Ransomware has infected the machines and important information the organization needs is locked up. The clock is ticking. Pay, or not pay?
It sounds like a binary choice—pay to remove the malware and get the data back, or not pay and try to rebuild and restore everything as much as possible—but it’s actually not. There are questions about the criticality of the information, what would happen if the data is permanently lost, whether the group responsible for the infection can be trusted, and how the payment would be made, to name just a few. There is so much conflicting advice on what to do, and they frequently don't take into account the organization's priorities and incentives.
Framing the situation as “never pay” and “pay if you have to” ignores all the other factors that go into making the decision, said Tony Martin-Vegue, risk management expert who leads a security risk management program at a a San Francisco-based financial services organization. It all comes down to incentives. Law enforcement’s official advice is to never pay (although there have been agents in the past who advised paying), because their incentive is to remove the revenue stream and “cut off the heads of cyber-criminal gangs,” he said. When the hospital cannot access important, possibly life-saving, information, their incentive is to do whatever possible to get back in the business of providing patient care, not helping law enforcement arrest the perpetrators.
“We have to have empathy for these companies and these IT folks that are just completely stuck,” Martin-Vegue said. “Some people just have no options.”
“We can't browbeat them anymore. We can't just continue to yell at people, patch your stuff,” Martin-Vegue said. Change the options available to victims so that they can make different decisions.
Ransomware and other forms of extortion have an impact that extends beyond the victim organizations. Cybercrime gangs making money off ransomware can buy exploit kits or rent out the infrastructure needed to expand into other types of attacks and victimize even more people. However, telling organizations they shouldn’t pay the ransom to prevent future attacks unfairly puts the onus of solving the ransomware problem onto individual victims, Martin-Vegue said.
To get victims to consider the long game—reducing cybercrime—instead of their immediate needs, the overall environment has to change. History has shown that kind of seismic change is beyond a single organization.
A quick history lesson: The manufacturing boom in Chicago in the mid-1800s increased the city’s population, but it also worsened the city’s pollution problem. Factories dumped waste and by-products in the local waterways and the city did not do its part to keep sewage out of the river.
“The Chicago River was a toxic, contaminated, lethal mess,” Martin-Vegue said.
The fact that the Chicago River emptied into Lake Michigan, the city’s primary source of freshwater, led to regular outbreaks of typhoid, cholera, and other waterborne diseases. The city needed to do something drastic to protect the city’s drinking water supply. The city planners worked with engineers to reverse the flow of the river so that it no longer flowed into Lake Michigan.
“What does dumping toxic waste in the the Chicago River and paying cyber extortionist have in common? Quite a lot, actually,” Martin-Vegue said.
Companies dumped toxic waste in the river because it was cheaper and more convenient than treating and disposing of the waste properly. However, the consequences of the action was felt by everyone in the area and was not fully borne by the company doing the dumping. The short-term benefits to the company outweighed the broader harm. The same thing happens with a ransomware payout. The “never pay” group is correct in that ransoms ultimately fund criminal enterprises and encourage future attacks. It costs a few bitcoin to get data back, but that action directly enriches and encourages the cybercriminals, thereby creating an environment for more extortion attempts and more victims, Martin-Vegue said. The harm is pushed downstream and spread out across many victims, while the victim’s immediate problem is fixed.
Negative externalities is a concept in economics which means parties engaged in economic activity gain something, but there’s a separate party that isn’t part of the transaction that gets harmed. Dumping sewage and toxic waste into public waterways is one example. So is paying criminals to get data back.
“Advising a victim to not pay is like trying to stop one person from throwing waste into the Chicago River,” Martin-Vegue said. One organization’s choice isn’t going to stop ransomware attacks.
Reducing the societal harm caused by ransomware attacks is the security equivalent of changing the flow of the Chicago River? One way to do that is by changing—minimizing—the amount of damage ransomware can cause the victim.
Going Further Upstream
Public policies help counteract the effects of negative externalities, Martin-Vegue said. Public policies can help people from falling victim in the first place or to avoid paying if they are affected. In environmental policy, that meant taxes, fines and regulations. That is not going to work with ransomware since the burden will fall on the victim.
Laws or regulations banning ransom payments or creating criminal penalties for getting infected would be a “terrible way to approach [the problem],” Martin-Vegue warned.
Public policy and government intervention should focus on creating more “nudges” and positive externalities, or outcomes where society as a whole benefits from a transaction. One example of a positive externality is the antivirus companies creating decryptor kits for the most common strains of ransomware. These kits are released to the public free of charge and let the victims decrypt their data without having to pay the criminals. The victim gets the files back free of charge and the larger security ecosystem benefits because the criminals don’t get their payout.
