Ransomware: Why “To Pay or Not to Pay” Isn’t the Right Question

Many Western countries maintain strict and swift policies of not negotiating with terrorist organizations, especially when it comes to paying ransoms. Experts in the field will tell you that this is due to a policy of deterrence: if we eliminate or reduce the incentive, then, in theory, the threat actors have little reason to risk the operation.
In the wake of gas pipelines, national health services and the global food supply having been recently disrupted or completely shut down, a simple cost-benefit analysis shows why a deterrent approach is not always achievable. Nations need fuel to stimulate economic activity, people need life-saving procedures, and everyone needs food and other supplies to survive.
Unfortunately, when organizations fall victim to ransomware, they often feel like they have no choice but to pay. Yet “to pay or not to pay” establishes a false dichotomy. Rather than asking if people should pay the ransom, we should ask ourselves how we can prevent organizations from becoming victims in the first place. So organizations should ask themselves what they can do to detect these threats as early as possible.
Cyber Warfare: a cat and mouse game
In the aftermath of the attacks on the Colonial Pipeline and Irish Health Services, we have seen another form of critical infrastructure hit by ransomware: the global food supply chain, with food processing giant JBS revealing that it paid 11 million dollars in ransom.
What is worrying is not whether, but when, we will see more major attacks on critical infrastructure and services nationally and internationally.
A recent, never-before-seen event, however, throws a wrench into the works of attacker-victim dynamics. The FBI and DOJ recently managed to recover part of the bitcoin ransom paid by Colonial Pipeline to the (now defunct) DarkSide cybercriminal gang. While we are not sure what precedent this sets for attackers and victims, it certainly demonstrates that there may be a way to recover the ransom funds – perhaps removing the primary incentive for attackers.
But does that really remove the incentive or does it just displace the goals? It is important to keep in mind that many groups of cybercriminals operate much like businesses. They are agile, adaptive and innovative, and often use partner models that generate more profit. Upon learning that the FBI recovered part of the ransom, the attackers will certainly have pivoted almost instantly. The result will likely be a shift to a more anonymous form of payment like Monero, and a rapid elimination of the use of Bitcoin to receive ransoms.
This “cat and mouse game” between attackers and defenders has been around for a long time. For example, when companies started backing up their data as a proactive measure against ransomware, attackers started making copies of victims’ data so that they could threaten to post it online, a practice known as “double-extortion ransomware”. This ensures a firm grip on the victim and in many cases exerts enough pressure to secure payment.
To pay or not to pay: that is not the question
While the recent recovery of a portion of the Colonial Pipeline ransom is the first officially confirmed case of its kind by the FBI and DOJ’s new Ransomware Task Force, many are probably wondering if it is reasonable to expect this process to continue in the future. Yet we must not lose sight of the more important problem of detecting and reacting as early as possible (and in some cases as quickly as possible) in order to reduce the incentive of criminal organizations to strike.