Ransomware: to pay or not to pay?

By EY Americas

Multidisciplinary professional services organization

7 minute read 10 Jun 2020

Organizations across the globe need to develop a ransomware payment policy, anticipating a potential future attack.

In previous articles, we have focused on mechanisms by which you can protect against and recover from ransomware attacks. Many clients have subsequently asked… what if we were to consider payment? Is it a viable option? What are the risks? Would we have to disclose to regulators, shareholders, or the public? How should we be preparing for this decision? While we at EY do not suggest organizations pay ransoms, we do acknowledge this option exists. We have therefore created this concise guide on the subject with the caveat that organizations who are faced with this scenario should seek legal counsel, recommendations from any cyber insurance providers, input from law enforcement as well as expert security advice before making any final determination as to the appropriate course of action.

The basics – what is ransomware?

Ransomware is a type of malicious software cyber actors use to deny access or availability to systems or data. The cyber actor holds systems or data hostage until the ransom is paid. After the threat actors gain access to a network, they deploy ransomware to shared storage drives and other accessible systems. If the demands are not met, the system or encrypted data remains unavailable, or data may be deleted. A recent and emerging tactic is for these threat actor groups to exfiltrate sensitive data and threaten to publicly disclose the data if the ransom is not paid, further extorting impacted companies.

How should I prepare for a ransomware event beyond the usual IT infrastructure protections?

  • Consider cybersecurity and business interruption insurance.
  • Place a cybersecurity response team on retainer with expertise in responding to ransomware events.
  • Establish corporate policy (and legality) for payment of ransom as an option, in consultation with your internal or external counsel and cyber insurance carrier.
  • Establish who you would call in the event of a ransomware attack and ensure their contact information is up to date (law enforcement, external counsel, insurance carrier, regulators, IR Team). This should be part of your incident response playbook, which should be exercised, reviewed, and refreshed often.
  • Define particulars of when, how, and under what conditions the decision to pay or not pay would be made. This is where an executive ‘tabletop exercise’ (TTX) can be helpful, wherein you create a similar ransomware incident environment, and then pressure test decisions which will be needed if the event occurs.
  • If the payment of ransom is an option, plan for how you would acquire and pay out cryptocurrency (ransom is usually paid in bitcoin). Note this is typically done by a third party. External IR and counsel will have their preferences as will Insurers who may require use of a particular party.
  • Evaluate your ability to recover from backup at scale. It is best to assume your last known good backups are also compromised.
    • Note that whichever path you choose – pay or not pay – it may take time to return to normal operations. You should take steps to maintain your organization’s essential functions according to your business continuity plan.

Whichever path you choose – pay or not pay – it may take time to return to normal operations. You should take steps to maintain your organization’s essential functions according to your business continuity plan.

What are the risks to consider before payment of ransom?

While delivery of ransomware is an illegal “business”, and it appears that most who pay do receive decryption keys, paying a ransom does not guarantee an organization will regain access to their data.

The decision to pay a ransomware demand must be taken carefully, with acknowledgement and acceptance of risks and in concert with various stakeholders – legal counsel, law enforcement, cyber insurance carrier, and security experts. 

Ransomware payment decision flowchart

Below is an advisory taken directly from the U.S. FBI

“The FBI does not advocate paying a ransom, in part because it does not guarantee an organization will regain access to its data. In some cases, victims who paid a ransom were never provided with decryption keys. In addition, due to flaws in the encryption algorithms of certain malware variants, victims may not be able to recover some or all of their data even with a valid decryption key.

Paying ransoms emboldens criminals to target other organizations and provides an alluring and lucrative enterprise to other criminals. However, the FBI understands that when businesses are faced with an inability to function, executives will evaluate all options to protect their shareholders, employees, and customers.”1

Furthermore, paying of ransom by either the organization or insurer could trigger questions as to whether payment constitutes funding criminal groups, terrorism, rogue states, and/or violating Anti-Money Laundering (AML) laws.

Despite the risks, there are some who would argue that paying ransomware should be viewed as a viable option and evaluated like any other business decision (See: Unconventional Wisdom: Explore Paying The Ransom In Parallel With Other Recovery Options, Josh Zelonis, Principal Analyst, Forester Research, June 4, 2019).

With the average ransomware attack lasting 12.1 days2, there are real costs to having a company or city off-line for days. If one were to accept facts published in popular media, it would appear that ransom payment is often the least costly option. For instance:

  • The City of Atlanta was hit with SamSam in March 2018 refused to pay the $51,000 demanded, end result being unable to work around the encryption and $17 million to rebuild its network.
  • Baltimore in May 2019 refused to pay attackers the demanded $76,000, then had to spend an estimated $18 million to rebuild its networks.3

Experts – like those in Forrester Research – recommend that organizations weigh everything from their ability to recover to consultant costs to DR plans as well as cybersecurity insurance and whether it will cover ransom. Other factors weighed should include quantification of brand reputation loss, customer satisfaction anticipation, and potential legal liabilities.

