Recent news about large ransomware payments made by global insurer CNA Financial ($40 million) and Colonial Pipeline ($4.4 million) has brought the debate about the legality and ethics of paying ransoms following attacks back into focus. Analysis of Bitcoin payments made to the DarkSide ransomware group shows that in just a nine-month period, the cyber-crime organization brought in $90 million in ill-gotten profits.
With the huge payouts and the continued rise of disruptive attacks, the debate about making it illegal to pay ransom demands is resurfacing again, with cybersecurity professionals on both sides of the aisle. For organizations victimized by ransomware, paying the ransom is not an easy choice. As the CEO of Colonial Pipeline mentioned, he did not want to make the ransom payment, but the decision came down to how quickly the company could restore services and get the pipeline back online following the attack. It can be expected that the decision will be questioned when he appears to testify before the House Committee on Homeland Security in June.
There is no question that paying ransoms helps fund cyber-crime activity and certainly encourages ransomware groups to continue their operations. Unfortunately, for the company that is hit by a successful ransomware attack, the answer to "pay or not to pay" may not be a simple choice.
Some organizations are faced with the reality that their backups have failed and there is no chance of recovering their systems without paying (unfortunately, I have witnessed this realization first-hand). For some, the choice is now between paying a ransom and going out of business. Some organizations have decided to go out of business rather than make the payment, as evidenced by the story of ENT & Hearing Services in Battle Creek, Michigan, which suffered a ransomware attack and closed its doors after being unable to recover its systems and refusing to pay the ransom.
On the flip side, the story of The Heritage Company shows that even if you pay the ransom, you might still be forced out of business. The company closed its doors and laid off its staff of 300 employees just a week before Christmas in 2019 after suffering a ransomware attack that it could not recover from, even after paying several hundred thousand dollars to a ransomware group.
Some are advocating that ransomware payments should be outlawed and that those who pay should face criminal charges, but where does that leave organizations that are truly impacted by an attack and have little chance of recovering without the encryption keys? It truly does put those companies between a rock and a hard place.