Ransomware: To Pay or Not to Pay
Last week, we covered the ransomware attack on the Colonial Pipeline. The Russian Ransomware-as-a-Service (RaaS) gang called DarkSide were responsible for the attack. As a RaaS gang, DarkSide developed ransomware for affiliates to purchase and use against targets. Ransom payments would be shared between the two groups. According to the Colonial Pipeline Company, the restart of the pipeline was initiated in the evening of Wednesday, May 12. A day later, William Turton, Michael Riley, and Jennifer Jacobs of Bloomberg reported that the Colonial Pipeline Company paid a 75 bitcoin ransom to DarkSide. The ransom was worth $4.4 million. According to Dr. Tom Robinson of Elliptic, a blockchain analytics company, DarkSide made over $90 million in Bitcoin from 47 different victims. However, their actions have not gone unpunished. Cybercrime intelligence provider Intel 471 reported that on May 13, DarkSide announced that some of their infrastructure and cryptocurrency funds were seized, and that they would immediately cease their ransomware operations. Intel 471 also reported that ransomware advertising has been banned on “one of the most popular Russian-language cybercrime forums.” Overall, ransomware has attracted more negative publicity following the Colonial Pipeline attack.
According to Collin Eaton of the Wall Street Journal, Joseph Blount, CEO of the Colonial Pipeline Company, was the one who authorized the ransom payment. Joseph Blount told the Wall Street Journal that Colonial Pipeline Company executives were unsure of the extent of the damage and the time needed to restore operations. Despite being uncomfortable with the thought of paying cybercriminals, Blount authorized the payment because of the high stakes of shutting down the pipeline, which provides 45% of the fuel used by the East Coast. After paying the ransom, the Colonial Pipeline Company received a decryption tool to restore their data, but they ended up using backups because the decryption tool was too slow. In an ideal world, they would not have paid the ransom. They could have started restoring their data through backups instead. However, this information was not available to them at the time. They were put into a position where they felt pressured to pay the ransom for the sake of stakeholders.
The Colonial Pipeline incident is a new case study for an ongoing debate about ransomware; specifically, a debate over whether victimized organizations should or should not pay ransoms. Those who are not strictly opposed to paying ransoms approach the situation from a business perspective. They may justify a ransom payment if it is the least costly option to restore business operations. Their perspective uses act utilitarianism. When faced with a choice, they try to make the best choice for everyone impacted by the decision. Those who are strictly opposed to ransomware payments approach the situation from a rule utilitarian perspective. They try to make a choice that, if enforced as a rule, would make society better off in the long run.
Organizations in control of services that are vital to society—including supply chains, healthcare, education, government, etc.—are likely to be pressured into paying ransoms for the sake of avoiding disruptions to their operations. Note that there are exceptions. As reported by Daphne Leprince-Ringuet of ZDNet, Ireland’s health services refused to pay the perpetrators of recent ransomware attack on their IT infrastructure. Overall, these types of organizations may be targeted precisely because they are vital to society. As demonstrated by the public’s reaction to fuel shortages in the U.S. following the pipeline attack, stakeholders suffer from the consequences of halted supply chains and services, and this burden is placed onto the shoulders of officials and executives. Those in charge often perform cost-benefit analyses for everything, including ransom payments. They authorize ransom payments if they result in the least damage for everyone. However, law enforcement agencies such as the FBI discourage the payment of ransoms. They note that paying ransoms does not guarantee the restoration of data, and that it also encourages and incentivizes future ransomware attacks. As long as RaaS gangs and their affiliates receive money, they will continue to operate, and other cybercriminals will be encouraged to turn to ransomware. If ransomware victims around the world stopped paying ransoms, ransomware would no longer be a lucrative strategy for cybercrime. Theoretically, if ransomware was no longer profitable, ransomware attacks would no longer be incentivized and there would be far less attacks in the wild. As a result, the business operations of critical infrastructures and institutions would no longer be threatened. Although individuals and organizations would still have to worry about other forms of malware, society would be better off in the long run without ransomware.
However, there would be logistical problems with enforcing the non-payment of ransoms. As reported by Lily Hay Newman of Wired, Katie Nickels of the security firm Red Canary noted that if a ransom boycott was enforced, victimized organizations may just pay the ransoms in secret. A better solution would involve prevention. Although it is far easier said than done, organizations should take the steps to ensure that their IT infrastructures are as secure as possible. They should adopt good cyber hygiene and make backups of their data. They should also invest in services and technologies that help them prevent or recover from ransomware infections. If organizations do not need to pay ransoms—either because the attacks failed or because of backups—they could not be pressured into choosing between security for everyone or the well-being of stakeholders.