Ransomware locks experts in debate over ethics of paying
When ransomware victims pay to restore their data, it encourages cybercriminals to carry out additional attacks. But do infected organizations have much of a choice?
In yet another sign that business is booming in the underworld of ransomware, Trend Micro has reported that the number of new ransomware families it observed in the first half of 2016 has already surpassed the total number observed in 2015 by 172 percent.
Such explosive growth shows that infected individuals and organizations continue to pay up, not only making these schemes profitable, but also encouraging more criminal activity. As ransomware's extended family of malicious code continues to multiply, experts are once again debating if victimized organizations have an ethical responsibility to refuse cybercriminals' demands.
“Our stance on this is simple and clear: don't pay the ransom. Ever,” said Christopher Budd, global threat communications manager at Trend Micro, in an email to SCMagazine.com. “There is no situation where it is acceptable to pay the ransom. If you do, there's no guarantee you'll get your data back. There's no guarantee that you won't face additional demands or attacks. Finally, paying the ransom harms not only yourself but everyone because it makes crime pay and gives attackers incentives to carry out additional attacks in the future.”
But Maxim Weinstein, security advisor at Sophos, cited some nuances in that argument, taking a less hardline approach. “In theory, paying the ransom is a bad idea…With that said, theory and practice are not the same thing,” Weinstein said in an email interview with SCMagazine.com. “There will be times where the value of getting the data back exceeds the cost of the ransom and the risk of a repeat attack. Obvious examples are a small company that would have to go out of business if it doesn't get its data back, or a hospital that would have to shut down for weeks to bring its records back online.”
In a recent blog post, David Harley, senior research fellow at ESET, expressed sympathy for some victims, noting that “You can't blame people – or companies – if they decide to pay up rather than commit financial suicide, any more than you can blame them for giving their wallets to people who threaten them with knives.”
However, in that same post, Harley also cited a far more cynical scenario: “We sometimes hear of instances where organizations pay ransomware even though they do have backups because it's the cheaper option,” wrote Harley. “That's not only irresponsible (because there is no doubt that it encourages criminality) but it suggests something significantly wrong with the backup strategy they have in place. A deterrent that you can't afford to use is of little practical use.”
Asked for more details to support this troubling claim, Harley's colleague Stephen Cobb, senior security researcher at ESET, replied to SCMagazine.com, recalling a recent conference presentation he made in front of 300 Managed Service Providers. According to Cobb, several of the MSPs in attendance told him that they had clients whose system administrators “had paid ransoms even though recovery from backups would have been possible.”
“The risks of doing this extend beyond not getting the data back despite paying. They include – and again, there was actual knowledge of this – getting hit again because you are seen as a soft target,” said Cobb, adding that these companies apparently had no policies in place to “limit the sysadmin response to a ransom demand,” seemingly giving them carte blanche to open up their organizations' wallets.
However, other experts downplayed concerns that this is a common problem among organizations.
“I've never heard of a company explicitly making this decision. However, all security is about risk management: how much you are willing to spend on security is (or should be) determined by how much you have to lose and how likely you are to lose it,” said Sophos' Weinstein. That said, “it wouldn't be surprising if a company did make this kind of decision.”
Trend Micro also could not provide SCMagazine.com with an example of a company forgoing existent back-up protocols in favor of paying the ransom.
In his own emailed responses to SCMagazine.com, Harley stated that other companies are acting irresponsibly by implementing inadequate defenses, often because they are not “security-savvy enough to plug all the holes.”
“If ransomware gets the chance to execute, the amount of damage it can do is limited by access restrictions in the environment in which it is executed. Unfortunately, if backup systems are set for convenience rather than ransomware-specific security, backups may also be compromised by the malware,” said Harley. “If there are organizations that are missing out steps that would help them survive such circumstances, in the expectation that they can always pay the ransom, they could be in more trouble than they realize.”
To avoid missteps in handling a ransomware crisis, experts advise having an incident response plan in place. To that end, the Health Information Trust Alliance (HITRUST), an organization composed of healthcare, business, technology and information security leaders, is in the process of updating its CyberRX program – a series of free, industry-wide cyberincident exercises – to include a number of ransomware scenarios.
“We are encouraging organizations to look more broadly at cyber resilience which goes beyond cyber defenses and preparedness but response and recovery,” said Daniel Nutkis, CEO of HITRUST, in an email interview with SCMagazine.com. Nutkis said that the CyberRX program's exercises include “scenarios targeting information systems, medical devices and other essential technology resources of government and healthcare organizations.”
According to its 2016 first-half report, Trend Micro observed 79 new ransomware families in the first six months of this year, compared to just 29 in all of 2015. Of the 80 million ransomware threats it detected and blocked, 58 percent were distributed via spam email attachments and 40 percent were downloads from URLs. Database-related files were the business files most often encrypted by infections, followed by SQL files, web pages, tax return files and Mac OS files.