The Ransomware Payment Dilemma: Should Victims Pay or Not?

It's time to steer the conversation away from whether payment bans should be implemented to how and when they should take effect.

Anthony Grenga, VP, Cyber Operations, IronNet Cybersecurity

October 20, 2021

4 Min Read
Source: vchalup via Adobe Stock

While the ransomware spikes of 2021 appear to have temporarily subsided, the issue remains a pressing concern among the US cybersecurity community. On Sept. 21, the US Department of the Treasury announced a set of proposed sanctions and regulatory tools focused on disrupting the ransomware model by increasing ransom payment reporting to government agencies, among other actions. It was a step in the right direction, but time will tell if these new regulations for facilitators of malicious transactions will positively move the needle toward eradicating the threat of ransomware.

Remember when FBI Director Christopher Wray recently equated the ransom payment dilemma to a similar "never negotiate with terrorists" challenge brought on by the 9/11 attacks? If that concept applied 20 years ago in light of 9/11, then why not now?

It depends on whom you ask.

The problem is that most victims often believe they don't have another viable option. Veritas research shows that 66% of US companies say it would take more than five days to fully recover from a ransomware attack without paying a ransom. But by meeting the demands of their attackers, ransomware victims are essentially throwing gasoline on the fire of a raging societal and ethical crisis that follows a repetitive cycle:

  1. Attackers deploy malware that encrypts an organization's files and then demand a ransom to restore access.

  2. The victim wires the ransom via untraceable cryptocurrency in exchange for the decryption keys to restore access.

  3. The attackers leverage the additional financial resources to execute their next plot.

This cycle fuels the digital extortion business model by providing cybercriminals the means and motivation to target additional victims and industries. The nefarious loop could lead to more serious attacks that threaten critical national infrastructure, where extended data breaches and operational downtime in these sectors pose severe threats to public safety and health. Military bases, hospitals, public transportation authorities, energy infrastructure, financial institutions, law enforcement agencies, and schools are obvious targets.

Repercussions exist on both sides of the dividing line, however. Take the 2019 ransomware attack against the city of Baltimore. The city's leadership refused to pay a ransom of $76,000 to restore control of its network infrastructure, opting to rebuild and reformat the entire network instead. That decision ultimately cost Baltimore more than $18.2 million in lost revenue and restoration fees, magnifying the steep ramifications associated with a refusal to pay.

More must be done to combat ransomware on a global scale before the intent of attacks progresses from just monetary gain to scenarios that put lives at risk or cause irremediable economic chaos. If companies were prohibited from paying ransoms by sanctions or civil penalties, the digital extortion model would quickly deteriorate. But as calls for stricter penalties grow louder than ever, it's important to understand that a widespread ban on ransom payments isn't a magic bullet.

We should start by steering the conversation away from if payment bans should be implemented to how and when they should take effect. It's vital to identify which course of action, as well as what timing, is most practical for swinging the balance of power away from our adversaries.

The Case for Collective Defense
To effectively combat ransomware, we need to shift toward a more collaborative effort that encompasses the private and public sectors to help security measures evolve and meet the present threat. Adopting a collective defense approach to cybersecurity built on cross-sector sharing of anonymized data and attack intelligence can enable companies and their supply chains to better prevent and respond to ransomware attacks in real-time.

On the other side of the (Bit)coin, the root cause of ransomware isn't the actual act of paying ransoms. Cryptocurrencies serve as the glue holding together the ransomware-as-a-service model. As the decentralized nature of the wallet has evolved into a cultural phenomenon, it has also become ransomware's primary enabler by allowing cybercriminals to collect large quantities of untraceable cash across international lines with minimal risk of exposure. Implementing new ways of monitoring and tracing large crypto payments over international lines could serve as a positive step forward.

Before rolling out strong policies and sanctions to reduce the rate of ransom payments, however, it's essential we take proactive measures for our own protection to heighten the difficulty of attacks and make ransomware infeasible to deploy. Early network detection fueled by behavioral analytics is essential, as the deployment of ransomware is not an instantaneous process. It can uncover a series of events that have allowed the adversary to infiltrate the network, navigate through it, and eventually deploy the ransomware payload to set up the path for exfiltration and extortion.

If we can get ahead of cybercriminals before they even reach the ransom phase of their attack campaign, then proactive network defense comes much closer to putting them out of business — for good.

About the Author(s)

Anthony Grenga

VP, Cyber Operations, IronNet Cybersecurity

In his role at IronNet, Anthony oversees the hunt operations and threat analysis teams within the Cyber Operations Center. He works with detections and prioritization to improve product and works with the customer success team to act as a technical liaison, advanced user and service provider for the product. Before joining IronNet, Anthony:

  • Worked as an Exploitation Analyst, TAO at the NSA

  • Developed and lead national level computer network exploitation operations against foreign CNO programs

  • Provided actionable intelligence and tactical access in support of national defense and foreign policy needs

  • Studied at the Air Force Institute of Technology, receiving a Masters of Science in Cyber Operations

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like

More Insights