In early August, the City of Atlanta reported that the costs associated with its SamSam ransomware infection could reach $17 million, and the FBI has estimated the number of ransomware attacks may be as high as 4,000 per day. To help address the complex issue of when organizations might consider paying a cyber ransom, we’ve invited The Crypsis Group, a leading data breach forensics consulting group, to collaborate on this post.
The Crypsis team has helped their clients respond to over one hundred ransomware incidents during the past year alone, and Davis Polk has conducted many tabletop exercises to walk companies through the decision-making process of whether to pay. When faced with a ransomware demand, companies have the following concerns: (1) the hackers will take the money but not release the data, (2) paying the ransom will just encourage more attacks against the company, (3) the legal risks associated with handing large sums of money over to unknown criminals, and (4) a general feeling that taking corporate assets and giving them to people who will use that money to fund future criminal attacks is wrong. All of these are good reasons not to pay a ransom, and in most cases, paying a ransom is not advisable. But, there are some situations in which companies should seriously consider paying a ransom to hackers as the best choice among a limited number of bad options. And many companies do pay.
Planning is key to improving what can be a chaotic decision-making process, and here are some tips to help in that planning:
Conduct Regular Training Exercises. The best way to deal with a ransomware attack is to have it fail. Phishing is still the most common way companies are targeted, so you can reduce the risk of ransomware attacks with regular phishing training and testing.
Cover the Basics. You can also significantly reduce the risk of ransomware if you have good programs for software updates, patch management, and data backups. The Davis Polk Cyber Portal is now available to assist our clients in their efforts to defend against cyberattacks and maintain compliance with their cybersecurity regulatory obligations. Contact firstname.lastname@example.org for more details.
Make Sure You Can Find Out What Happened. It’s hard to make the right decisions if you don’t know the nature and scope of the compromise. So, another priority is to have detailed activity logs that allow you to quickly figure out what happened and when it happened.
Establish Contacts with Law Enforcement. It is often very hard to assess whether a particular hacker, if paid, is actually willing and able to unlock encrypted data and restore access. Law enforcement can often help identify particular hacking groups and advise as to whether they have a history of doing what they promise. The FBI or the Department of Homeland Security may also have the tools needed to unlock encrypted data without having to involve the hackers. The better your preexisting relationship with law enforcement on cyber issues, the more likely they will be able to promptly provide you with meaningful assistance in a ransomware situation.
Validate Your Backup Data So It Is Ready for Recovery. You may not need to pay a ransom if you can restore the encrypted data from backups. Companies should periodically test their backup data, including whether it can be quickly restored, whether the backup intervals are appropriate, and whether the backup data itself is vulnerable to a cyber attack.
Have a Cybersecurity Consultant that Can Be Available Quickly. In addition to helping investigate how the attack occurred and the scope of the attack, cyber firms such as Crypsis can be very helpful during ransomware attacks in identifying the hacker, determining whether the data is recoverable, negotiating with the hacker, and being able to quickly obtain Bitcoin or other cryptocurrency if a decision is made to pay.
Evaluate Cyber Insurance. When deciding whether to pay, you should understand whether the payment would be covered by insurance, and which, if any, of the losses associated with not paying would be covered. Before making any final decisions, you may want to involve your cyber insurer to ensure that you’ve preserved coverage.
Establish a Decision-Making Process. Another thing to work out ahead of time is who should be involved in deciding whether to pay, and who makes the final decision (e.g., the CEO, the general counsel, the board, etc.).
Understand the Disclosure Obligations. Another important factor to consider is disclosure obligations: how would the ransom be recorded on the company’s books, and would there be any regulatory obligation to disclose the payment or the underlying attack? How would the auditors regard such a payment? Some companies may decide that the potential upsides of paying a ransom are not worth the downside risks of disclosing the payment, or they may decide that the underlying attack must be disclosed in any event, which may affect their willingness to pay.
One final consideration is the legal risks of paying. When negotiating a ransomware resolution, you almost never know the identity of the hackers, which means that they could be subject to U.S. sanctions, or have links to terrorists. They could also be associated with some form of organized crime, and paying them not only does not guarantee the safe return of the hostage data, but may also embolden them to conduct future cyber crimes. For these reasons, the FBI’s official stance is to discourage companies from making ransomware payments.
And yet, despite these legal risks, many companies make ransomware payments, and we are not aware of any company that has been investigated or prosecuted for making such payments. To understand why, it is helpful to consider the government’s historical position on ransom payments for human hostages.
On June 24, 2015, the Obama administration announced a change in official United States hostage policy. While maintaining that the United States would continue to not make concessions or pay ransoms to foreign terrorist groups, President Obama signed an Executive Order (Exec. Order No. 13,698, 3 C.F.R. 13698 (June 24, 2015)), directing that communication with hostage-takers by the government and families of hostages was permitted. The order provides that families should not be threatened with prosecution for making ransom payments. The Department of Justice (“DOJ”) affirmed that it would exercise prosecutorial discretion to conform to this policy. By stressing that the real targets in ransom prosecutions should be the hostage-takers, not the families of hostages, the government provided a common-sense policy to what had already been the practice of law enforcement. The Trump administration has not signaled any clear shift away from this policy. Although we are not aware of any government statement directly linking this policy to ransomware attacks, the underlying rationale seems applicable.
But even if this hostage policy does not apply to ransomware payments, prosecution for making such payments is unlikely because (1) the person receiving the payment is almost always anonymous, so proving willful or reckless violation would be difficult, and (2) in deciding whether to prosecute for unlawful payments, the government considers the facts and circumstances of each particular case, and ransomware demands present sound policy reasons against prosecution, as well as strong defenses, such as duress.
So to sum up, here are some circumstances in which making a ransomware payment may be the least bad option:
- After consulting with an outside expert, you conclude that the ransomware is impossible to remove without the encryption key, which is only available from the hacker.
- The encrypted data is extremely valuable to the company, cannot be easily restored or recreated, and is not available from any other source, including from backup (or the backup recovery process would be more arduous than the payment/decryption process).
- The cost of the loss of access to the data greatly exceeds the ransom payment. For example, suppose a hospital has critical medical information or machines that are encrypted by the attacker, which puts lives at risk. If there is a modest ransom demand by a hacker, and the hacker is known to be commercially trustworthy, with a track record of unlocking the data if paid (we know, trustworthy criminal hackers is an odd, but very real, concept), then payment is an option that needs to be seriously considered.
As with other cybersecurity exposures, businesses can best mitigate the damage of ransomware attacks through preparation. Planning for cyberattacks in general, and creating a decision-making process for ransomware attacks in particular, can help eliminate the need to pay ransom in the first place, or significantly reduce the damage that such an attack can create.
The authors gratefully acknowledge the assistance of summer associate Jonah Stotsky in preparing this entry.