Although ransomware took a backseat to other attack vectors in 2018, the threat has regained momentum this year. The most recent high-profile ransomware attack occurred 20 miles from my home, on the city government of Baltimore, on May 7. Baltimore was attacked by a ransomware strain known as RobinHood, and attackers demanded approximately $100,000 in exchange for the digital keys that would restore the city's systems and access to data. To date, Baltimore has refused to pay the ransom. We are now three weeks into the attack; significant disruptions continue to occur and are costing the city dearly in financial and reputational damages.
Ransomware sets the stage for a great debate on moral versus practical dilemmas. This recent surge of ransomware attacks raises the question: Is your local government next? And if you are in a position of power, will you pay the ransom?
To Pay or Not to Pay — That Is the Question!
Whether a city pays a ransomware demand depends on many factors. It's not an easy question to answer, and whichever side you take, there will be a sharp opposing view. Before making a decision, however, it's vital to examine your response through both a moral and a practical lens.
Morally, the most common, quick, and easy answer is "no." Don't pay the ransom because it only serves to reinforce attacker behavior. I appreciate this angle. It generally has been the US view on ransom demands involving hostage captivity, though the government has paid a ransom to free hostages in some situations. OK, I know here we're talking humans and not computers, but there must be some parallels — and in today's world, computers affect humans on an extraordinary level.
Practically, you'll find that many people believe paying the ransom is the right move, because the cost of not paying the ransom ultimately dwarfs the cost of paying it. It's hard to quantify this exactly, but the logic is clear.
For example, the government of Atlanta refused to pay $50,000 and ended up paying an estimated $17 million to recover from the attack. It's not easy to determine what costs would have been avoided if the city had paid the ransom, but a quicker recovery time would have resulted in less business disruption and reduced spending on third-party consultants. This alone would have indicated a positive return on investment for paying the ransom.
Unfortunately, Baltimore is three weeks into the attack and still experiencing disruption. Email remains down. Real estate transactions have been disrupted. Online bill payment systems have not recovered, significantly affecting city revenue collection. Beyond outright unavailability, the attack has degraded the quality of services that stayed up: critical services such as emergency medical services, police, fire, and 311 have remained operational, but their operations are being intensely affected. 911 alerts, for instance, are now going out via pagers rather than as the normal computer-generated, automated alert.
Of course, there is always the risk that you pay the ransom and the attackers don't restore the systems. A Trend Micro report from three years ago indicated that one in five companies that paid never got their data back. That data is dated, and it would be interesting to see a current look at where this issue stands. Even when the attackers do hand over working keys, payment buys only the keys: the intrusion that let the ransomware in still has to be found and closed, and the affected systems still have to be cleaned or rebuilt before they can be trusted, so paying shortens the recovery but does not eliminate it. Decision-makers must still ask themselves: What is the cost of disruption? How much has been paid to third-party consultants to restore systems? And how do these costs compare with what the city would have spent had it paid the ransom initially?
The moral reaction to ransomware says to not pay the ransom because it reinforces bad behavior. However, I think the practical aspect of ransomware is that the cost of not paying the ransom is materially greater than the cost of paying it. I had a conversation recently with a savvy CISO that led me to believe that it's more standard than not for organizations to pay the ransom. I suspect this is happening more frequently than we realize and that there are likely many ransomware attacks we don't hear about because significant disruption was mitigated by paying the ransom.
And while there may be honor among thieves, a ransom payment only buys the attackers' promise to restore access. The data of an entire city government is tempting in its own right, given the amount adversaries will pay for information on the Dark Web, so paying is no guarantee that the data will not also be sold. All in all, where do you stand on the spectrum of practicality versus morality when it comes to ransomware? Let us know by commenting below.