The Great Payment Debate: How to Evaluate Your Ransomware Response

With ransomware attacks on the rise, all organizations must assume they will eventually be a target and start putting prevention and mitigation strategies in place now.

Derek Manky, Chief Security Strategist & VP Global Threat Intelligence, FortiGuard Labs

September 7, 2021


The federal government has called ransomware one of the biggest national security threats. For organizations hit by a ransomware attack, there's still a lot of fear and uncertainty about what to do. It's not a cut-and-dried situation; while the FBI recommends not paying ransoms, there's a lot more nuance to be considered.

A recent CNBC survey of US CFOs concurred that Colonial Pipeline had "no choice." The reality is that the company's hand was forced. For critical infrastructure like this, that's a legitimate concern.

So, how do you evaluate the situation when you face a ransomware attack? Here are some points to consider.

Don't Assume You'll Get Your Money Back
The Colonial Pipeline situation was a bit of an anomaly, because the US Justice Department was able to recover the approximately $2.3 million in bitcoin the company paid to the DarkSide bad actors. This was an action taken by the Justice Department's newly created Ransomware and Digital Extortion Task Force.

The growth of cryptocurrency platforms has helped ransomware attackers in some ways, by making it easier for them to extort money. Unlike the days when a cybercriminal had to rely on something like a wire transfer service, cryptocurrency has simplified the process. It's instantaneous, and the paper trail is shorter, if it exists at all. That means it's harder to reclaim payments once they are made, so the prospect of recovery shouldn't even be a factor in your consideration. Don't assume you'll be able to get that money back.

Fueling the Cybercrime Fire
One of the most significant issues with paying ransom goes beyond the impact on your individual company; it gives the bad actors what they want. If they get paid out, that emboldens them to keep going — and to go bigger. Those payments are funding their efforts to weaponize new technology and expand their attacks. We're already seeing the ripple effect of ransomware. Colonial Pipeline, JBS, and Kaseya are some of the largest attacks, but they're far from the only ones.

Ransomware is now in a "boom" phase, contributing to a bustling cybercrime industry that often targets large sectors, including healthcare, education, finance, the legal sector, and manufacturing. According to the latest FortiGuard Labs "Global Threat Landscape Report," average weekly ransomware activity is tenfold higher than levels from a year ago.

Understanding the Risks and Impact of Potential Exposure
This should be top of mind when it comes to considering whether to pay ransom: What information could the attackers get? Where is that information stored? How valuable is it?

Remember that paying doesn't guarantee your data won't be exposed. Some organizations, when experiencing a ransomware attack, might find it easier to pay than have their IT team spend days trying to recover data, all while business operations remain at a standstill. However, that's not always the case. It's also important to remember that paying a ransom does not guarantee the threat will go away instantly. In some cases, the information that organizations worked so hard to protect had already been exposed and can cause long-term problems.

There have been instances where organizations try to call the bad actors' bluff, but this isn't recommended because they usually aren't bluffing. Your data could very well be released in damaging ways.

In This Together
While paying ransom isn't recommended, we can't vilify those companies that do — it's a nuanced situation, and each is unique. The point is that prevention and mitigation are always the preference when it comes to ransomware. Organizations must start assuming they will get hit by ransomware and that, therefore, they need to put prevention and mitigation strategies in place.

That said, if you do get attacked, it's important not to make a hasty decision to pay the ransom. Think carefully about all aspects involved and seek help if you need it. Your security vendor, for instance, can help you quarantine access and come up with the right incident response. They also can help with reporting the attack to law enforcement. There are internal and external stakeholders that can assist an organization hit by ransomware.

This includes entities like the Cybercrime Support Network, a nonprofit organization created to meet the challenges facing businesses affected by ransomware. This collaboration provides more insight for the greater good, too, as more information ensures more effective responses in the future. Simply defeating a single ransomware incident at one organization does not lessen the cumulative impact within an industry or peer group. Sharing intelligence with law enforcement and other global security organizations is the only way to effectively take down cybercrime groups.

About the Author(s)

Derek Manky

Chief Security Strategist & VP Global Threat Intelligence, FortiGuard Labs

As Chief Security Strategist & VP Global Threat Intelligence at FortiGuard Labs, Derek Manky formulates security strategy with more than 15 years of cybersecurity experience. His ultimate goal is to make a positive impact toward the global war on cybercrime. Manky provides thought leadership to the industry, and has presented research and strategy worldwide at premier security conferences. As a cybersecurity expert, his work has included meetings with leading political figures and key policy stakeholders, including law enforcement, who help define the future of cybersecurity. He is actively involved with several global threat intelligence initiatives, including NATO NICP, Interpol Expert Working Group, the Cyber Threat Alliance (CTA) working committee, and FIRST, all in an effort to shape the future of actionable threat intelligence and proactive security strategy.
