
Ransomware: To Pay or Not to Pay?

by SentinelOne
Contents

Is Paying a Ransom to Stop a Ransomware Attack Illegal? 3
Is it Ethical to Pay a Ransomware Demand? 5
Is it Prudent to Pay a Ransomware Demand? 7
What happens if I don’t pay a ransom for Ransomware Attacks? 9
What happens if I pay a ransom for Ransomware Attacks? 11
Conclusion 14
7 Lessons Every CISO Can Learn From the ANU Cyber Attack

Is Paying a Ransom to Stop a Ransomware Attack Illegal?

It may seem odd to some, but it isn’t illegal to pay a ransomware demand, even though the forced encryption of someone else’s data and the demand for payment is itself a federal crime under at least the Computer Fraud and Abuse Act and the Electronic Communications Privacy Act, as well as many laws passed by State legislatures. The one important qualification is sanctions law: in the United States, OFAC prohibits transactions with designated persons and entities on a strict-liability basis, and some ransomware operators and the wallets they use have been designated, so a payment that reaches a sanctioned actor can itself be unlawful even though paying a ransom is not otherwise a crime. Check the recipient against the sanctions lists before any payment is authorized.

One might argue that the best way to solve the ransomware epidemic would be to make it illegal for organizations to pay. Criminals are naturally only interested in the payoff, and if that route to the payday were simply proscribed by law, it would very quickly lead both to companies exploring other options to deal with ransomware and, at least in theory, to criminals moving toward some other endeavour with an easier payout.

In sum, one could argue that it is the ease with which criminals can be paid and the perceived anonymity of crypto payment that helps foster the continuance of the ransomware threat.

The idea of outlawing the payment of ransomware demands might seem appealing at first, until you unpack the idea to think how it would work in practice. Publicly traded companies have a legal duty to shareholders; public service companies have legally binding commitments to serve their communities. A law that threatened to fine organizations, or perhaps imprison staff, would be hugely controversial in principle and likely difficult to enforce in practice, quite aside from the ethics of criminalizing the victim of a crime whose sole intent is to coerce that victim into making a payment.

Imagine a prosecutor attempting to convince a court that an employee – whose actions, say, restored a critical public service and saved the taxpayer millions of dollars after authorizing a five figure ransomware payment – should be jailed. How would that, in principle, be different from prosecuting a parent for securing the safety of a child by paying off kidnappers? It doesn’t look like an easy case to win, particularly when the employee (or organization) might cite legitimate extenuating circumstances such as preserving life or other legal obligations.

Is it Ethical to Pay a Ransomware Demand?

If it’s not illegal to pay a ransomware demand, that still leaves open the separate question as to whether it’s ethical. There are a couple of different angles that can be taken on this one. According to some interpretations of ethics, something is a “good” or “right” decision if it leads to an overall benefit for the community.

On this pragmatic conception of ethics, one might argue that paying a ransomware demand that restores some vital service or unlocks some irreplaceable data outweighs the ‘harm’ of rewarding and encouraging those engaged in criminal behavior.

On the other hand, it could be argued that what is right, or ethical, is distinct from what is a pragmatic or merely expedient solution. Indulging in a fantastical thought-experiment for a moment, would we consider it ethical if a ransomware author demanded the life of a person, instead of money, to release data that would save the lives of thousands of others? Many would have a strong intuition that it would always be unethical to murder one innocent to protect the lives of others. And that suggests that what is “right” and “wrong” might not revolve around a simple calculation of perceived benefits.

The real problem with the pragmatic approach, however, is that there’s no agreement on how to objectively calculate the outcome of different ethical choices. More often than not, the weight we give to different ethical choices merely reflects our bias for the choice that we are naturally predisposed to.

If pragmatism can’t help inform us of whether it’s ethical or not to pay ransomware, we could look to a different view of ethics that suggests we should consider actions as “right” or “wrong” insofar as they reflect the values of the kind of society we want to live in. This view is sometimes expressed more simply as a version of the “do unto others as you would have them do unto you” maxim. A more accurate way to parse it might be to ask: Do we want to live in a society where we think it’s right (ethical) to pay those who engage in criminal behavior? Is this a maxim that we would want to teach our children? Put in those terms, many would perhaps say not.

Is it Prudent to Pay a Ransomware Demand?

Even if we might have a clear idea of the legal situation and a particular take on our own ethical stance, the question of whether to pay or not to pay raises other issues. We are not entirely done with the pragmatics of the ransomware dilemma. We may still feel inclined to make an unethical choice in light of other, seemingly more pressing concerns.

Even if they believe it would be technically unethical to do so, sometimes, some people may judge that today’s hard reality just takes imminent precedence over loftier principles.

There is a real, tangible pressure on making a choice that could save your organization or your city millions of dollars, or which might spare weeks of downtime of a critical service.

A case in point: in October 2019, three Alabama hospitals run by DCH Health System paid a ransom in order to resume operations. The hospitals’ spokesperson said:

“We worked with law enforcement and IT security experts to assess all
options in executing the solution we felt was in the best interests of our
patients and in alignment with our health system’s mission. This included
purchasing a decryption key from the attackers to expedite system recovery
and help ensure patient safety.”
This “hard reality” perspective is reflected in recent changes made to the
FBI’s official guidance on ransomware threats.

“…the FBI understands that when businesses are faced with an inability to
function, executives will evaluate all options to protect their shareholders,
employees, and customers.”

However, the possibility that the criminals will not hold up their side of the bargain must be factored into any decision about paying a ransomware demand. In some cases, decryption keys are not even available, and in others, the ransomware authors simply didn’t respond once they were paid. We saw this to some degree with WannaCry. In the flurry of the WannaCry outbreak, some victims paid and got keys, yet a large number either never heard from the authors or could not be matched to their payment at all: the malware sent every victim to one of only three hard-coded Bitcoin addresses, so the operators had no reliable way of telling which victim had paid, and the key pair generated on the victim’s machine could not be matched on the server side, making per-victim decryption impossible in practice.

A further point to consider when weighing up the prudence of acquiescing to the demand for payment is how this will affect your organization beyond the present attack itself. Will paying harm your reputation or earn you plaudits? Will other – or even the same – attackers now see you as a soft target and look to strike you again? Will your financial support for the criminals’ enterprise lead to further attacks against other companies, or services, that you yourself rely on? In other words, will giving in to the ransomware demand produce worse long-term effects than the immediate ones it seems – if the attackers deliver on their promise – to solve?

What happens if I don’t pay a ransom for Ransomware Attacks?

If you choose not to pay the ransom, then of course you are in the very same position the ransomware attacker first put you in by encrypting all your files in order to “twist your arm” into paying.

Depending on what kind of ransomware infection you have, there is some possibility that a decryptor already exists for that strain; less likely, but not unheard of, is the possibility that an expert analysis team may discover a way to decrypt your files. A lot of ransomware is poorly written and poorly implemented, and it may be that all is not as lost as it might at first seem. Identify the family first (NoMoreRansom’s Crypto Sheriff takes a sample encrypted file and the ransom note for exactly that purpose), and work on copies of the encrypted files rather than the originals: a decryptor written for a different variant can corrupt data that a later tool might have recovered.

Projects like NoMoreRansom (nomoreransom.org) can be a very valuable resource when evaluating your course of action when facing a ransomware attack. The NoMoreRansom Project is the culmination of effort from global law enforcement agencies and private security industry partners. They host a large repository of stand-alone decryption tools which are constantly updated by industry partners.
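The check implied above, as an added example (not code from this whitepaper or from SentinelOne): a small triage script that tests whether files a ransom note calls “encrypted” actually are, by looking for a surviving file signature and comparing the entropy of the head and the tail of each file. Poorly written ransomware sometimes only renames files, or encrypts only the first few kilobytes, and either case changes the decision about paying. The sample files are constructed inline; during a real incident you would run it over copies of the affected files.

```python
"""Triage files that a ransom note claims are encrypted.

Added example for this whitepaper, not SentinelOne code. The sample files are
constructed inline so the script runs offline; pass real files (read as bytes,
working on copies) to `triage` to use it on an actual incident."""
import hashlib
import math
from collections import Counter

# File signatures worth recognising; extend for your environment.
MAGIC = {
    b"%PDF-": "pdf",
    b"\x89PNG\r\n\x1a\n": "png",
    b"PK\x03\x04": "zip/office",
    b"SQLite format 3\x00": "sqlite",
}
HIGH = 7.5   # bits/byte: typical of ciphertext (or already-compressed data)
LOW = 7.0    # below this a 4 KiB window is almost certainly not ciphertext


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte over `data`; 8.0 is the maximum."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def sniff_type(data: bytes):
    """Return the format name if a known signature is still at offset 0."""
    for magic, name in MAGIC.items():
        if data.startswith(magic):
            return name
    return None


def triage(name: str, data: bytes, window: int = 4096) -> dict:
    """Classify one file by looking at its head and tail separately: some
    ransomware families encrypt only the first N bytes of large files, and a
    few only rename files, so 'encrypted' is a claim to verify, not trust."""
    head_ent = shannon_entropy(data[:window])
    tail_ent = shannon_entropy(data[-window:])
    kind = sniff_type(data)
    if kind is not None:
        code, why = "HEADER_INTACT", f"{kind} signature still present; try opening a copy"
    elif head_ent >= HIGH and tail_ent < LOW:
        code, why = "PARTIAL", "head is ciphertext but tail is clear; data may be carved"
    elif head_ent >= HIGH and tail_ent >= HIGH:
        code, why = "ENCRYPTED", "identify the family before running any decryptor"
    else:
        code, why = "PLAINTEXT", "low entropy and no signature; probably renamed or corrupted"
    return {"name": name, "code": code, "type": kind,
            "head_entropy": round(head_ent, 2), "tail_entropy": round(tail_ent, 2),
            "note": why}


def pseudo_random(n: int, seed: bytes = b"constructed sample") -> bytes:
    """Deterministic stand-in for ciphertext (a SHA-256 chain), used only so the
    constructed samples below look like encrypted data without randomness."""
    out, block = bytearray(), seed
    while len(out) < n:
        block = hashlib.sha256(block).digest()
        out += block
    return bytes(out[:n])


# Constructed samples, one per verdict. Real files would be read from disk.
SAMPLES = {
    "invoice.pdf.locked": b"%PDF-1.4\n" + b"1 0 obj << /Type /Catalog >> endobj\n" * 200,
    "customers.db.locked": pseudo_random(4096) + b"INSERT INTO users VALUES (1,'a');\n" * 300,
    "photo.jpg.locked": pseudo_random(16384),
    "notes.txt.locked": b"Weekly meeting notes, nothing encrypted here.\n" * 100,
}


def triage_all(samples=SAMPLES) -> dict:
    """Map file name -> verdict code for every sample."""
    return {name: triage(name, data)["code"] for name, data in samples.items()}


if __name__ == "__main__":
    for name, data in SAMPLES.items():
        r = triage(name, data)
        print(f"{r['name']:22} {r['code']:14} head={r['head_entropy']:.2f} "
              f"tail={r['tail_entropy']:.2f}  {r['note']}")
```

The signature check runs before the entropy test on purpose: already-compressed formats such as JPEG, ZIP and Office documents are close to 8 bits/byte even when untouched, so entropy alone would flag them as encrypted. The thresholds are heuristics for a 4 KiB window; a verdict of HEADER_INTACT or PARTIAL is a reason to involve an analyst before assuming the data is gone, not proof that it is recoverable.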

Also consider whether you have inventoried all possible backup and recovery options. Many look no further than the Maersk shipping story during the NotPetya attack to emphasize the importance of being able to rapidly restore one’s entire infrastructure from backup. The most eye-opening realization for Maersk (and indeed the entire industry) was that recovery depended on a happy accident: a single domain controller, in the company’s Ghana office, escaped infection because a local power outage had taken it offline. Without that fortunate, coincidental event, it would have taken far longer to rebuild the entire infrastructure after roughly 50,000 devices and thousands of apps were destroyed all at once.

Some hail this as a success story for backups, but shareholders and operators on board the thousands of ships worldwide are quick to remind us that this incident still cost the company roughly $300 million by Maersk’s own estimate. While backup and restoration are indeed critical, they are by no means a complete strategy for addressing the threat of ransomware.

Finally, there is the worst case scenario, where you have no backups and no
recovery software, and you will have to dig yourself out by re-building data,
services and, perhaps your reputation, from the ground up. Transparency is
undoubtedly your best bet in that kind of scenario. Admit to past mistakes,
commit to learning those lessons, and stand tall on your ethical decision not to
reward criminal behavior.
What happens if I pay a ransom for Ransomware Attacks?

There is perhaps more uncertainty in paying than there is in not paying. At least when you choose not to pay a ransomware demand, what happens next is in your hands. In handing over whatever sum the ransomware attacker demands, you remain in their clutches until or unless they provide a working decryption key.

Before going down the road of paying, look for experienced advisors and consultants to help negotiate with the extortionists. Despite the often taunting ransomware notes, some ransomware groups will engage in negotiating terms if they think it will improve their chances of a payday.

Tactics like asking for ‘proof of life’ to decrypt a portion of the environment up front prior to payment, or negotiating payment terms like 50% up front and 50% only after the environment has been decrypted, can work with some groups, albeit not with others.

The vast majority of ransom is still being paid in bitcoin, which is not an anonymous or untraceable currency: it is pseudonymous, and every transaction is recorded on a public ledger, so funds can be followed from wallet to wallet even when the owner of a wallet is not immediately known. If you do feel forced to pay, you can work with the FBI and share wallet and payment details (the addresses from the ransom note, the transaction IDs and the time of payment). Global law enforcement is keen to track where the money moves.
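A concrete version of “share wallet and payment details”, as an added example that is not part of this whitepaper: extract the Bitcoin addresses from a ransom note and verify their Base58Check checksums before they go into an IOC report, so that a transcription error, or a victim ID that merely looks like an address, does not get handed to investigators. The ransom note is constructed; the one valid address in it is the well-known Bitcoin genesis address, used only because its checksum is known to be good. Legacy addresses only; bech32 (bc1…) addresses are out of scope for this example.

```python
"""Pull Bitcoin addresses out of a ransom note and verify them before
sharing them with law enforcement.

Added example for this whitepaper, not SentinelOne code. The ransom note is
constructed; the only real address in it is the Bitcoin genesis address,
chosen because its checksum is known to be valid. Legacy (Base58Check)
addresses only; bech32 'bc1...' addresses are not handled here."""
import hashlib
import json
import re

B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
# Loose pattern: anything that *looks* like a legacy address. The checksum decides.
CANDIDATE = re.compile(r"\b[13][1-9A-HJ-NP-Za-km-z]{25,34}\b")
VERSIONS = {0x00: "P2PKH", 0x05: "P2SH"}


def base58check_decode(addr: str):
    """Return the 21-byte payload (version byte + hash160), or None if the
    4-byte double-SHA-256 checksum does not match."""
    num = 0
    for ch in addr:
        idx = B58.find(ch)
        if idx < 0:
            return None
        num = num * 58 + idx
    body = num.to_bytes((num.bit_length() + 7) // 8, "big") if num else b""
    # Each leading '1' encodes a leading zero byte that the integer dropped.
    leading = len(addr) - len(addr.lstrip("1"))
    raw = b"\x00" * leading + body
    if len(raw) != 25:
        return None
    payload, checksum = raw[:21], raw[21:]
    digest = hashlib.sha256(hashlib.sha256(payload).digest()).digest()
    return payload if digest[:4] == checksum else None


def extract_addresses(note: str) -> list:
    """Every candidate in `note`, with the checksum result and, for valid
    ones, the address type and hash160 an analyst would report."""
    results = []
    for cand in sorted(set(CANDIDATE.findall(note))):
        payload = base58check_decode(cand)
        if payload is None:
            results.append({"address": cand, "valid": False})
            continue
        results.append({"address": cand, "valid": True,
                        "type": VERSIONS.get(payload[0], f"unknown(0x{payload[0]:02x})"),
                        "hash160": payload[1:].hex()})
    return results


def valid_addresses(note: str) -> list:
    """Only the addresses that survive checksum validation."""
    return [r["address"] for r in extract_addresses(note) if r["valid"]]


# Constructed ransom note. The "backup wallet" is the genesis address with its
# last character altered; the victim ID is hex that happens to match the regex.
NOTE = """!!! ALL YOUR FILES HAVE BEEN ENCRYPTED !!!
Send 0.3 BTC to 1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa within 72 hours.
Backup wallet: 1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNb
Your personal ID: 1f3a9c2b7e4d8a6c5b9f2e1d3c4b5a6978
Contact: support@example.invalid
"""

if __name__ == "__main__":
    # Machine-readable output is what goes to the FBI/IC3, together with the
    # transaction IDs and timestamps once a payment has actually been made.
    print(json.dumps(extract_addresses(NOTE), indent=2))
```

Two of the three candidates fail: the altered address because its checksum no longer matches, and the victim ID because it was never an address at all. Only the checksum-validated entries belong in the report, and the hash160 is worth including because it is what blockchain-analysis tooling keys on regardless of how the address was encoded.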

And where do you go beyond that? Any sensible organization must realize the
need for urgent investment in determining not only the vector of that attack but all
other vulnerabilities, as well as rolling out a complete cybersecurity solution that
can block and rollback ransomware attacks in future. While these are all costs
that need to be borne regardless of whether you pay or do not pay, the temptation
to take the quick, easy way out rather than working through the entire problem
risks leaving holes that may be exploited in the future. Balance the need for speed
of recovery against several risks:

1. Unknown back doors the attackers leave on systems
2. Partial data recovery (note some systems will not be recovered at all)
3. Zero recovery after payment (it is rare, but in some cases the decryption key provided is 100% useless, or worse, one is never sent)

Finally, note that some organizations that appear to be hit successively by the same actors may in fact have been compromised only once: the attackers’ original access was never fully removed, and the encryption payload was simply triggered again in subsequent waves. Eradicating that access, not just restoring the data, is part of recovery. Experience pays off tremendously in all of these scenarios, and ‘knowing thy enemy’ can make all the difference.
Conclusion

Ransomware continues to evolve, with ransomware-as-a-service now growing in popularity. Malware authors sell custom-built ransomware to cybercriminals in exchange for a percentage of the profit. The buyer of the service decides on the targets and the delivery methods. This division of labor and risk is leading to increasingly targeted malware, innovation in delivery methods and ultimately a higher frequency of ransomware attacks.

Along with the threat of extortion through data leakage, these recent trends make it vital for organizations to invest in securing endpoints and networks and in preventing breaches from occurring in the first place, through AI-powered behavioral detection engines that rely on neither file reputation nor cloud connectivity. If you would like to see how SentinelOne can help protect your business from ransomware and other threats, contact us today or request a free demo.

We would like to thank Daniel Card and Chris Roberts for their assistance
with this whitepaper.

ABOUT SENTINELONE

SentinelOne is the only cybersecurity solution encompassing AI-powered prevention, detection, response and hunting across endpoints, containers, cloud workloads, and IoT devices in a single autonomous platform. With SentinelOne, organizations gain full transparency into everything happening across the network at machine speed – to defeat every attack, at every stage of the threat lifecycle. To learn more visit www.sentinelone.com or follow us at @SentinelOne, on LinkedIn or Facebook.
