Don’t pay the bloody ransom!

Several companies wonder whether they should pay the ransom in the event of a ransomware attack on their systems.

Unfortunately, multiple CISOs have faced such a tough situation, not only from a purely technical point of view but also from a deontological, social, political or even ethical one.

Some companies are strictly opposed to such a “payment”, while others weigh how hard it would be to survive without the “lost” data (which is fully understandable); some executives, however, also see the “payment” as a “quick and easy way to solve the problem”.

Interestingly, while it is sometimes quite hard for CISOs to get enough budget for the projects they need, their management may decide to pay within a very short time (under the pressure of the incident). Well… I believe this is just the wrong way to address it.

Let’s study why.

First, there is no guarantee that you will regain access to your data: the decryption key or tool may never arrive, or may not work on every affected system. Were you “trusting” the bad guys for that? You should rather trust your CISO and his/her teams… Ransomware is not “a product”; it cannot be compared to ethical hacking, vulnerability disclosure programs, bug bounties and other useful commercial activities.

The second reason not to pay is that the criminals will remember that you are a good customer: that money is obviously not an issue for you, and that if you paid once, you may pay again.

Hence, they will come back. And unlike what you can offer your own customers, there is no “loyalty” program: the cost will not decrease over time.

So don’t put one more coin in the system, it’s not a piggy bank!

Last but not least, giving money to those guys is simply funding cybercrime. The more money they get, the more weapons will be developed and sent out against every connected system out there. And since you are asked to pay in cryptocurrency, chasing down the criminals by “following the money” is far harder than it was for law enforcement decades ago, when payments went through banks. Forget it.

I know one of my peers, a CISO, who was asked by his management (probably not sufficiently aware…) to pay the ransom. When he informed the bad guys about it, there was another “surprise”: the criminals suggested paying a little more in order to download a “specific protection software” to avoid further attacks in the future!

Are you kidding? Do you believe it is a “defense”, or rather a “backdoor” to ease future attacks instead of preventing them? Well, his manager asked him again to pay for the add-on. He did not; he resigned instead. Very brave, but sad, indeed. Keep your cybersecurity teams and install cybersecurity software, not malware.

With regard to the ongoing discussions about insurance companies reimbursing the ransom (provided that victim companies declare the attack), I believe that we should not encourage companies to pay. That’s it.

For sure, companies that would go bankrupt if they did not regain access to their data could be forgiven for paying the ransom… But still: they encourage cybercrime, and they should rather invest in their protection to prevent cyber-attacks in the first place.
