For years, the prevailing wisdom for organizations grappling with ransomware was to not pay the ransom and to recover the data as best they could. Baltimore’s mayor opted for a recovery bill of $18 million (and still growing) instead of paying a ransom because, “We won’t reward criminal behavior.”
The Secret Service and the Federal Bureau of Investigation advise against paying because there is no guarantee the criminals will return the data, and because payments encourage criminals to target other organizations. However, the reality is that for some organizations, paying the ransom makes sense—because it is the only way to get the data back, or to minimize the downtime. The FBI acknowledged the alternative in its latest guidance for companies on how to handle ransomware attacks, and asked that organizations that pay still notify law enforcement.
"The FBI understands that when businesses are faced with an inability to function, executives will evaluate all options to protect their shareholders, employees, and customers," the section on paying the ransom in the updated guidance said.
The FBI's amended guidance comes a day after the Department of Homeland Security's Assistant Director for Cybersecurity Jeanette Manfra made similar remarks at the Washington Post Live Cybersecurity Summit.
“You know, I always say you should--you shouldn't pay out. That being said, I'm not the person in the midst of making that tough decision about what's going on, and I don't fully understand what their risk calculus is,” Manfra said.
Attacks Aren’t Going Away
According to statistics collected by security company Emsisoft, at least 621 government entities, healthcare providers, and educational institutions were affected by ransomware in the first nine months of 2019. At least 62 incidents involved school districts, which means as many as 1,051 individual schools, colleges, and universities were affected. About 70 attacks affected local government—states, counties, and municipalities—and at least 491 affected healthcare providers.
Three hospitals in Alabama's DCH Health System—DCH Regional Medical Center in Tuscaloosa, Fayette Medical Center, and Northport Medical Center—have temporarily diverted new patients, “other than those that are critical,” to other facilities while they deal with a ransomware outbreak. Local ambulances are being asked to take patients to other hospitals, and some outpatient appointments were being cancelled.
"There is no reason to believe that attacks will become less frequent in the near future," said Emsisoft CTO Fabian Wosar.
The soaring number of ransomware attacks suggests that criminals are willing to go after organizations even if most of the victims don’t pay, and that they have no qualms about targeting the most vulnerable organizations. It is, after all, a fairly low-risk operation for the criminals.
“People who are willing to stop schools from functioning, hospitals from functioning, municipalities. That takes a certain low kind of criminal to do that,” Manfra said.
Organizations may also be getting conflicting advice, with law enforcement advising against paying and insurance providers urging a speedy resolution by paying the ransom. Over the summer, the mayor and council of Lake City, Florida, decided to pay because the city was covered for ransomware under its cyber-insurance policy. While the ransom was 42 bitcoin, worth about $460,000, Lake City was responsible for the $10,000 deductible and the insurance company handled the rest.
The city chose to pay the ransom because the cost of recovering from backups would have exceeded the insurance policy’s $1 million coverage limit. Paying also meant there was a chance the municipality would be able to resume normal services sooner.
“At the end of the day, it really boils down to a business decision on the insurance side of things: them looking at how much is it going to cost to fix it ourselves and how much is it going to cost to pay the ransom,” Lake City spokesman Michael Lee told Pro Publica.
Insurers prefer to pay the ransoms because it holds down claim costs. The impacted entity won’t be filing a claim for things such as lost revenue from offline services and costs incurred paying consultants to recover the data. The insurance company’s focus is on helping the victim get back up and running, not on deterring criminals from future attacks. DHS/CISA’s Manfra acknowledged that law enforcement and insurance companies have different goals.
"When you have insurers and others that are going to cover that, that furthers our problem of misalignment of incentives," Manfra said.
Ransomware victims must make a series of choices in determining whether to pay a ransom, including assessing the value of their data, the existence of backups or decryption keys, and legal concerns. As part of the calculus, organizations can use services such as ID Ransomware to try to identify the ransomware strain and then look for free decryption tools from projects such as No More Ransom.
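The identification step above depends on having the right artifacts in hand: ID Ransomware asks for a ransom note and/or a sample encrypted file, and the strain name it returns is what you search for on No More Ransom. The following script is an added example, not code from the article or from either of those projects, that triages a copy of an affected share and pulls out exactly those artifacts: likely ransom notes, the file extensions the malware appended, and one high-entropy sample per extension. The note-name keywords, the "known good" extension list, and the 7.0 bits/byte entropy threshold are my own heuristics (constructed for this example), and a strain that renames files without appending an extension will not be caught by the extension check.

```python
import math
import re
import sys
from collections import Counter
from pathlib import Path

# Heuristic keywords seen in ransom-note filenames (constructed list, not from any vendor).
NOTE_NAME_RE = re.compile(r"(readme|decrypt|restore|recover|how[_ -]?to|ransom)", re.IGNORECASE)
NOTE_EXTS = {".txt", ".html", ".hta"}

# Extensions expected on ordinary business data; anything else on a high-entropy
# file is treated as a suspected appended ransomware extension (constructed list).
KNOWN_EXTS = {".txt", ".docx", ".xlsx", ".pdf", ".jpg", ".png", ".html", ".hta", ".csv"}

def shannon_entropy(data: bytes) -> float:
    """Bits per byte; encrypted or compressed data sits close to 8.0."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())

def triage_records(records, entropy_threshold: float = 7.0) -> dict:
    """records: iterable of (relative_path, sample_bytes).

    Returns the artifacts an identification service wants: candidate ransom
    notes, a count per suspected appended extension, and one sample file per
    extension that can be uploaded alongside the note.
    """
    notes, suspect, samples = [], Counter(), {}
    for path, data in records:
        name = Path(path).name
        suffixes = [s.lower() for s in Path(name).suffixes]
        ext = suffixes[-1] if suffixes else ""
        # A note is a small text/HTML file whose name advertises how to decrypt.
        if ext in NOTE_EXTS and NOTE_NAME_RE.search(name):
            notes.append(path)
            continue
        # report.docx.locked -> final suffix ".locked" on near-random content.
        if ext and ext not in KNOWN_EXTS and shannon_entropy(data) >= entropy_threshold:
            suspect[ext] += 1
            samples.setdefault(ext, path)
    return {"ransom_notes": notes, "suspect_extensions": suspect, "sample_encrypted": samples}

def triage_directory(root, sample_size: int = 4096) -> dict:
    """Walk a (read-only) copy of the affected tree, reading only a head sample per file."""
    root = Path(root)
    def gen():
        for p in root.rglob("*"):
            if p.is_file():
                with open(p, "rb") as f:
                    yield str(p.relative_to(root)), f.read(sample_size)
    return triage_records(gen())

# Constructed sample records standing in for a scanned share (not real victim data).
SAMPLE_RECORDS = [
    ("docs/README_DECRYPT.txt", b"All your files have been encrypted. Contact us to restore them."),
    ("docs/report.docx.locked", bytes(range(256)) * 16),   # uniform bytes: entropy 8.0
    ("docs/budget.xlsx.locked", bytes(range(256)) * 16),
    ("docs/notes.txt", b"meeting at 10\n" * 100),           # plain text, low entropy
]

if __name__ == "__main__":
    result = triage_directory(sys.argv[1]) if len(sys.argv) > 1 else triage_records(SAMPLE_RECORDS)
    print("ransom notes:", result["ransom_notes"])
    print("suspected appended extensions:", dict(result["suspect_extensions"]))
    print("sample encrypted file per extension:", result["sample_encrypted"])
```

Run it against a mounted copy of the affected data, never the live host, and hand the printed note path and one sample path to the identification service; the count per extension also gives you a first estimate of how much of the share was touched, which feeds the backup-versus-ransom cost comparison the article describes.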
Regardless of whether the organization decides to pay the ransom or not, the FBI said in its guidance that it was important to report the incident to law enforcement.
"Doing so provides investigators with the critical information they need to track ransomware attackers, hold them accountable under US law, and prevent future attacks,” the FBI said.