Ransomware Victims Shelling Out Despite Government Advice

As ransomware woes beset more and more organizations following a series of notable hacking incidents hitting headlines, the decision to pay up has become a pure cost-benefit business compromise. Though the federal government’s official recommendation asks victims to stand tall in the face of ransom threats, an increasing number of companies are seeking outside guidance to help facilitate payments. This is about more than saving face. Many victims do not have the necessary financial leverage to withstand cessation of operations and protracted recovery campaigns.

The current cybersecurity counter-strategies for ransomware, both preventative and post-attack, are not nearly encouraging enough for companies to live up to the optimistic non-payment instruction from the government. In fact, consulting firms such as Booz Allen Hamilton have carved a private sector niche for serving victimized companies needing assistance with the often complex payment arrangements associated with these ransoms. The government’s call to completely rebuff hackers is surely meant to mitigate the risks of such payments, but these firms work with digital currency brokers and run the money through top-down compliance checks to avoid pitfalls. Private firms are not advocating payment, but want their clients to maintain control of the final business decision.

Giving in to ransom demands is not the exercise in defeatism it’s been branded as; rather, companies are simply striving to keep their heads above water by resuming day-to-day functionality. Jake Williams, a former NSA analyst and cofounder of BreachQuest, said, “While it's easy to say that ransoms should never be paid, that's just not the reality for too many organizations. I would love to never broker a ransom again, the thought of it makes me a bit nauseated. But I also won't pretend that paying ransoms hasn't been a net positive for most of the organizations I've done it for. Even when we're not talking about something as big as the Colonial Pipeline, getting the business operational again has real impacts outside of cyberspace.”

For Colonial, forking over several million dollars in cryptocurrency paid off twofold. Not only was the pivotal pipeline reopened in the nick of time to prevent total chaos in the gas market, but a sizable portion of the money was recovered by the newly created Ransomware and Digital Extortion Task Force of the Justice Department. The high-profile nature of Colonial’s plight points to this semi-happy ending being more of an exception than a rule. Even if government intervention leads to an eventual ransom retrieval, there is too much at stake for companies to be comfortable with the idea of waiting for a life preserver.

In theory, the U.S. government’s recent elevation of cybercrime to a terrorism-level security threat priority is perfectly consistent with the recommendation of withholding payment. Compliance with malicious actors is not optimal, but in the face of shutting down operations or losing control of sensitive data, companies with no immediate, proven solutions for countering ransomware attacks aren’t likely to adhere to the guidance. Further legislative action and government agency cooperation could afford vulnerable organizations improved confidence and ultimately make the federal “stonewalling” mandate feasible.