Ransomware: should your business have the right to pay?

Byte-size Bulletin by Rachael Brown in Security, News on Sep 17, 2021

pay up

According to research by Chainalysis, targets of ransomware attacks in 2020 paid an estimated $350M, a shocking 311% up from last year.

With ransomware attacks becoming more and more common, there has been a greater legislative push towards banning payment.

But is this right? Should businesses be able to choose if they want to pay? And what are the potential consequences of such legislation?

Here are both sides of the debate.

The Argument Against Businesses Paying

It’s undeniable that paying ransomware is extremely damaging, not only to individual companies but to the business world.

Josephine Wolff, Associate Professor of Cybersecurity Policy at Tufts University, agrees that governments should strive to prohibit companies from paying ransoms as a long-term goal. Why?

Well, paying ransomware:

1. Fuels the ransomware ecosystem.

2. Doesn't guarantee companies will get their data back.

3. Encourages perpetrators to target more victims.

4. Creates an incentive for others to get involved with/offer ransomware services.

Those companies who do pay ransom also face an intense risk of double extortion. By proving their willingness and capacity to pay, they’ve put themselves into the pocket of the attacker, who has intimate knowledge of them and their business.

With arguments like this, banning companies from paying a ransom seems a no brainer.

However, doing this right now would be a major mistake.

Before prohibiting ransom payments, we need to seek greater control as a society over what happens when a ransomware attack unfolds.

Because at the moment, responding to a ransomware attack for many companies is deeply complicated.

Why It's Complicated

Wolff herself stresses that prohibiting ransomware payments should be a long-term goal, not something we institute tomorrow.

Why? Because for many organisations paying the ransom is a question of their long-term survival. A reality that is often indicative of their lack of cyber security defence.

Many critical infrastructure companies and organisations, even with the rise of cyber crime during the pandemic, remain below the security poverty line.

The security poverty line refers to a threshold for the minimum level of cyber security deemed adequate for companies by security experts.

In the same way the poverty line describes those individuals and families who are just about surviving on the essentials, the security poverty line applies this scenario to companies' level of defence.

Businesses that fall below this line, are those which lack the budget, resources or expertise to meet even their most basic security needs. Rendering them extremely vulnerable when targeted by ransomware.

Realities like this expose the flaws in portraying every incident of paying ransomware as poor decision making, because paying the ransom for many businesses is barely a choice at all.

The Argument For Businesses Right To Pay

Succumbing to cyber criminals’ demands is sometimes the only way businesses can avoid costly disruptions, the shutdown of essential services, the release of sensitive information and even the destruction of their whole business.

Ari Schwartz, Managing Director of Cybersecurity Services and Policy at Venable, adds to this by highlighting the complex factors mediating the decision making of ransomware victims. These factors include:

Being pushed by insurance companies to pay.
Being motivated by relationship with shareholders to think about fiscal responsibility.
Being put under pressure due to fear over exposed or lost data.

So creating a situation where companies legally aren’t allowed to pay could not only destroy businesses but also ruin important relationships within them. Additionally, prohibiting payments is not a magic wand solution that will make cybercrime disappear.

But it is a decision that runs the risk of penalising companies who choose to pay their ransom out of desperation.

For now, what companies need is not a criminalisation of ransomware but a reliable security contingency plan they can turn to in the wake of a ransomware attack. They need to be above the cyber security poverty line. They need insider cyber security expertise which educates their leaders and staff on the realities of ransomware.

And more than anything, business leaders need to keep in mind that no matter their decision when it comes to a ransomware attack, once you're hit you will face difficult consequences.

Consequences which can be greatly mitigated, and even avoided entirely, by investing now rather than later in your cyber security defence.