To Pay or Not to Pay: That is the Question That Ransomware Victims Must Answer
Colonial Pipeline Company recently paid $4.4 million to get its data back after a ransomware attack, rekindling the debate about whether companies should give in to cybercriminals’ demands. Find out why some companies decide to pay the ransom while others do not.
Most people had never heard of the Colonial Pipeline Company before May 2021, even though it transports 45% of all fuel consumed on the US East Coast. The company works behind the scenes, moving 100 million gallons of refined gasoline and jet fuel through 5,500 miles of pipeline each day. That all changed in early May when the fuel stopped flowing for several days. Numerous reports about gas pumps running dry and people panic buying gas made Colonial Pipeline a household name.
A ransomware attack was to blame for the fuel stoppage. The DarkSide ransomware gang had infiltrated the IT systems in Colonial Pipeline’s corporate network. Besides having its IT systems offline, the company shut down certain systems in its operational network as a precautionary measure. The operational network uses automated systems to monitor and control the fuel that flows through the pipeline. Taking those systems offline prevented the infection from spreading to the operational network. However, it also resulted in the shutdown of all pipeline operations.
The company paid $4.4 million to the DarkSide ransomware gang to get the key needed to decrypt its data. While paying the ransom enabled Colonial Pipeline to get its pipeline operations online sooner, security experts are concerned that it will encourage other cybercriminals to try similar attacks. And their concerns may be well founded. Just weeks after Colonial Pipeline paid the hefty ransom, one of the largest meat producers in the world, JBS, announced that it was the victim of a ransomware attack.
These events are rekindling the debate about whether companies should pay the ransom if their data is being held hostage. Answering this question, though, is not as simple as it seems, especially given the new tactics that cybergangs are using. Even the Ransomware Task Force — a group that recently developed a strategic framework for combating the growing ransomware threat — could not agree on an answer. “The Ransomware Task Force discussed this extensively,” said one of its members. “There were a lot of important things that the group came to a consensus on and payment was one where there was no consensus.”
So, it is up to businesses to decide for themselves whether it is a good idea to pay ransomware gangs. Here are some of the reasons why companies do and do not pay up when they fall victim to a ransomware attack.
Why Companies Pay the Ransom
Paying the ransom to get data back is a fairly common occurrence among companies. “The State of Ransomware 2021” study by Sophos found that 32% of the companies whose data was encrypted by ransomware in 2020 paid the ransom.
Colonial Pipeline also decided to pay the ransom after it discovered some of its files were encrypted. “I know that’s a highly controversial decision,” said the company’s CEO Joseph Blount. “I didn’t make it lightly. I will admit that I wasn’t comfortable seeing money go out the door to people like this. But it was the right thing to do for the country.”
Blount said he authorized the payment because, at that time, no one knew how badly the company’s systems were breached. Therefore, he did not know how long it would take to repair those systems and get the pipeline back online.
As the Colonial Pipeline example illustrates, some companies pay the ransom to minimize the disruption to their operations, especially when the disruption significantly affects the lives of other people. In other cases, businesses pay the cybergangs because doing so is easier or quicker than restoring their data from backups. Or organizations might find that paying is their only option: perhaps they never created backups, or the ransomware encrypted both the original data and the backup files.
Additional pressure tactics used by ransomware gangs can also prompt a company to give in to their demands. Those tactics include:
- Data exfiltration. Nowadays, most ransomware gangs steal data before encrypting it, threatening to publicly post the stolen data if a business refuses to pay up. In the first quarter of 2021, 77% of the ransomware attacks included a threat to release stolen data, according to Coveware’s “Q1 2021 Ransomware Report”.
- Intimidation. Some ransomware gangs try to bully businesses into paying the ransom. For example, members of the DoppelPaymer gang often call their victims to intimidate them into paying. In one instance, they even threatened to send a gang member to the home of a certain employee and provided the employee’s home address as proof that they knew where that person lived. The gang also called several of the employee’s relatives.
Why Companies Do Not Pay Up
About two-thirds of the companies whose data was encrypted by ransomware in 2020 did not pay the ransom, according to “The State of Ransomware 2021” study. They were able to recover their data from backups or through some other means (e.g., using a decryption tool provided by a third party), thereby eliminating the need to pay up.
Most security experts recommend that ransomware victims follow in these companies’ footsteps. The experts believe that giving in to ransomware gangs’ demands encourages them to carry out even more attacks. It also lures other cybercriminals into carrying out this type of attack. The newcomers do not even need to know how to create a ransomware program. Some gangs let other cybercriminals use their ransomware programs for a share of the profit, a practice referred to as the Ransomware-as-a-Service business model. In 2020, two-thirds of the ransomware attacks were carried out by cybercriminals using this model, according to Group-IB’s “Ransomware Uncovered 2020/2021” report.
Besides encouraging more ransomware attacks, there are other reasons why security experts do not recommend paying the ransom. Here are a few of them:
- Giving in to the cybercriminals’ demands does not guarantee that companies will get all their data back. More often than not, companies get only some of it back. For example, only 8% of the ransomware victims participating in “The State of Ransomware 2021” study got all their files back after paying the ransom. On average, the victims recovered just 65% of the encrypted files, which means about a third of their data was still inaccessible despite paying the ransom.
- Cybercriminals might demand more money once the initial ransom is paid. That’s what happened to the Kansas Heart Hospital in Wichita. The hospital paid the ransom, but the cybercriminals did not provide the decryption key. Instead, they demanded more money, which the hospital refused to pay.
- Paying the ransom might violate Office of Foreign Assets Control (OFAC) regulations. OFAC is a financial intelligence and enforcement agency in the US Treasury Department. It imposes economic sanctions on individuals and groups it designates as “malicious cyber actors”, including perpetrators of ransomware attacks and those who assist, sponsor, or support these attacks. US citizens and organizations are generally prohibited from engaging in transactions, directly or indirectly, with designated malicious cyber actors. This type of engagement is banned because it enables the cyber actors to profit from and advance their illicit activities — and those activities might threaten US national security, according to the US Treasury Department.
Only the Start of the Long Road to Recovery
Deciding whether or not to pay the ransom is a difficult decision that companies must make if they fall victim to a ransomware attack. Whatever they decide, they will face many challenges while recovering from the infection. Besides having to restore their data and systems, they will need to find and close the weakness that allowed the cybercriminals into their network so they are not attacked again the same way. And they will need to determine how to absorb the losses (e.g., lost revenue from downtime) and additional costs (e.g., the cost of bringing in forensic experts) resulting from the attack.
For Colonial Pipeline, the recovery will take months and cost the company millions of dollars, according to Blount. However, there is one loss the company won’t be able to recoup — the company’s anonymity. “We were perfectly happy having no one know who Colonial Pipeline was,” said Blount. “Unfortunately, that’s not the case anymore. Everybody in the world knows [us now].”