Paying hackers a ransom: Is it the right thing to do?

Public disclosure of ransom payments is potentially compounding an already significant problem


By Bethan Moorcraft

The world’s largest meat processing company – Brazil-based JBS SA – recently fell prey to a ransomware attack in which hackers paralysed the servers supporting its operations in North America and Australia.

The FBI attributed the attack to REvil, a Russian-speaking hacking group that has made some of the largest ransomware demands on record in recent months. JBS managed to get its global operations back up and running at “close to full capacity” within five days of the cyberattack. It is not yet known whether the meat processing giant paid a ransom, but the quick resolution might suggest some form of successful negotiation with the criminal group.

I think it’s wise for companies to remain tight-lipped (wherever the law allows) around the payment of ransoms, and I applaud JBS for keeping their cards close to their chest. Why let every other cyber criminal know that you’ll pay your way out of a sticky situation, if indeed that was the case?

The attack on JBS was the second significant assault on US critical infrastructure in recent weeks. In early May, Colonial Pipeline - the largest fuel pipeline in the US - was forced to temporarily shut down its operations after falling victim to a ransomware attack.

After learning of the ransomware attack on May 7, Colonial immediately took its pipeline system offline and did everything in its power to restart it quickly and safely, before making the decision to pay the ransom to the group of hackers known as DarkSide, who are also believed to operate from Russia.

Colonial Pipeline CEO Joseph Blount confirmed that the company paid hackers US$4.4 million in ransom, telling the Wall Street Journal that he authorised the payment because executives weren’t sure how badly the attack had breached Colonial’s systems or how long it would take to get the pipeline back up and running. He described it as a “highly controversial decision” that he didn’t make “lightly” but that he believed “was the right thing to do for the country.”

Was that the right thing to do for the country? Yes, in terms of minimising immediate damage to the US economy, but longer-term, I’m not so sure.

Blount’s public statement – which may have been necessary due to the high-profile nature of the event and the systemic impact it had on the US economy by triggering higher gas prices, fuel shortages and panic buying – gives hackers all the incentive they need to continue attacking critical infrastructure around the world, with the knowledge that huge corporations will pay enormous ransoms because … “it’s the right thing to do for the country.”

Obviously, it is never an easy decision whether or not to pay a ransom. In May, it was reported that commercial insurance giant CNA paid US$40 million in ransom after a “sophisticated” cyberattack. News of the ransom payment, which is larger than any previously disclosed payment to hackers, was leaked by sources who asked for anonymity because they were not authorised to discuss the matter publicly.

CNA spokesperson Cara McCall then made the following comment: “CNA is not commenting on the ransom. CNA followed all laws, regulations, and published guidance, including OFAC’s 2020 ransomware guidance, in its handling of this matter.”

The problem with these ransom payments being made public – and a likely reason why CNA would have preferred its alleged sizeable payment to remain undisclosed – is that cybercriminals worldwide get critical information handed to them on a plate. They learn who is likely to pay, what motivates the payment, and how much money they can ask for. And, much to the concern of cyber insurers, they keep asking for more and more … and more.

This is compounding an already out of control problem in cyber insurance, with insurers reacting to the ransomware epidemic by reducing capacity and increasing rates by more than 100% in some jurisdictions.

Of course, there are many actions and controls that companies can put in place to minimise their cyber risk and reduce their exposure to ransomware attacks. But, judging by the high-profile nature of some of these recent events, one potentially critical mitigating factor in the fight against ransomware is for companies to play their cards VERY close to their chest.
