RSAC speaker offers ransomware victims unconventional advice

An RSA Conference speaker argued that despite the stigma associated with paying ransomware gangs, it's sometimes better to "negotiate with terrorists."

In his session at the 2023 RSA Conference on Monday, Brandon Clark, CEO of Triton Tech Consulting in Denver, proposed a ransomware response process that works to squeeze out emotive instincts that are often tangled in the decision-making.

"It is absolutely critical that you do take as much of the emotion out of this as possible by looking at some of this ahead of time," Clark said during the session, titled "Negotiating with Terrorists: The High Stakes Game of Ransomware Response."

Clark suggested that ransomware victims often make detrimental decisions based upon emotional and moral instincts. He prefaced his response plan with a reference to the 1973 hostage crisis at the Saudi Arabian Embassy.

In that incident, three Western diplomats, among 10 others, were taken hostage at the embassy by the Black September group. Former President Richard Nixon refused to negotiate with the terrorists and publicly announced the U.S. would not pay the demanded ransom. The terrorists later killed the Western hostages. The remaining hostages were released and returned to their home in Sudan, which had negotiated with the group.

Clark related this piece of history to the life-threatening events that follow a ransomware attack on a hospital or an air traffic controller or other critical infrastructure targets. He stated that aversion to negotiate with terrorists was a polarizing mindset, "entrenched in our mental framework," that has induced poor decision-making.

"If I'm not able to understand a patient's history, if I can't see what their allergic to, and they're given medication that sends them into anaphylactic shock, I would argue that's probably worse and more evil than me paying $50,000 to get our systems back and running," Clark said.

There's also a financial component to the equation. Clark used the 2018 ransomware attack on the city of Atlanta as "a great example of what not to do," because the city government refused to pay a $50,000 ransom and ended up paying more than $3 million in remediation and recovery costs.

"It doesn't make sense for us to go in and spend a million dollars for a $50,000 problem," he said.

Incident response experts, however, often caution ransomware victims that decryptors regularly fail to restore all data and systems -- which Clark acknowledged during his session -- and advise even organizations that pay ransoms to do a full forensic investigation and remediation following an attack.

The FBI and many cybersecurity companies have long argued that compensating ransomware actors will only incentivize more malicious activity. Clark, however, disagreed with that belief; he argued that with the several ways threat actors can monetize the attack, such as selling stolen personal information online, ransomware will continue to hit organizations regardless.

"There's the argument of 'If we pay, then we're just going to encourage more [attacks].' I would honestly argue that they're already encouraged to do more just by the nature of these attacks," he said.

Clark's statements appeared to contradict the advice from another RSA Conference speaker: Deputy Attorney General Lisa Monaco. In her keynote on Monday, Monaco discussed the importance of victims coming forward to work with the FBI and the Department of Justice and commended organizations like Colonial Pipeline Company and Kaseya for contacting law enforcement.

While Colonial Pipeline made the decision to pay a multi-million-dollar ransom, Monaco said coming forward to report attacks is "good for America, because you're helping us prevent that next attack."

But Clark encouraged ransomware victims to put aside the obligations to society and risks posed to others when deciding whether to pay a ransom.

"It's important for us to recognize that at some point, whether or not we pay is kind of irrelevant," he said. "These guys are going to be doing this more anyway."