Crossroads of Ransomware: To Pay or Not to Pay
Last evening I had the pleasure of attending a meeting with Dr. Mansur Hasib and others taking a light hearted perspective at ransomware. The conversation was fun and had a “hint” of sarcasm on how some believe these criminals have any sense of decency or morality. One story even identified a company that thought it was a good idea for the threat actor to sign an NDA before payment. Really?
As fun as that conversation was the topic of ransomware has become a serious national threat. Companies have fallen woefully short of their fiduciary duty. ( I think recent headlines will bear this out ) Whether it’s financial constraints, skill deficiency, apathy from the executive suite, mistake of effort or arrogance the fact remains there is a widespread crisis that could permeate every company or entity involved in the digital frontier. Which is everyone!!
So, what do you do? Do you pay or not pay? It depends. There is no clear path or divine guidance on the right course of action. Take for example EY’s “Ransomware Payment Decision Process” workflow:
This is a good action framework that could be followed when a ransomware demand is encountered. But the “Decision” point is where it becomes gut wrenching. Do you pay the ransom or not? Many factors will need to be considered. Not the least of which is the industry you operate in and the regulations which govern that industry when it comes to a cyber-attack.
Now, add into this decision the recent announcement by the US Dept of Treasury titled “ Advisory on Potential Sanctions Risks for Facilitating Ransomware Payments1” (https://home.treasury.gov/system/files/126/ofac_ransomware_advisory_10012020_1.pdf ) which states: “companies that facilitate ransomware payments to cyber actors on behalf of victims, including financial institutions, cyber insurance firms, and companies involved in digital forensics and incident response, not only encourage future ransomware payment demands but also may risk violating OFAC regulations.”
Will this position by the government influence those entities who are ransomware victims? Time will tell. It certainly adds another data point to be considered in whether to make payment.
My take: do not pay This position will certainly cause a lot of angst, but entities need to live up to their fiduciary duty. Perhaps, this added incentive by the government will help.
What do you think? To Pay or Not to Pay?