Whichever path you choose – pay or not pay – it may take time to return to normal operations. You should take steps to maintain your organization’s essential functions according to your business continuity plan.
What are the risks to consider before payment of ransom?
While delivery of ransomware is an illegal “business”, and it appears that most who pay do receive decryption keys, paying a ransom does not guarantee an organization will regain access to their data.
The decision to pay a ransomware demand must be taken carefully, with acknowledgement and acceptance of risks and in concert with various stakeholders – legal counsel, law enforcement, cyber insurance carrier, and security experts.
Below is an advisory taken directly from the U.S. FBI
“The FBI does not advocate paying a ransom, in part because it does not guarantee an organization will regain access to its data. In some cases, victims who paid a ransom were never provided with decryption keys. In addition, due to flaws in the encryption algorithms of certain malware variants, victims may not be able to recover some or all of their data even with a valid decryption key.
Paying ransoms emboldens criminals to target other organizations and provides an alluring and lucrative enterprise to other criminals. However, the FBI understands that when businesses are faced with an inability to function, executives will evaluate all options to protect their shareholders, employees, and customers.”1
Furthermore, paying of ransom by either the organization or insurer could trigger questions as to whether payment constitutes funding criminal groups, terrorism, rogue states, and/or violating Anti-Money Laundering (AML) laws.
Despite the risks, there are some who would argue that paying ransomware should be viewed as a viable option and evaluated like any other business decision (See: Unconventional Wisdom: Explore Paying The Ransom In Parallel With Other Recovery Options, Josh Zelonis, Principal Analyst, Forester Research, June 4, 2019).
With the average ransomware attack lasting 12.1 days2, there are real costs to having a company or city off-line for days. If one were to accept facts published in popular media, it would appear that ransom payment is often the least costly option. For instance:
- The City of Atlanta was hit with SamSam in March 2018 refused to pay the $51,000 demanded, end result being unable to work around the encryption and $17 million to rebuild its network.
- Baltimore in May 2019 refused to pay attackers the demanded $76,000, then had to spend an estimated $18 million to rebuild its networks.3
Experts – like those in Forrester Research – recommend that organizations weigh everything from their ability to recover to consultant costs to DR plans as well as cybersecurity insurance and whether it will cover ransom. Other factors weighed should include quantification of brand reputation loss, customer satisfaction anticipation, and potential legal liabilities.
Do organizations actually pay ransom?
While statistics are difficult to find, organizations do pay the ransom. For example, an article published by the Associated Press and appearing in The Ledger on June 20, 2019 entitled “Florida city agreed to pay $600,000 in ransom to hackers:”
“A Florida city agreed to pay $600,000 in ransom to hackers who took over its computer system, the latest in thousands of attacks worldwide aimed at extorting money from governments and businesses.
The Riviera Beach City Council voted unanimously this week to pay the hackers’ demands, believing the Palm Beach suburb had no choice if it wanted to retrieve its records, which the hackers encrypted…
The hackers apparently got into the city’s system when an employee clicked on an email link that allowed them to upload malware. Along with the encrypted records, the city had numerous problems including a disabled email system, employees and vendors being paid by check rather than direct deposit and 911 dispatchers being unable to enter calls into the computer. The city says there was no delay in response time.
Spokeswoman Rose Anne Brown said Wednesday that the city of 35,000 residents has been working with outside security consultants, who recommended the ransom be paid. She conceded there are no guarantees that once the hackers received the money they will release the records. The payment is being covered by insurance. The FBI on its website says it “doesn’t support” paying off hackers, but Riviera Beach isn’t alone: many government agencies and businesses do. “We are relying on their (the consultants’) advice,” she said.”
What are the disclosure requirements related to payment of ransom?
The question – what percentage of companies pay ransom – is hard to answer primarily because ransomware victims do not report or disclose the ransomware incident. Why don’t they disclose? Given that ransomware attacks typically involve denying availability of data or systems, notification responsibilities relating to a ransomware attack do not neatly align with other cybersecurity related notification obligations and triggers.4
The real question to investigate is whether unauthorized access alone triggers a notification to customers. In effect, that is what ransomware is doing – accessing your PII without your permission.
Summary of breach notification laws5
HIPAA’s Breach Notification rules requires covered entities (hospital, insurers) to notify customers and the Department of Health and Human Services (HHS) when there’s been unauthorized access to protected health information (PHI). This is the strictest federal consumer data laws when it comes to a ransomware breach response.
Consumer banks and loan companies
Under GLBA, the Federal Trade Commission (FTC) enforces data protection rules for consumer banking and finance through the Safeguards Rule. According to the FTC, ransomware (or any other malware attack) on your favorite bank or lender would not require a notification. They recommend that these financial companies alert customers, but it’s not an explicit obligation.
Brokers, dealers, investment advisors
The Securities and Exchange Commission (SEC) has regulatory authority for these types of investment firms. Under GBLA, the SEC came up with their own rule, called Regulation S-P, which does call for a breach response program. But there’s no explicit breach notification requirement in the program. In other words, it’s something you should do, but you don’t have to.
Investment banks, national banks, private bankers
With these remaining investment companies, the Federal Reserve and various Treasury Department agencies jointly came up with their own rules. In this case, these companies have “an affirmative duty” to protect against unauthorized use or access, and notification is part of that duty. In the fine print it says, though, that there has to be a determination of “misuse” of data. Whether ransomware’s encryption is misuse of the data is unclear. In any case, the rules spell out what the notification must contain — a description of the incident and the data that was accessed.
US state laws
Currently, there are 48 states that have consumer breach notification laws. However, only two states, New Jersey and Connecticut, require a breach notification on access alone, thereby covering a ransomware attack. But there’s additional fine print that may allow companies to avoid reporting the breach to affected consumer in their state.
EU data laws
Under the Data Protection Directive (DPD), there isn’t a breach notification requirement. Some countries such as Germany, though, have added it in their national data laws. (And ISPs and telecoms under the EU’s e-Privacy Directive already have their own breach reporting rule.) But the new EU General Data Protection Regulation, which will go into effect in 2018, does have a 72-hour rule requiring notification to local data protection authorities (DPAs) and consumers when “personal data” is accessed. However, a harm-based threshold is applied – the breach would have to “result in a risk to the rights and freedoms” of consumers. Notification for a ransomware attack would be very dependent on specific circumstances, and we’ll likely have to wait for more clarification from the regulators.
Please note this material has been prepared for general informational purposes only and is not intended to be relied upon as legal, accounting, tax or other professional advice.
Show article references#Hide article references
- FBI Alert Number I-100219-PSA, October 02, 2019
- Coveware Ransomware Marketplace 2019.
- Ian Duncan, “Baltimore estimates cost of ransomware attack at $18.2 million as government begins to restore email accounts,” The Baltimore Sun, May 29, 2019
- John Reed Stark, former Chief of the SEC’s Office of Internet Enforcement
- A Guide to Complying with US and EU Breach Notification Rules
The decision to pay a ransomware demand must be taken carefully, with acknowledgement and acceptance of risks and in concert with various stakeholders. The time to figure out the policy toward ransomware payment is not during the event. It is strongly advised that organizations tabletop the incident with relevant stakeholders, pre-define the alternatives, and practice execution of the plan. This is all the more critical as it would appear ransomware attackers recognize the limitations of their business model – and are beginning to not simply encrypt data, but exfiltrate it just in case the victim decides to recover from backup.