According to Help Net Security, the 2018 Risk:Value Report from NTT Security reveals some disquieting facts about how organizations deal with ransomware:
- 33% would pay a ransom demand rather than invest in better security.
- 16% are not sure whether they’d pay up or not.
- Just over half would be prepared to invest actively in information security.
For the report, NTT “surveyed 1,800 C-level executives and other decision makers from non-IT functions in 12 countries across Europe, the US and APAC and from across multiple industry sectors.”
I haven’t downloaded the actual report, as to do so requires registration and I don’t particularly want to be regarded as a potential customer by NTT. And, in fact, while there are evidently lots of other interesting data in the report, I want to focus here on the willingness of so many organizations to accede to the demands of the criminals. Let me refer you to an article by Kevin Townsend from 2016, in which he quoted me at some length (and I discussed those issues at greater length here). Better still, here’s a longer section from the text I originally sent him in response to this question:
“…some figures suggest that 40% of corporate victims pay up. Many AV companies say there is little chance of recovery without the keys. FBI says corporates have a risk decision to make. Europol says simply ‘don’t pay’. Is Europol being realistic?”
[Perhaps it’s a positive that the later report suggests a lower figure of victims that pay up, but there are probably too many variables to rely on that being a definite trend. Anyway, since the question seems to have been put hypothetically, it’s quite possible that respondents would react quite differently if they actually found themselves in the position of ransomware victims, by gritting their teeth and ponying up.]
Anyway, this was my (very slightly edited) response:
In the abstract, there’s an undeniable argument that if you give in and pay the ransom, you’ve directly contributed to the well-being of criminality. In many cases, it’s a purely economic decision: it’s cheaper to pay up than lose the data. In fact, you’re sustaining a protection racket. On the other hand, if you don’t pay up, you probably don’t get your data back – sometimes there is an effective free decrypter available, but most of the time we can’t provide one – and maybe the damage is so severe that you go out of business. You can’t blame people – or companies – for preferring paying up to economic suicide, any more than you can blame them for giving their wallets to people who threaten them with knives. In fact, since we’re talking about corporates rather than individuals, it might be seen as being more responsible to pay up rather than destroy the livelihoods of all staff, including those right at the bottom of the hierarchy who are generally less likely than the Board of Directors to survive the damage to their finances.
If people and companies didn’t pay up, then ransomware attacks would become uneconomic, which wouldn’t stop criminality, but would force crooks to explore other avenues – or maybe I should say dark alleyways. However, the attacks will remain economically viable as long as people aren’t prepared or able to defend their data proactively. It’s easy for those who have the knowledge and resources to implement adequate defences – not as easy as many commentators point out – to say that it’s ‘wrong’ to give in to ransom demands. Of course companies should implement such defences, and that would impact on the viability of the attacks. If they don’t do so because it’s cheaper to pay up than to spend money on a backup strategy, then that is reprehensible. I don’t know how often that happens, though: after all, sound backup practice is a defence against all sorts of misfortune, not just ransomware.
I was taken to task by a commenter on one of my ESET blogs for implying that paying the ransom is sometimes acceptable, pointing out that (I’m paraphrasing) failing to ensure that all an organization’s data could be backed up and recovered as necessary is essentially a symptom of management failure. I’m inclined to agree, in general, as I think my quoted text above bears out. Do incompetence and clinging to false economy make it unacceptable to pay a ransom? Well, that’s a more complicated question. After all, the people who are penalized if an organization chooses not to pay ransom and therefore loses its data are by no means always the people whose incompetence and penny-pinching put their data in jeopardy. I’ll come back to that.
He also asserted that apart from the fact that payment perpetuates the problem, some of the money paid in ransom goes to fund organized crime and even terrorism. Well, that’s a very good point. And while I don’t think it’s necessarily up to me to decide what is or isn’t ‘acceptable’ behaviour on the part of a victim of ransomware, I would at least agree that a ransomware victim (individual or organization) should take into account that possibility. I don’t know how much money paid to ransomware gangs actually does go to organized crime or to fund terrorism, but I’m certainly not going to say it doesn’t happen.
But does that mean that paying ransom should in itself be a crime? Well, we don’t usually go after people who pay up in cases of kidnapping, protection rackets, and so forth, even though those payments may subsidize all sorts of undesirable activities, so I’m not convinced. The more so since I can think of several scenarios that might be seen as being in mitigation. To quote myself again (again, lightly edited):
- An individual is faced with losing decades’ worth of family photos or other irreplaceable data.
- A healthcare organization faces an ethical dilemma because the medical records of thousands of clients are at risk: if they pay, criminals benefit, but if they don’t, the health of many is put at risk. It’s easy to say it’s the victims’ own fault in these cases, but it isn’t necessarily the case: data might be backed up but unrecoverable for a variety of reasons – a failed or incompetent 3rd-party provider, or natural disaster, for instance.
There might be an argument for criminalizing ransom payment where a company could access backups but chooses not to because it’s cheaper to pay up, but that’s still penalizing the victim for the actions of the criminal.