The Internet is full of articles explaining why ransomware should not be paid. They are probably right, but if you don’t distinguish between the type of ransomware and who is affected, the reasons given may not make as much sense. It is therefore necessary to explain the circumstances of the victim in order to understand why payment should not be made and, above all, to understand the situation well enough to make the right decisions.
Two Types of Ransomware
The first thing to acknowledge is that there are two types of ransomware. The first appeared massively around 2012, as a natural evolution of “police virus” malware, and affected the average user. Since 2017 it has not disappeared, but its incidence has fallen considerably. These were attacks on unsuspecting random victims, demanding amounts that were large but still within reach of an individual. This type of ‘domestic’ attack has perhaps a more direct answer: it should not be paid unless there is a good reason to do so. No one guarantees that the files will be returned (an amusing example is this anecdote in which, despite not having actually infected anything, the attacker still insisted that he should be paid). Nor does anyone guarantee that the victim will not be extorted again. And most of the time, it is more than likely that the user can continue to live without his many files, data, etc. But… what if your business, livelihood, clients and future depend on recovering that data? Then the answer becomes more complicated.
When The Attack Is Professional
This is not the time to blame the victim (he has enough to deal with already) because his backup was also encrypted, did not work, or simply did not exist. In a professional ransomware attack everything is more complex: we are talking about campaigns that may have involved months of work and study by the attacker, with the sole objective of penetrating deep into the network (sometimes an enormous one) and, at the right moment, taking control and encrypting everything. By then it is too late. The whole system is encrypted, and sometimes it takes months to verify not only that the system has been recovered but also that the attackers cannot get in again. Here, thousands and thousands of euros are lost every day because of the frustrating impossibility of running the business. The situation is much more critical and serious, and that is why the attackers ask for millions of euros in ransom. At that moment a negotiation begins, because when there is so much at stake, not paying is not something that is dismissed immediately. Just as with a real-life kidnapping, payment is an option that is always considered.
But it is always the last option. In fact, it is an option that may end up being officially illegal. In July 2019, the US mayors’ confederation recommended at its annual meeting not to pay. If you pay, you encourage them to keep attacking, they said. In that case, the statement did not go beyond a purely “moral” position, as it was not binding. Then it went further: two proposals by two senators (one Democrat and one Republican) put forward in January 2020 contemplated forbidding the use of public money for these ransom payments. The Republican senator also proposed the creation of a fund to help organisations improve their cybersecurity.
It keeps going further. The Office of Foreign Assets Control (OFAC) now warns that “companies that facilitate ransomware payments to cybercriminals on behalf of victims, including financial institutions, insurance companies and companies involved in forensic analysis and incident response, not only encourage future ransomware payment claims, but also risk violating OFAC regulations”. The aim would be to fine those who pay, the intermediaries, and those who receive the money (if they can be identified).
More Figures Than You Can Imagine
Actually, the recommendation is that instead of paying, one should cooperate with law enforcement and not use intermediaries as “cover”, on the grounds that doing so already amounts to something illegal and criminalized. The reason? Many more victims than we think are paying, to the point that the payment process itself has become a business.
The ransomware business has become industrialised both from the point of view of the attackers (very elaborate techniques, very professional treatment…) and from the point of view of the victims, who already rely on intermediaries and other parties such as insurers to deal with the crisis. When business continuity is critical, the affected companies open several channels at once. There is, of course, the technical recovery attempt, the damage assessment, etc. But other “diplomatic” channels are also opened, which may include contact with the attackers and with other companies.
With the attackers, you bargain and negotiate, establishing a line of dialogue as if it were any other type of transaction. Extortionists may even offer useful advice after the victim has gone through the checkout line. And like any negotiation, it can be delegated. In the light of this murky business of extortion, intermediaries offering “consulting” services have emerged to handle the negotiation and the payment of the ransom. In this industrialized scenario, payment usually does guarantee recovery. Going even further, insurers can act as intermediaries. Depending on what the policy covers, these businesses may find it cheaper to pay the attackers than to compensate the affected party for the damage suffered.
In short, it is a complex web in which not everything is so clear when we talk about figures, and above all one very far removed from the domestic environment, where the guidelines are usually clearer. The new laws in the United States seek to strangle the extortionists by preventing their business from being lucrative… but this measure may not be enough, because many times the continuity of legitimate businesses matters more. Survival… not at any price, but at the one imposed (unfortunately) by criminals.