Previous Bulletin articles have discussed the risk of an organisation, university, institute, company or enterprise falling victim to a so-called ransomware attack, whereby the successful attackers infiltrate (many) computers, laptops and computing services and encrypt valuable files, documents and data. That data is only released after a certain amount of money (the ransom) has been paid to the attackers. The central question is, however, whether a compromised entity should or should not pay.
Of course, paying is the easiest way to eventually recover the data and re-establish compromised computing services – in particular if the damage done vastly exceeds the ransom demand. But hold on, there could be collateral costs, so let’s think about what other risks an entity might consider:
- Attackers’ ethics: Are the attackers serious, reasonable and trustworthy? Will they not be tempted to ask for even more money? Will they really hand out decryption keys? Will and can they ensure that all malicious activity is stopped and that any stolen data is purged and not further distributed?
- General ethics: Ransom payments usually support and subsidise criminal activities and provide funding for more/other criminal activities. Hence, paying the attackers encourages them to ask for more money and/or to continue such a "lucrative" business against the same or another entity.
- Legal risks: Is paying a ransom illegal in the country where the entity under attack is based? And what about the liabilities for damages a bank suffers as a result of unknowingly carrying out a ransom payment instruction (e.g. if it causes them to breach – US – sanctions regulations)?
- Insurance coverage: Is there a cyberinsurance policy in place that might cover ransom expenses? What are the conditions and are there any exclusion clauses that might invalidate coverage? Fun fact: attackers have already compromised some such insurance companies and, subsequently, attacked their clients, reasoning that “They’re covered by insurance, so they’re more likely to pay”.
- Reputational risks: The media will cover the fact that an entity has paid a ransom. How might this be perceived by the general public? By similar entities? By its peers and the wider community? Could there be negative consequences that would be detrimental or destructive to the entity?
- Risk of "replay" attacks: Given that the attack (and a possible payment!) will become public, other attackers might see this as an incentive to also have a go, launch a similar attack and try to press for their money: “They paid once, why wouldn’t they pay twice?”
It’s not an easy call to make. While some entities paid, others did not. In the end, it largely depends on what incident recovery and business continuity capabilities are in place. Recovery is incredibly complex, time-consuming and expensive, regardless of whether or not the ransom is paid. Do unaltered / untampered back-ups exist? Is all the information (documentation, configuration files, procedures, including all dependencies) available to rebuild systems and services from scratch? Has this restore and rebuild been regularly and successfully exercised? In case you manage or administer a computing service or control system, have you ever tried? If your palms are getting sweaty now, it’s time to talk: Computer.Security@cern.ch.
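The questions above about untampered back-ups and regularly exercised restores can be turned into a routine check. The following is an added example, not code from the Bulletin or from CERN's own tooling: it records a manifest (path, size, SHA-256) of a backup set, later verifies the set against that manifest to flag altered, missing or unexpected files, and checks whether the last successful restore exercise falls within a policy window. The directory layout, file names and dates in `demo()` are constructed sample data; the 90-day window is an assumed policy value.

```python
"""Backup integrity and restore-exercise check (added example, constructed sample data)."""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timedelta, timezone


def sha256_file(path, chunk_size=1 << 16):
    """Stream a file through SHA-256 so large dumps do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(backup_dir):
    """Record relative path, size and SHA-256 of every file in a backup set.

    The manifest must be kept apart from the backups it describes (offline or
    write-once media); if an attacker who can alter the backups can also alter
    the manifest, the comparison below proves nothing.
    """
    manifest = {}
    for root, _dirs, files in os.walk(backup_dir):
        for name in files:
            full = os.path.join(root, name)
            rel = os.path.relpath(full, backup_dir)
            manifest[rel] = {"size": os.path.getsize(full), "sha256": sha256_file(full)}
    return manifest


def verify_backup(backup_dir, manifest):
    """Compare the backup set on disk against a trusted manifest.

    Returns the lists of altered, missing and unexpected files plus an 'ok' flag.
    Hashes, not sizes, decide 'altered': a size-preserving overwrite is still caught.
    """
    current = build_manifest(backup_dir)
    altered = sorted(p for p in manifest if p in current and current[p]["sha256"] != manifest[p]["sha256"])
    missing = sorted(p for p in manifest if p not in current)
    unexpected = sorted(p for p in current if p not in manifest)
    return {"altered": altered, "missing": missing, "unexpected": unexpected,
            "ok": not (altered or missing or unexpected)}


def restore_exercise_overdue(last_success_iso, max_age_days, now=None):
    """True if the last successful restore/rebuild exercise is older than policy allows, or never ran."""
    if last_success_iso is None:
        return True
    now = now or datetime.now(timezone.utc)
    last = datetime.fromisoformat(last_success_iso)
    return now - last > timedelta(days=max_age_days)


def demo():
    """Constructed scenario: a tiny backup set, one file overwritten and one file added after the manifest was taken."""
    with tempfile.TemporaryDirectory() as d:
        os.makedirs(os.path.join(d, "etc"))
        with open(os.path.join(d, "etc", "service.conf"), "w") as f:
            f.write("listen=8443\n")
        with open(os.path.join(d, "database.dump"), "wb") as f:
            f.write(b"\x00" * 1024)
        manifest = build_manifest(d)
        manifest_json = json.dumps(manifest, indent=2)  # what would be written to offline storage

        # Simulated tampering: same size, different content, plus an extra file.
        with open(os.path.join(d, "database.dump"), "wb") as f:
            f.write(b"\xff" * 1024)
        with open(os.path.join(d, "unexpected.bin"), "wb") as f:
            f.write(b"junk")

        result = verify_backup(d, json.loads(manifest_json))

    # Assumed policy: a full restore must have been exercised within the last 90 days.
    overdue = restore_exercise_overdue("2023-01-15T10:00:00+00:00", 90,
                                       now=datetime(2023, 6, 1, tzinfo=timezone.utc))
    return result, overdue


if __name__ == "__main__":
    res, late = demo()
    print("integrity:", res)
    print("restore exercise overdue:", late)
```

Run the check from a host that the backup system cannot write to, and treat a non-empty `altered` or `missing` list, or an overdue restore exercise, as an incident in its own right rather than something to discover on the day the ransom note arrives.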
Do you want to learn more about computer security incidents and issues at CERN? Follow our Monthly Report. For further information, questions or help, check our website or contact us at Computer.Security@cern.ch.