims with the same data sets weeks after a payment has been made; Netwalker and Mespinoza have both leaked data after a company paid the ransom. [5] Regardless, imposing sanctions on companies that facilitate ransomware payments is not the most effective way to combat this issue. The focus should be on punishing the perpetrator and not the victim.
Legislation – more bad than good?
A severe ransomware attack may pose an existential risk to a business. Under those circumstances, the organisation must decide between illegally paying the ransom or letting the business fail, incurring all the resulting costs to employees, shareholders, customers, and the wider economy. If the risks of a no concessions approach outweigh those of paying, the latter will often prevail. The FBI acknowledged this reality in an October 2019 Public Service Announcement, which stated:
“Paying ransoms emboldens criminals to target other organisations and provides an alluring and lucrative enterprise to other criminals. However…when businesses are faced with an inability to function, executives will evaluate all options to protect their shareholders, employees, and customers.” (bold added for emphasis) [6]
Unless the authorities are willing to impose costs on victims severe enough to fundamentally alter this risk calculus, the reality is that some organisations will always pay. Assuming the payment violated sanctions guidelines, the Office of Foreign Assets Control (OFAC) would need to investigate the victim and prove that a payment had been made to a sanctioned party, in cryptocurrency, via an intermediary. Not only would this be extremely challenging, but it would also incentivise organisations to conceal ransomware attacks. Such an outcome would stop the flow of information to security researchers and law enforcement, undermining efforts to understand ransomware groups’ Tactics Techniques and Procedures (TTPs), which help protect organisations against subsequent attacks.
Paying a ransom should always be considered a last resort: a necessary evil if all other options have been exhausted. Fundamentally, organisations have a responsibility to protect themselves and minimise the likelihood of a successful attack. In many instances, this comprises little more than patching known vulnerabilities and hardening defences against common TTPs. Most attacks use the same intrusion vectors, including spear-phishing, targeting exposed Remote Desktop Protocol (RDP) endpoints, and hacking vulnerable VPN appliances. RDP remains the most popular ingress point in 2020. [7] Systems that are publicly accessible and protected with weak username and password combinations are routinely compromised and sold to ransomware operators. VPNs also present an increasingly prominent point of entry. Multiple severe vulnerabilities have been identified in VPN appliances in recent months from companies including Pulse Secure, Palo Alto Networks, Citrix and F5. When information on an exploit becomes publicly available, threat actors begin targeting the flaws and subsequently sell the network access to ransomware operators. No organisation is immune from a breach. However, there is no excuse for leaving poorly protected RDP instances exposed to the internet or failing to patch high-risk vulnerabilities months after disclosure.
Prepare. Protect.
If a ransomware attack occurs, it is vital to have a robust plan in place to mitigate the damage. A pragmatic and carefully risk assessed response is the optimal solution. This needs to be formulated and agreed prior to an intrusion, not improvised after an attack. The latter approach dramatically increases the likelihood of a misstep that could have serious repercussions for the business and its stakeholders. Cyber insurance can help cushion the financial blow but should not be considered a panacea. A comprehensive and regularly reviewed incident response plan will ensure that any attack can be responded to as efficiently and effectively as possible. It should clearly define the circumstances under which a ransom would be paid. If this is an option, the plan should include how this would be conducted. The risks should be carefully assessed in concert with all relevant stakeholders, as would be the case for any other damaging incident. Ultimately, the focus should be on minimising harm, not sacrificing the organisation in the hope that it will deter further attacks. Negotiating with ransomware operators, and indeed terrorists, is always distasteful. Sometimes, however, it is the least-worst option.