SAN FRANCISCO -- Attitudes about ransomware payments are changing, and not necessarily for the better.
Ransomware attacks and defenses were major topics of discussion at RSA Conference 2020 last week. Much of the discussion focused on the evolving threats, particularly threat actors who threaten to expose victims' data as a tactic to pressure them to pay. But other discussions tackled the economics of ransomware, including the ethics around paying the ransom, and several experts said attitudes toward paying ransoms have changed drastically in recent years.
"The propensity to pay has gone way up," said Andrew Morrison, leader of cyber strategy, defense and response at Deloitte. "Two years or even 18 months ago, the general philosophy was 'We don't negotiate with terrorists, we don't pay the ransoms.' That was the FBI's perspective, that was our perspective -- everyone's advice was not to pay the adversary because it just makes things worse and you have no guarantee of data recovery."
That philosophy has dramatically shifted, according to Morrison.
"Now almost every organization views it as a business decision," he said. "They weigh the decision to pay the ransom like they would any other financial decision. Is the return on this expenditure worth the expenditure?"
Adam Kujawa, director of Malwarebytes Labs, said the change in attitudes is a direct result of the evolution of ransomware attacks, which have become increasingly devastating as threat actors have set their sights on bigger enterprise targets.
In the early years, ransomware mainly targeted consumers, and the standard advice was not to pay, Kujawa said.
"Don't pay these guys, don't encourage them, it'll just make it worse. The FBI was saying it too," he said. "But we live in a different day today. Ransomware is more targeted toward businesses than ever before. Ransomware families are being developed specifically to go after larger networks to be as damaging as possible once you have an entire network compromised, and we see that with Trojans like Emotet and TrickBot that move laterally and are able to compromise an entire network, and then launch the ransomware after every endpoint has already been infected."
The risks of paying the ransom
Even law enforcement and government officials appear to have softened their stance on refusing to pay ransoms. During his RSAC session, FBI supervisory special agent Joel DeCapua stressed the risks of making ransomware payments and advised against doing so, but also acknowledged some businesses may be left with few options.
"We do not advocate the paying of ransoms," DeCapua said. "We've had people pay ransoms and then not get their data back.
"A lot of times when you pay the ransoms, the actor actually has a bunch of other backdoors on the system. You're not going to get what you want; it's not going to turn out good," DeCapua said. "We encourage people not to pay the ransom, but we do understand that when people are in those terrible situations, they have to make difficult choices."
In another ransomware-focused session at RSAC, William Hall, senior counsel in the Justice Department's Computer Crime and Intellectual Property Section, offered an inside look at his work on the prosecution of alleged SamSam threat actors. During his session, Hall hesitated to join the debate over whether to pay ransoms or not but did point out the positives of both sides.
"Many in law enforcement believe if victims stop paying ransoms, ransomware at a minimum would not be a very effective endeavor for criminals and would likely come to a stop," Hall said. "I'm not here today to wade into this very difficult issue area."
However, the SamSam ransomware payments that victims made were "an important piece of evidence" that helped law enforcement identify the threat actors, he said.
Some in the infosec community expressed concerns that the changing attitudes on ransomware payments have led to more organizations paying threat actors -- which they fear has led to more attacks. Jake Kouns, CEO and CISO of Risk Based Security in Richmond, Va., agreed the tendency to pay ransoms has increased, especially among smaller and midsize businesses that have small security budgets and may be less prepared for attacks.
"It's a tough situation because you don't want to contribute to more attacks," he said. "But at the same time, do you want to tell a midsize company they have to go out of business for the greater good?"
Morrison said Deloitte performed incident response (IR) for a pharmaceutical client that had suffered a serious ransomware attack, which encrypted the company's research for potentially life-saving drugs that were about to go to market.
"It was a no-brainer for them to pay," he said, "because it's not just lost revenue, it's lives too."
That said, some attacks fall well below that threshold, and clients still opt to pay the ransoms, Morrison said.
"Sometimes they make the nuisance payment. They say, if I activate my [IR] retainer, it'll cost more than the ransom. That's the initial mindset, at least," he said. "What they don't necessarily understand is that decision is fraught with risk. You don't just get a magical key and plug it in and everything comes back."
Ransomware attacks on the rise
Another factor contributing to the rise in ransomware payments is the increased volume of attacks. Matt Valites, outreach lead at Cisco Talos Intelligence Group, said that as attacks have become more severe and more pervasive throughout victims' IT environments, the decision to pay is more than a pure financial tradeoff.
"There's certainly no shortage of ransomware. Our IR team sees it constantly," he said. "Deciding whether or not to pay it is such a personal decision for that organization. It depends on a lot of things, like what your budget is. And even if you pay it, you're not out of the hot water. Someone could come right back in and do it again."
Despite the cautionary tales offered by incident response practitioners, experts said the ransomware situation is trending in the wrong direction. Morrison said the biggest issue is that ransomware attacks are succeeding, and enterprises are struggling to stop the infections and the pervasive disruption of their environments.
"Cybersecurity has always been a cat-and-mouse game of better weapon, better defense," Morrison said. "That's always been in equilibrium and I think we're losing a little bit of equilibrium right now. Until that equilibrium is restored, and until there is a better defense for ransomware, it's going to continue along this axis."