To pay, or not to pay, that is the question:
Whether ‘tis nobler for a business to suffer
The slings and arrows of outrageous fortune [during a ransomware attack],
Or to take arms against a sea of cyber troubles
And by opposing [aka, paying the ransom] end them.
I could go on, but I think we can all agree that Shakespeare’s original Hamlet soliloquy is better. The question at the crux of it all – and one that more and more companies are having to contend with – is whether to negotiate with cyber criminals and potentially pay a ransom to remediate a cyberattack. Unfortunately, there is no easy answer to that question.
Ransom demands have skyrocketed in recent months. According to figures released by the Unit 42 security consulting group, the average extortion demands jumped by 518% in the first half of 2021 compared to 2020, with the highest demand of US$50 million trumping the record US$30 million demand in 2020. Unit 42 also revealed that ransom payments surged by 82% in the same period.
So, it seems that more and more companies are “taking arms against a sea of cyber troubles” and paying ransoms to “end them” – but is that really a good idea?
Ransom payment is a controversial topic around the world. The general stance from law enforcement agencies is “not to pay” because there’s a risk of incentivising further attacks if threat actors are given what they want. Also, there’s no guarantee once a ransom demand is met that the “slings and arrows of outrageous fortune” will suddenly cease for victim organisations.
Read next: “EXTERMINATE” … the underperformers
These days, hackers are using double extortion (encryption, plus data exfiltration), triple extortion (encryption, data exfiltration, and DDoS attack), even quadruple extortion (encryption, data exfiltration, DDoS attack, and further harassment) techniques to squeeze as much money out of their victims as possible. Thus, paying the ransom does not necessarily end the “sea of cyber troubles”.
In the United States, the Treasury Department’s Office of Foreign Assets Control (OFAC) prohibits ransomware payments – and their reimbursement under cyber insurance policies – to any person on the “Specially Designated Nationals and Blocked Persons” (SDN) list. Under OFAC’s standard of strict liability, any US company that pays or facilitates the payment of a ransom demand to an SDN can be sanctioned, even if they weren’t aware the transaction was being made to a prohibited entity.
While insurers are used to dealing with these types of regulations – they’ve long been in place for other coverages like kidnap and ransom – OFAC’s stance does potentially put corporations in a tough spot, especially when it comes to determining the attribution of an attack and then meeting OFAC compliance measures at speed. This is why insureds should make use of their insurer’s expertise and the legal counsel that comes with cyber insurance policies when deciding whether “to pay, or not to pay”.
Meanwhile, in Australia, top cyber officials have argued publicly that cyber insurance should not cover ransom or extortion payments. Rachael Falk, CEO of the Cyber Security Cooperative Research Centre (CSCRC), and Anne-Louise Brown, the CSCRC’s director of corporate affairs and policy, stated that providing insurance coverage for extortion and ransom payments “is problematic, serving to feed the criminal enterprise of ransomware gangs, especially those that prey on insured organisations”.
Not only that, but in covering rapidly inflating ransom demands – the average extortion demand in the US for the first six months of 2021 was US$5.3 million, according to Unit 42 – the cyber insurance industry has fallen under extreme pressure, and the market is now hardening rapidly to mitigate against increased losses.
There are a lot of different opinions on whether victims should pay ransomware demands or not. Unfortunately for some, payment is the only option. In 2021, there have been multiple high-profile ransomware attacks, targeting companies with global supply chains or critical infrastructure (such as the attack against global meat processing giant JBS), or software/IT services providers that can be manipulated to spread the malware (such as the SolarWinds attack).
JBS confirmed in June that it paid the REvil hacker group US$11 million to free up its systems and end disruption in its supply chain. The agonising question of whether “to pay, or not to pay” was described as “a very difficult decision to make” by JBS chief executive Andre Nogueira, who said they did it to protect their customers as the disruption threatened food supplies and risked higher food prices.
There are countless other examples of chief executives that have had to make similar decisions – with the full knowledge that paying cyber extortion demands does not equal the end of their misfortune. Oftentimes, the payment is just the start of a long road to recovery, on which companies must restore their systems, comply with strict regulations around breach notification, and rebuild their damaged reputation.
“By opposing [cyber troubles] end them?” As things stand in the cyber risk landscape, with hackers always seemingly one step ahead of law enforcement and security experts, it seems to me that there’s no immediate “end” in sight.