Paying Ransomware Actors: 'It's a Business Decision'
Analyst Paul Furtado and CISO Daniel Smith Advise to Stay Impartial
Two to three times a month, Paul Furtado of Gartner gets called in to help somewhere in the world with an active ransomware incident.
Furtado, who is a vice president and analyst with Gartner, says he hasn’t seen an organization take paying a ransom off the table from the start.
"I have yet to see an organization going through that that says 'No, I’m not going to pay,'" says Furtado, who spoke on Tuesday in Sydney at Gartner's Security & Risk Management Summit. "The reality is they're [the executive board] going to do what they need to do and give you that blank check to get the business back to a functional level."
Ransomware is a nearly perfect crime. Encrypting a company's data and holding it hostage has been an astonishingly effective criminal ploy with a low risk and high reward. Governments such as the U.S., Australia and the U.K. have developed plans to combat transnational ransomware gangs, but their actions will take time to reduce ransomware.
Furtado says up to one-third of organizations pay the ransom even though it is advised to try to avoid paying if possible. The majority of those organizations do get access to their data, as cybercriminals generally hold up their end of the deal.
But Furtado warned that the decryption key for data isn't the golden path to recovery: There is often data that is irrevocably corrupted, and restoring systems from key material can be slower than a well-practiced backup-and-restore regime.
He cited the example of Colonial Pipeline, the energy company stricken by the DarkSide ransomware gang in May 2021. The company quickly paid a $4.4 million ransom but concluded that restoring from its own backups was faster than using the key material provided by its attackers (see: Colonial Pipeline CEO Confirms $4.4 Million Ransom Payment).
Another point to consider: Paying a ransom puts victims at higher risk, as either the same group or another one may mount new attacks while incident response is still under way.
"If you do pay, there's an 80% chance you're going to get hit again," Furtado says. "It will either be from the same group that hit you the first time or will be from another group that heard of the successful attack on the dark web."
After an attack, the business asks security practitioners what to do and whether to pay.
"Having a blanket 'We will not pay' policy does not always align," Furtado says. "From a security practitioner perspective, [I] most definitely wholeheartedly support that mentality, and that's what we should be doing. But the reality is it's not our call; it's a business decision."
The business has to consider what the maximum tolerable outage is as well as other impacts of the decisions they must make, Furtado says.
It's important that those on the security teams realize that the call on whether to pay or not - and the accompanying moral implications - is not theirs, says Daniel Smith, CISO of Hearing Australia.
Smith was called on to help an Australian organization in the aged care sector recover from an attack by the REvil gang, and he presented on his experiences at the Gartner summit on Tuesday. The organization was not identified by name.
Smith says there was one person at the organization who had very strong personal views on whether to pay the ransom.
"The repetition of those personal views ended up with that person being bundled out of the conversation because they were no longer objective," Smith says. "So even if you do have a strong view on the payment of ransoms … if you're a CIO or a CISO, you're there as a subject matter expert. You will provide advice only. You will not be responsible for making the decision. That will be the board's decision, so leave it to them. Just provide the advice as best you can."