Should You Pay An Online Ransom?

If you weren’t convinced that data is one of your most valuable assets, just look at how often criminals are locking it up and holding it to ransom. Ransomware attacks have become an epidemic, hitting targets ranging from schools to government offices, and even hospitals.

Government bodies are a particularly popular target. Recently, 22 government organizations in Texas, mostly smaller municipalities, suffered a ransomware attack, possibly through the compromise of a third-party software provider. The attackers reportedly want $2.5m.

The question for many organizations hit by ransomware attacks is: Should they pay? Baltimore didn’t, after being hit by the RobbinHood ransomware in May, while LaPorte County, Indiana did.

Government agencies send mixed messages. The FBI officially says no, but reports suggest that it often unofficially says yes. The UK’s National Cyber Security Centre is equivocal: “It is a matter for the victim whether to pay the ransom,” it says. Canada’s RCMP takes a strict no-payment stance.

Ransomware operators are criminals, and so should not be trusted. Paying does not guarantee that you will get your data back, and outcomes vary considerably depending on which group you are dealing with.

Some ransomware gangs run a streamlined payment service. The operators of the Sodinokibi ransomware implemented an entirely automated system that returns the decryption tool promptly. Ryuk’s operators are similarly reliable about handing over a decryptor, but victims see a lower recovery rate because the decryption tools themselves are error-prone, says ransomware incident response consulting company Coveware.

Research suggests that companies often end up paying ransomware crooks indirectly even when they hire a ransomware recovery consultancy. In May, investigative journalism site ProPublica looked closely at the techniques used by these consulting firms and found that some take payments from victims, pass them on to the attackers, and charge a fee on top. While some consultancies keep their methods opaque, others openly negotiate with attackers and make no secret of paying.

Insurers are often willing to fund ransomware payments, according to representatives of the Insurance Bureau of Canada contacted by SecTor. Recent cases bear this out: the city of Riviera Beach, Florida, agreed to pay attackers a US$600,000 ransom in bitcoin, and its insurance provider footed the bill.

Paying ransoms creates two problems for insurers. The first is that swings in the price of the cryptocurrency usually demanded make the cost of an incident hard to manage, or even to predict. Bitcoin has rallied substantially of late: in January the price ranged between $4,500 and $5,500 CAD, and at the time of writing it is over $13,000. The price can jump even in the few days between discovering an attack and paying the ransom, as it did in the Riviera Beach case.

The second problem is the shift in attack patterns. Criminals have become more sophisticated and are tailoring attacks to specific, higher-value victims in pursuit of bigger payouts. In that sense they are following the evolution of phishing, which moved from unconvincing spray-and-pray campaigns to carefully crafted spearphishing designed to gain a foothold in high-value targets.

According to Coveware, the average ransom payment rose 90% to US$12,762 between Q4 2018 and Q1 2019, then rose another 184% quarter-on-quarter in Q2 2019, to US$36,295. These increases are due in part to the growth of strains like Ryuk and Sodinokibi, which are prevalent in targeted attacks.

The other puzzling aspect of all this is why insurers cover ransomware losses at all. A company that loses data to ransomware has, in most cases, failed at basic security hygiene: anti-phishing measures, application whitelisting, software patching and malware detection. Moreover, with adequate backups in place (kept offline or otherwise out of the attackers’ reach, and regularly tested with a real restore), it would not need to pay in the first place. Surely these things should be table stakes in any insurance contract covering cyberattacks?

These factors, along with any other reasons they can find, could give insurers grounds to push back. In a case filed last October, Zurich Insurance refused to pay a claim for NotPetya damage from food manufacturer Mondelez International, citing a clause excluding hostile or warlike acts after Western governments and security researchers attributed the malware to a state actor.

Ideally, companies will invest in security controls and backups so that they are less likely to be infected and can recover their data if they are. In practice, those who don’t will face a painful decision that may leave them little choice but to pay up and cross their fingers.

Attendees of the SecTor conference this October can learn more about how to avoid online threats including ransomware. The (ISC)2 Toronto Security Nexus will explore the top ten cybersecurity threats facing companies in 2019 and beyond, and how they can adjust security practices to reflect the way that we work today. Our Hack it and Track It training will teach attendees how to think like an attacker and identify the techniques and patterns that bad actors use to gain access to enterprise systems. Register for these courses today.