Observed in July, Ransomware Awareness Month seeks to raise awareness surrounding the threats of ransomware, and the extent to which cybercriminals may exploit sensitive personal or organisational information.

In simple terms, ransomware is a type of malicious software, or malware, designed to block access to a computer system or computer files until a sum of money known as ransom has been paid.

Most ransomware variants encrypt the files on the affected computer – usually by way of a malicious link or ad clicked, rendering the system and/or files inaccessible, and then demanding a ransom payment to restore access.

In March 2018, the city of Atlanta refused to pay a US $51 000 ransom, which resulted in an encrypted mess, and city employees working off a single clunky personal laptop. The attack required Atlanta to restructure its 2019 budget. More than one-third, or 424, of the city’s software programs, were fully or partially taken offline. Every day the city found more mission-critical applications impacted by the cyber attack because they bled into other systems. The first month of recovery cost Atlanta $3 million. A few months later in June, the city’s then-interim CIO, Daphne Rackley, asked for another $9.5 million.

The value of a ransom is calculated with intention by hackers, making it high enough to make it interesting for them, but low enough so the victim can afford to pay.

Should you pay the ransom?

Law enforcement does not encourage, endorse, nor condone the payment of ransom demands. If you do pay the ransom:

• there is no guarantee that you will get access to your data or computer

• your computer will still be infected

• you will be paying criminal groups

• you're more likely to be targeted in the future

Attackers will also threaten to publish data if payment is not made. To counter this, organisations should take measures to minimise the impact of data exfiltration.

Critics say that paying ransom funds an enemy’s business and could also set a precedent for others. But if there’s a concern about creating a market for paying bad actors, it can be argued the market already exists.

There’s a tendency for people to jump to the moral high ground pretty quickly. Entities either choose the economic or ethical route and it’s either one or the other. Appeasing both sides becomes a near-impossible task, especially when the "never negotiate with terrorists" is a defensive U.S. default. But no one has been prosecuted for paying a ransom.

It’s always a gamble to trust the enemy but after a compelling event like a ransomware attack, you tend to learn fairly quickly.

Criminalising ransomware payments?

A bad solution for a bad problem. In 2019, the Washington Post proposed a simple solution for the ransomware problem that is plaguing the U.S. critical infrastructure in general, and municipalities in particular. The Post opined that the solution to malicious ransomware was for Congress to "pass a federal law barring ransomware payments". Not banning ransomware, mind you; banning ransomware payments. The Post also suggested that the DHS (Department of Homeland Security) "set up a digital Ghostbusters task force to help municipalities come back online after an attack. Those that had implemented adequate defenses could get aid from the feds in footing the bill. Those who surrender to hackers would face fines sufficiently larger than the ransom".

Certainly, ransomware, extortion-ware, and threatened denial-of-service attacks that are motivated by financial gain could be discouraged if everyone around the world refused to pay a ransom. This would mean paying tens or hundreds of millions of dollars in ransomware "cleanup" costs to avoid paying thousands of dollars in ransom.

There are reasons not to pay ransom wholly apart from economics. Hackers, governments, terrorists, and others may use ransomware payments to finance other attacks, terrorism, or other criminal activity, or to blunt the impact of economic sanctions. Companies that pay ransom risk inadvertently supporting these activities. The decision of whether to pay should be based on a broad-ranging risk/reward program and not simply because it's "cheaper to pay". Entities of all types should be encouraged to cooperate with (and rewarded for doing so) law enforcement agencies, government cyber security centres, and cyber security and forensic companies that can share information about threat actors, their motives, tools, and tactics.

The problem includes extortion-ware - threatening to release stolen files or emails, threatening to turn over secrets to governments, selling trade secrets, threatening distributed denial of service attacks, doxing, revenge porn attacks, reputation-based attacks, and even "pump and dump" SEC trading scams that rely on manipulating the reputation of a company with either accurate or inaccurate information. Any of these attacks - or threatened attacks - can be weaponised through the demand for extortionate payments.

The Post concluded that "an anti-ransom law would be a dramatic step, but it’s the route to a dramatically positive result".

If you were on the operating table when the robot performing your surgery was shut down because the hospital refused to pay $500 to get it up and running, I’m not sure you would agree with the "dramatically positive result".

Enjoyed the read? Download and share our infographic on this vital topic, below.

GoldPhish educates end-users on the cyber threat and helps build more secure organisations with awareness training and phishing simulation

Get in touch for more information: info@goldphish.com