To Pay or Not to Pay: Trying to Answer the Perennial Ransomware Question

No one wants to get hacked, particularly with ransomware. The immediate monetary costs that come in the aftermath of a ransomware attack can be prohibitive, and depending on how the situation is handled, organizations can suffer long-term damage to their reputation. Data breaches also open the door to potential lawsuits from those whose personal information has been compromised. At some point, decision makers must ask themselves: Is it cheaper and easier to just pay the ransom?

[Image: Atlanta, Georgia skyline. Credit: SeanPavonePhoto / iStock / Getty Images Plus / Getty Images]

It’s a tough question to answer, under any circumstance. For reference, let’s take a look at the ongoing fallout from the mid-March 2018 SamSam ransomware attack on the city of Atlanta.

The threat actors behind the attack demanded approximately $51,000 (the value of 6 bitcoin at the time of the attack) before they would decrypt the ransomed data. Mallory Locklear, writing for Engadget, notes that it is unclear whether city officials ever engaged with the hackers; either they did not try to pay or their attempts were unsuccessful. Even if they had wanted to, it was not clear that payment was still possible, because the threat actors took down their communications portal after it was exposed in an image shared with the media.

The city is still suffering service outages over a month later.

An Expensive Mistake

Locklear reported last week that Atlanta had spent $2.7 million on recovery efforts in the aftermath of the breach. A quick check of the city’s emergency procurement website (on April 30, 2018) shows that the number has ballooned to over $5 million. These newer charges appear to cover labor and hardware charges for rebuilding (or building) and securing their networks. These expenses likely represent a fraction of the total cost of this attack. I’m sure we won’t understand the full impact for quite some time.

What is most surprising is how easily this attack could’ve been avoided. Following the March ransomware attack, Rendition Infosec, an Atlanta-based cybersecurity firm, published evidence that the city’s network had been compromised 11 months prior. Also, Lily Hay Newman, reporting for Wired, presented a January 2018 report from the City Auditor’s Office that detailed a recent security compliance assessment failure. While the upfront cost to bake security into their networks prior to the March ransomware attack may have been high, it most likely would’ve been less expensive than the remediation expenses.

Paying the Ransom

A quick glance at these numbers might make you jump to the conclusion that it is easier and far less expensive to simply pay the ransom, get your data back, and move forward. In most of the major ransomware attacks over the last year or so, it’s clear that the threat actors are smart enough to keep the ransom demands reasonable to increase their odds of getting paid.

As tempting (and seemingly cost-effective) as that solution is, it is not without pitfalls. Kevin Townsend of SecurityWeek spoke to an anonymous chief information security officer (CISO) of another U.S. city, who laid out some of the potential problems with paying the ransom. The CISO states that “firstly, [the breached organizations] don’t know if they would actually get the decrypt keys; secondly they don’t know if they would simply get hit again; and thirdly, it would only encourage more of the same kind of action.” This position is also supported by the FBI and other law enforcement agencies.

In the case of Atlanta, the SamSam ransomware presents a different problem altogether. Compared with other ransomware, it moves more slowly: the attackers compromise the network first and only later begin encrypting files. In this instance, the attackers could already have taken enough personal data from the network to turn around and sell it on the dark web. They could also have installed other malware or created additional backdoors. At that point, a ransom payment is merely icing on the cake.

The lesson of the Atlanta ransomware attack for other public and private sector organizations is clear: be better prepared. In their response to SecurityWeek, the aforementioned CISO makes an incredibly salient point: “for probably 10-20% of the cost of the emergency support ($2.7 million at the time of their comments) they could have brought in the same people to help with the same issues prior to the incident.”