Do organizations actually pay ransom?

While statistics are difficult to find, organizations do pay the ransom. For example, an article published by the Associated Press and appearing in The Ledger on June 20, 2019 entitled “Florida city agreed to pay $600,000 in ransom to hackers:”

“A Florida city agreed to pay $600,000 in ransom to hackers who took over its computer system, the latest in thousands of attacks worldwide aimed at extorting money from governments and businesses.

The Riviera Beach City Council voted unanimously this week to pay the hackers’ demands, believing the Palm Beach suburb had no choice if it wanted to retrieve its records, which the hackers encrypted…

The hackers apparently got into the city’s system when an employee clicked on an email link that allowed them to upload malware. Along with the encrypted records, the city had numerous problems including a disabled email system, employees and vendors being paid by check rather than direct deposit and 911 dispatchers being unable to enter calls into the computer. The city says there was no delay in response time.

Spokeswoman Rose Anne Brown said Wednesday that the city of 35,000 residents has been working with outside security consultants, who recommended the ransom be paid. She conceded there are no guarantees that once the hackers received the money they will release the records. The payment is being covered by insurance. The FBI on its website says it “doesn’t support” paying off hackers, but Riviera Beach isn’t alone: many government agencies and businesses do. “We are relying on their (the consultants’) advice,” she said.”

What are the disclosure requirements related to payment of ransom?

The question – what percentage of companies pay ransom – is hard to answer primarily because ransomware victims do not report or disclose the ransomware incident. Why don’t they disclose? Given that ransomware attacks typically involve denying availability of data or systems, notification responsibilities relating to a ransomware attack do not neatly align with other cybersecurity related notification obligations and triggers.4

The real question to investigate is whether unauthorized access alone triggers a notification to customers. In effect, that is what ransomware is doing – accessing your PII without your permission.

Summary of breach notification laws5

  • Healthcare

    HIPAA’s Breach Notification rules requires covered entities (hospital, insurers) to notify customers and the Department of Health and Human Services (HHS) when there’s been unauthorized access to protected health information (PHI). This is the strictest federal consumer data laws when it comes to a ransomware breach response.

  • Consumer banks and loan companies

    Under GLBA, the Federal Trade Commission (FTC) enforces data protection rules for consumer banking and finance through the Safeguards Rule. According to the FTC, ransomware (or any other malware attack) on your favorite bank or lender would not require a notification. They recommend that these financial companies alert customers, but it’s not an explicit obligation.

  • Brokers, dealers, investment advisors

    The Securities and Exchange Commission (SEC) has regulatory authority for these types of investment firms. Under GBLA, the SEC came up with their own rule, called Regulation S-P, which does call for a breach response program. But there’s no explicit breach notification requirement in the program. In other words, it’s something you should do, but you don’t have to.

  • Investment banks, national banks, private bankers

    With these remaining investment companies, the Federal Reserve and various Treasury Department agencies jointly came up with their own rules. In this case, these companies have “an affirmative duty” to protect against unauthorized use or access, and notification is part of that duty. In the fine print it says, though, that there has to be a determination of “misuse” of data. Whether ransomware’s encryption is misuse of the data is unclear. In any case, the rules spell out what the notification must contain — a description of the incident and the data that was accessed.

  • US state laws

    Currently, there are 48 states that have consumer breach notification laws. However, only two states, New Jersey and Connecticut, require a breach notification on access alone, thereby covering a ransomware attack. But there’s additional fine print that may allow companies to avoid reporting the breach to affected consumer in their state.

  • EU data laws

    Under the Data Protection Directive (DPD), there isn’t a breach notification requirement. Some countries such as Germany, though, have added it in their national data laws. (And ISPs and telecoms under the EU’s e-Privacy Directive already have their own breach reporting rule.) But the new EU General Data Protection Regulation, which will go into effect in 2018, does have a 72-hour rule requiring notification to local data protection authorities (DPAs) and consumers when “personal data” is accessed. However, a harm-based threshold is applied – the breach would have to “result in a risk to the rights and freedoms” of consumers. Notification for a ransomware attack would be very dependent on specific circumstances, and we’ll likely have to wait for more clarification from the regulators.

Please note this material has been prepared for general informational purposes only and is not intended to be relied upon as legal, accounting, tax or other professional advice.

Summary

The decision to pay a ransomware demand must be taken carefully, with acknowledgement and acceptance of risks and in concert with various stakeholders. The time to figure out the policy toward ransomware payment is not during the event. It is strongly advised that organizations tabletop the incident with relevant stakeholders, pre-define the alternatives, and practice execution of the plan. This is all the more critical as it would appear ransomware attackers recognize the limitations of their business model – and are beginning to not simply encrypt data, but exfiltrate it just in case the victim decides to recover from backup.

About this article

By EY Americas

Multidisciplinary professional services organization