Ransomware Payment Dilemma – Navigating the Complexities and Consequences

Whether the target is clinical data that supports patient care or the systems that control life-saving medical devices, organizations hit by ransomware face a difficult choice: whether to pay. Paying carries many risks, including legal exposure, financial complications, and reputational damage.

In addition, paying a ransom funds the cybercriminals, giving them money to recruit, buy access, and develop more sophisticated attacks.

Legal Issues

When companies decide to pay a ransom, they are, in effect, funding criminal enterprises. This is especially true in countries that still lack laws forbidding this type of payment. There is a strong argument that lawmakers should step up and make such settlements illegal.

If nothing else, this would put a significant dent in the profitability of the crime, and it would likely reduce the frequency of attacks. A survey by Cybereason revealed that 80% of businesses that pay a ransom are hit again, often by the same attackers, since a known payer is an attractive target. Banning payment would cut off the criminals’ revenue stream and limit their ability to fund further attacks.

In addition, the United States Department of the Treasury’s Office of Foreign Assets Control (OFAC) has issued an advisory warning that U.S. companies, and the insurers, negotiators, and financial institutions that facilitate payments on their behalf, may face civil penalties if a ransom payment reaches individuals, entities, or regimes on OFAC’s sanctions lists. Sanctions liability is strict: it applies even if the payer did not know the recipient was sanctioned. This makes it even more critical for U.S. companies to carefully evaluate whether the benefits of paying a ransom outweigh the risks.

While refusing to pay a ransom should be the preferred option, not all businesses are ready or able to do so. In those cases, the company must engage strategically with its attackers to reduce damage and restore operations as quickly as possible. This includes identifying which critical systems actually need the decryptor, and negotiating for the criminals to delete rather than publish or sell any exfiltrated data after payment, while recognizing that such a promise cannot be verified.

Technical Issues

Whether or not a business makes a ransomware payment, significant costs are associated with a successful attack. Even minor attacks disrupt business operations and cause productivity to plummet, costing companies time and money. In some cases, the cost of a ransomware attack is ultimately borne by municipalities and taxpayers, who are stuck with the bill for repairing critical infrastructure.

As cyber insurance becomes more widely available, organizations can offset some of the financial impact of a ransomware attack, although insurers increasingly impose conditions on coverage and may decline to reimburse payments that would breach sanctions. Deciding whether or not to pay still requires careful consideration, including ensuring that any negotiations with cyber criminals are conducted strategically and in a way that reduces the risk of retaliation or follow-on attacks.

Businesses must be well-prepared to respond to ransomware attacks, which means resilient business continuity practices and tested disaster recovery capabilities, including offline or immutable backups, so that refusing to pay remains a realistic option. In addition, the industry should work with law enforcement to improve threat intelligence and collaboration between organizations and their security partners to help prevent extortion.

Some legislative proposals have been introduced to address the issue, including bills that would prohibit certain organizations from paying ransoms at all, or require them to notify federal authorities before doing so. However, the industry is still grappling with how to incentivize organizations to change their culture and implement the controls necessary to thwart ransomware attacks.

Ethical Dilemma

Whether what is at stake is the personal data of customers, critical infrastructure, or life-saving medical devices, many leaders face an ethical dilemma when hit by ransomware. On one hand, law enforcement agencies urge victims to “never pay.” But when an attack threatens to disrupt operations and lead to financial ruin or loss of life, some leaders feel a moral obligation to meet the criminals’ demands in order to regain control of their systems.

But if a company pays a ransom, it is sponsoring the criminal enterprise, and there is no guarantee that a working decryption key will be delivered or that stolen data will not be leaked anyway. Further, the profitability of ransomware creates a strong incentive for threat actors to continue their attacks.

In addition, a business that decides to pay may also face legal and regulatory penalties: violating sanctions, anti-money laundering, or wire transfer laws, breaching commercial agreements, or inadvertently waiving attorney-client privilege over its incident response communications, among other compliance implications.

As a result, it is often impossible to say what the right course of action is under these circumstances. However, some schools of ethics can guide decision-making in the face of a ransomware attack, such as utilitarianism, which stresses promoting the greatest good for the greatest number. This reasoning can be seen in the decision by Colonial Pipeline CEO Joseph Blount to pay a ransom to regain control of his firm’s pipeline system, which supplies fuel to much of the U.S. East Coast.

Regulatory Concerns

Depending on the context, ransomware attacks may also raise regulatory concerns. Specifically, publicly traded companies are obligated to disclose material cyber incidents in their filings with the Securities and Exchange Commission (SEC). A ransomware attack could also trigger financial covenants or other obligations under financing arrangements or credit facilities. Moreover, a company that pays a ransom may find that fact publicly disclosed, further raising regulatory concerns.

In addition, organizations that pay a ransom to restore systems and data must be mindful of the broader implications. Besides the obvious ethical concern of propping up a criminal ecosystem, paying a ransom does not guarantee that files will be recovered, and it can embolden adversaries to continue targeting other organizations, encourage others to distribute ransomware, or fund illicit activities, according to the U.S. Department of the Treasury’s Office of Foreign Assets Control advisory.

Additionally, some threat actors profile organizations known to have paid in order to target them more effectively. For example, they may research the company’s reputation and public filings to assess its weaknesses, or check whether it discloses a cyber insurance policy to investors and size the ransom demand to that coverage. Despite the pitfalls, some organizations have paid the ransom because the cost of prolonged system and data unavailability was unacceptable. Ultimately, the onus is on business leaders to weigh the risks and benefits of this often tricky and morally fraught decision.
