The ransomware debate – to pay or not to pay?

With a global surge in ransomware attacks, governments have concentrated their attention on what drives these attacks’ popularity among cyber criminals. Most have concluded that it is their profitability. As Lindy Cameron, CEO of the UK’s National Cyber Security Centre, said earlier in 2021: “Cyber criminals are out to make money, and the more times a method is successful, the more times it will be used. It is important that we do all we can to ensure this is not a criminal model that yields returns.”

Many CISOs and cyber security professionals have drawn strength from the wave of government commitments to defy ransomware demands, and rightly so. Across the Atlantic, the recent ransomware attack on Colonial Pipeline in the US has similarly inspired decisive action, with president Joe Biden eliciting an agreement in principle from his Russian counterpart, Vladimir Putin, to tackle ransomware attacks on critical infrastructure. The more governments can do to make ransomware an ineffective criminal enterprise, the better.

But we must be careful not to lose sight of who the criminals are. Increasingly, both security agencies and cyber security professionals have been calling for the criminalisation of ransomware payments. It is concerning that experts in the field would come down so decisively against negotiating with ransomware attackers that they would be willing to see cyber victims penalised too.

Consider other instances of robbery and extortion, and ask whether all parties in such transactions, both criminal and victim, should be punished. Would you penalise the bank teller for handing over the cash register? Or the person who surrenders their phone and wallet to the mugger on the street?

In reality, those looking for hard-and-fast rules for how to act in a ransomware crisis are going to be disappointed. The real answer is that we must consider ransomware negotiations on a case-by-case basis. Sometimes the data under threat will be simply too important to abandon; sometimes the threat will be overstated by the hackers; and sometimes the nature, origin and extent of the cyber attack will dictate the response to demands.

By focusing on crippling the ransomware business model, we are in danger of blaming companies for falling victim to incredibly sophisticated cyber attacks, and in so doing losing all nuance in the ransomware debate. For example, following the recent incident at US meat producer JBS Foods, which resulted in an $11m payment to the REvil syndicate, headlines in some media outlets used language that may have given a layperson the impression that the victim was at fault.

Shaming companies for falling victim to attack, and in certain circumstances paying exorbitant amounts of money to retrieve highly sensitive data, is only appropriate where companies have been incompetent or negligent in their cyber security obligations. This may sometimes be the case: UK CISOs often complain that they are scapegoated for cyber attacks after years of under-resourcing.

Most of the time, however, businesses are doing the best they can to monitor and protect themselves from the fast-evolving threat. There are things we can all be doing to combat the ransomware surge: knowledge-sharing, for example, is fundamental to building proactive, preventive strategies. Collaborative discussions between industry professionals and open channels with security services monitoring the threat can also be a useful way for all businesses to stay engaged and prepared.

We must endeavour to limit the damage caused by ransomware, and must always inform and engage the appropriate authorities. But pretending that the ransomware question is an easy one to answer gets us nowhere.