Just recently, antivirus company BitDefender released a decryption tool for recent versions of andCrab, a prolific strain of ransomware. The decryption kit was developed in partnership with Europol and the Romanian Police and was supported by the FBI and other law enforcement agencies. GandCrab had infected more than half a million people in the United States, United Kingdom, China, India, Brazil, and Germany. The initial kit can decrypt data encrypted by GandCrab version 1, 4, and 5, and BitDefender promised a follow-up tool to address other versions.
Within hours of the tool kit’s release, 1,700 victims successfully decrypted GandCrab-locked files, BitDefender said. The company believes the criminal group behind this ransomware lost an $1 million in potential victim payments in the week since the tool was released.
Once the decrypter kit is released, that strain of ransomware loses much of its effectiveness. There may be some people who still pay the ransom because they don’t know about the kit, but if the majority of the victims stop paying, the attackers have to move on to a different attack.
The NoMoreRansom project is a great approach, as they bring companies together to develop decryptor kits. Organizations have a place to go to see what their options are when they are infected with the ransomware instead of going to multiple places looking for the right kit. Public and private funding for more decryptor kits for more strains of ransomware will make a difference.
Funding decryptor kits are just one of the areas that can be used to “influence outcomes in non-intrusive, unforced ways,” Martin-Vegue said. Both corporations and governments can invest to help with the ransomware problem and other areas of cybercrime, such as education initiatives promoting the NoMoreRansom project and the best ways to work with law enforcement. Right now, the conversation around ransomware is mostly about blame, about why things were not backed up or protected, but if the conversation can shift to the fact that there are some options, the decision-making process changes.
“You can find a decryptor kit. Maybe we can help you with backup restoration,” Martin-Vegue said. “[If] the viable option is simply to pay, can we negotiate the ransom down? We have law enforcement be involved when there's kidnapping, can we use professional negotiators to get a better outcome?”
Long-term efforts to encourage software vendors to improve how they handle software updates and make it easier for users to deploy them. Education and assistance programs for victims can talk about basic system hygiene such as backups and patching, negotiating ransoms, and finding decryptor kits. Provide professional negotiators to help get the outcome law enforcement and organizations can work with.
Other education programs can focus on partnering with software vendors to improve how they handle software updates and helping users install them. Initiatives focused on basic system hygiene such as backups and patching still need to be part of the mix.
It’s all about incentives. Health care organizations are more motivated about providing patient care and less about discouraging future attacks. But if there is a framework providing viable alternatives to paying, they would consider not taking the immediate, short-term fix.
It wasn’t up to the residents of Chicago to figure out how to drink the water safely. It isn’t up to the victims to solve the ransomware problem. Industry leaders and government officials that guide policy need to come up with ideas to crack this problem.
"Right now we don't have good options and you can't rely on the local IT shop to come up with a better answer to ransomware,” Martin-Vegue said.
One approach Martin-Vegue would like to see gain traction would be to treat ransomware kits as any other type of software and set up bug bounty programs. Whoever can create a decryptor kit for the malware or somehow compromise the kit would qualify for a reward. If someone finds vulnerabilities which could then be used to create the decryption kit, that would also qualify for a payout, as well.
“We pay people to find vulnerabilities [in software] today. Let’s do the same thing with ransomware,” Martin-Vegue said. “It would go a long way to solving some of this problem.”
Making Decisions Earlier
A lot of the current discussion focuses on the choices victims have when they’re already under attack. The decision tree looks at the possibility of restoring from backup, looking for tools that can decrypt the locked files, trying to negotiate with the attackers, paying the ransom, or walking away and starting over from scratch. However, there are many decisions made even earlier, long before the attack, that impact what kind of choices are currently available. There were decisions on what IT projects to prioritize and fund and choices made in light of resource and time constraints.
Instead of harping on the victims about why they didn’t patch systems, why legacy systems are still in use, or why the attackers succeeded, security teams need to insert themselves into the decision tree much earlier, Martin-Vegue said. Long before the attack even happens, security teams should be starting the conversation about the impact of having legacy systems, assessing the effectiveness of the existing backup strategy, and developing a plan on how to respond to this kind of extortion.
“We can't browbeat them anymore. We can't just continue to yell at people, patch your stuff because, that's not working, obviously,” Martin-Vegue said.
The core philosophy behind risk management is analyzing decisions and helping business leaders prioritize their decisions based on resource allocation. There is a whole science around decision-making, one that considers the obstacles and the consequences before making a decision that makes logical sense. Security leaders need to interject themselves into the risk management conversation—where decisions are analyzed and resources are allocated—if they want to influence the eventual security decision.
“I wonder if we’ve gotten to the point where we just accept this [extortion] as our fate in the sense that we just know that there's going to be a certain amount of ransomware victims per year, and they’re just going to pay,” Martin-Vegue said. “I just don't want that to happen. I don't want us to give up on that.”