Over the last week or so, I have had a number of podcasts, with guests speaking about differing areas of their expertise. But one common question that kept coming up (which I have to admit I prodded for) was about Ransomware. For instance, I asked them what they thought about it, and the big question: should the ransom actually be paid? Astonishingly enough, the answers were mixed on this.
In my opinion, a ransom should never be paid. First, it shows the Cyberattacker that you will bend, even though you may not want to. As a result, the chances are much greater that they will come around for you the next time, and even demand a higher ransom payment.
Second, if you are good at maintaining backups on a prescribed schedule, then restoring mission critical operations should not be a problem. But this is largely dependent upon what kind of environment your IT/Network Infrastructure is hosted in.
If you are in the Cloud, for example using Microsoft Azure, then this will not be a problem. You could be up and running within just a few hours. But if some part of it is On Prem, the restoration process could take much longer, assuming that you have to resort to tape backups.
Third, if you do make a ransom payment, many insurance companies are now refusing to pay out on filed claims in these cases. I think this all started with a French insurance company called Axa, when they all of a sudden said that they would stop making payments.
As a result, other carriers followed suit. Fourth, it can even be considered illegal to make a ransom payment, especially if it is paid to a nation state actor, such as Russia, China, Iran, or North Korea.
So now, this begs a new question: should all Ransomware payments be made illegal? In other words, even if you paid just a few thousand dollars to a Cyberattacker, should you still face legal consequences for it?
Here are some considerations:
1) Ransomware is getting uglier: Gone are the days when a Cyberattacker would simply deploy a malicious payload, lock up your computer, and encrypt your files. It has become far worse now, with extortion-like attacks taking place, which could even threaten the lives of the victims involved. If this were to happen, the first instinct is to pay up. But if it were made completely illegal, would you still do it?
2) Not all businesses are equal: This is where you would compare an SMB to a Fortune 500 company. If ransom payments were made illegal, the latter has a far better chance of surviving than the former; it could totally wipe out an SMB in a matter of hours. Also, keep in mind that many Cyberattackers are now targeting SMBs given just how vulnerable they are.
3) Payments can still be made: Even if they were made completely illegal, businesses will still try to find a way to make a payment to the Cyberattacker, that is, covertly. But given all of the audit trails that financial institutions now have to implement, the payor would eventually be caught. Bringing him or her to justice, however, would take an enormous amount of time and expense, not only to collect the forensic evidence but from the standpoint of litigation as well. Again, is this all worth it if the ransom payment was only a few thousand dollars? Probably not.
4) More participation from law enforcement: While Federal Government agencies, such as the FBI, are doing a great job of tracking down those Cyberattackers that have launched Ransomware attacks, their resources are obviously limited. Because of this, their priority is to first go after those attacks that have caused a large amount of damage, or where there is an extortion plot going on. They obviously don't have the resources to chase down those people that make the small ransom payments.
5) The Cyberattacker will find another way: If ransom payments are made 100% illegal, no matter what the circumstances, the Cyberattacker will find another way to be compensated. But this time, the consequences could be far deadlier and even more extreme.
My Thoughts On This:
So given the considerations I just listed (and there are probably many more of them), is it worth it to make ransom payments totally illegal? While it may have short-term advantages, the long run will not be served. In the end, businesses should have the option of whether they want to pay up or not, even though I still think they should not.
There are calls now for the Federal Government to enact more best practices and standards for businesses to follow, but in the end, it will be up to the business owner to implement them. The only thing that would obligate them to do so is if it becomes actual law. But by the time this actually happens, the newly enacted legislation will be far too outdated for the latest Cyber threat variants.
So, you may be asking what can be done? Simple: keep a proactive mindset within you and your IT Security team. Always create backups!!! The costs of taking the steps to mitigate the risk of your business being hit by a Ransomware attack pale in comparison to what the actual damage will be in the end.