No industry wants to set the precedent that they are the most lucrative target, which is why having a conversation in strict black and white terms of paying or not paying isn’t feasible. “Every organization is different,” said Sean Mason, director, threat management and incident response, Cisco Security Services.
Government agencies and private enterprises have two very different ways of looking at the world. Mason said, “For government agencies ransomware is terrorism versus the private enterprise that has an obligation to their shareholders and customers.”
Whether to pay a ransom really depends on the type of organization: if an attacker can get in and essentially shut the organization down, that is a significant impact with costly repercussions. Understanding the impact of what has happened to the organization is important and ought not to be clouded by fear.
Many do share the concerns of Mike Hanley, director of Duo Labs at Duo Security, who spoke about the continued attacks on hospitals. Hanley said that these attacks can directly impact patient health, but Mason isn’t as convinced that there is a correlation.
“It’s easy to say that a hospital got hit and patient lives are at risk, but that is not necessarily the case. It can be down the road, but I have not read about or seen one where patient lives were at risk,” said Mason.
“I think there are a number of cases where they should pay, and I say that unfortunately. If there is an impact to human life, that’s a no brainer. You pay the ransom,” Mason said.
Criminals prey on the fear of their victims whether the ransomware impacts patient health or shareholder profit. They know that every minute without access translates to some sort of loss, and they rely on the hope that their victims will pay, which is why paying should be a last resort.
Taking a firm stand that nobody will ever pay is not realistic or even feasible as proven by the fact that ransomware is a viable business model for criminals. “It works,” said Mason, “and to unilaterally say we won’t pay again is not in the realm of possibility.”
Instead, enterprises should prepare themselves for an imminent attack so that they are well placed to recover and move on. Lance James, chief scientist at Flashpoint, noted that ransomware is a symptom of a bigger problem.
“There is malware that comes in before the ransomware drops in, like Pony, Dridex, or other information stealing malware, so those systems are already infected and they are stealing other data as well,” James said.
Many enterprises should be able to quickly recover without having to pay. “Paying is ill-advised. There is already a security flaw if they are getting in the door. Hopefully those who have already been attacked will focus on thinking about the ransomware hit as a problem in their environment,” James said.