Pay or Not Pay the Ransom? What's Your Opinion?

The debate over whether to pay or not to pay the ransom once your system is encrypted is heating up. Yesterday, the US Conference of Mayors approved a resolution coming down in favor of not paying cybercrooks. There are arguments on either side of the question. Paying the ransom creates a huge incentive for ransomware crooks to keep plying their trade. However, in many cases, not complying with the demand can cost many millions more than paying and may not be a realistic option for some smaller cities. And once your system is compromised with ransomware, there may be residual malware left behind, and the only way to totally reduce that risk is to build back from bare metal.

Pay or Do Not Pay? What do you think?

Interesting article from Talos appeared today.

I see the need for an overall policy, but then each city has to assess their individual situation when it does occur. In the cases when they do pay (like Riviera Beach), does the public and/or residents have a right to know if the data was recovered, since it is taxpayer money that was utilized to pay the ransom (the majority was from their insurance policy, but tax dollars paid for that of course)? Little has been reported about what was recovered, and no word on what the city of Lake Mary got back. A third city, Key Biscayne, is contemplating paying the hackers at this point.

1 Like

Hi nedt45. Thanks for your first post to the community!!! State and local governments should be transparent on what was lost if they hope to get funding from their taxpayers for uncovered losses.

In some cases, what is lost may not be known immediately. In the case of Lake City, the New York Times reported that thousands of pages of documents from over 100 years of records were manually scanned in. That would take a significant amount of time to identify the loss. That might be the case in many other small municipalities. And in some cases it may never be known if the data is not decrypted and is rebuilt from scratch.

“More than 100 years’ worth of municipal records, from ordinances to meeting minutes to resolutions and City Council agendas, have been locked in cyberspace for nearly a month, hijacked by unidentified hackers who encrypted the city’s computer systems and demanded more than $460,000 in ransom.

“Weeks after the city’s insurer paid the ransom, the phones are back on and email is once again working, but the city has still not recovered all of its files. There is a possibility that thousands of pages of documents that had been painstakingly digitized by Ms. Sikes and her team will have to be manually scanned, again.”

I think this is more of a business decision than an IT dept. decision. IT input is certainly needed, but we shouldn’t be deciding this, as each situation is different from the next. Wasn’t the ransom for Baltimore only ~$76K, which they didn’t pay, and now they’re estimating the cost of recovery to be ~$18 million? Hindsight is 20/20… Each situation should be evaluated individually, but the option of paying the ransom should remain on the table.

2 Likes

Thanks for your post Brian. Good to see you back!

Any responsible security pro has to vote for “not pay.”
However, from the business perspective this can’t be an absolute prohibition, any more than you could say to a parent “never pay the kidnapper for a child’s release” and expect the parent or business to heed your request.

Concerning the resolution of the Council of Mayors: A stronger resolution would initiate a framework to support not paying. This could include shared remediation support services funding through pooled self-insurance contributions from a community of organizations, and volume discounts on general cyberinsurance policies for members of that community who follow a specified set of improvement practices.

What do you think, and who else could I talk to about this?

1 Like

I agree, Dan, this is not a yes-or-no situation. There are several efforts at establishing task forces at state, federal and local levels, and my guess is they are in the process of trying to put together a framework. I think there is already discussion going on about this in cyber task forces proposed or in operation across states. You might try reaching out to them directly.
One group is the Task Force on Cybersecurity.

Task Force on Cybersecurity of the National Conference of State Legislatures [updated August 18th]

Hmm. Just noticed they don’t have an HTTPS certificate.
http://www.ncsl.org/ncsl-in-dc/task-forces/task-force-on-cybersecurity.aspx

“States can benefit from continually investing in the protection of state networks from cyber-attacks and securing the homeland with strong cyber policies. But in order to do so, states look to reliable, clear, and concise information on cyber threat prevention including best practices and remediation plans.

This task force can help consolidate and synthesize existing resources and best practices to support policy makers’ ability to understand and implement cybersecurity measures and privacy policies that work best for their state.”

The contact for the Council of Mayors Technology and Innovation task force is Dan Burns. His email is on their site below.

The Council of Mayors has a task force on Technology and Innovation:

https://www.usmayors.org/the-conference/committees-and-task-forces/

  • Steve Adler, Austin, TX, Chair
  • Jenny A. Durkan, Seattle, WA, Vice Chair
  • Hardie Davis, JR., Augusta, GA, Vice Chair for Cyber Security

Staff Contact: [David W. Burns]

I think the bigger question is, what do these companies do after they pay up? As a security guy, I am adamantly against paying the ransoms for a few reasons:

  1. If the ransomware is still on your network, you will likely get reinfected.
  2. If you’re not sure how you got infected, you will likely get reinfected.
  3. There have been several reports of ransomers not sending working decryption keys after getting paid.
  4. If it works, the scumbags will not stop.

Getting back on point, once you pay, what happens next? After paying a boatload of money to get their data decrypted, how many of these victims spend the time and additional money to shore up their security?

I would love to see a study on reinfection rates, how money to remediate without paying is being spent, and what organizations are doing to prevent future issues after paying a ransom.

1 Like

Yes. Bare metal rebuild.
