26. 2. 2024

To pay or not to pay? Some facts even without Hamlet

Although 2022 suggested that ransomware as an attack was on the wane, 2023 made it clear that the decline was the exception rather than the rule.

The drop in attacks in 2022 was probably due to the war in Ukraine and I agree with the security experts’ statement “Whoever expected a long-term trend of a decline in ransomware attacks misunderstood their underlying motivation”.

However, once a company has been the victim of a successful ransomware attack, the question of all questions comes into play: to pay or not to pay?

Since for some companies the ransom issue can be a straightforward Hamlet dilemma, I think it’s worth considering the following facts before resolving it.

Degraded data.

In some ransomware attacks, the majority of files over 64 kilobytes have been degraded. Another survey reports that only half of those who paid regained access to all their data. Attackers are not exactly the most careful when it comes to handling data. Why would they be? Their motivation is different.

Attackers have very little motivation to honour their commitments.

Why would they even do so when they have already been paid? Game theory points the same way: as long as it is a “game” with a finite number of rounds (and here the exact number hardly matters), the counterparty has a strong incentive to behave dishonestly in order to maximize its payoff in this one-round exchange. The actual virtue of the attackers, I believe, need not even be discussed.

You become a potential target for further attacks.

Information about which companies are willing to pay and which are not also spreads within the circles of these now organized groups. Such a payment could easily place you in an unwanted league. What’s more, the attackers probably wouldn’t stop at a single transaction.

Multiple blackmail.

If the attackers find that you are willing to pay, the initial payment may be just one of many. Attackers can be creative in this regard and may ask for additional payments for further data, or for not disclosing it, since they may have stolen it before encrypting it. However, the economic pressure from the attackers’ side may be only part of your problems.

Fines by regulators.

The U.S. Treasury Department’s Office of Foreign Assets Control (OFAC) made its position clear when it added ransomware as a type of cyber threat to the sanctions list. On that basis, it can penalize entities that support the attackers. Although this decision is aimed at entities under US jurisdiction, in today’s globalized world it needs to be taken into account elsewhere as well.

Yet the ransom is not the only cost a company must bear to recover from an attack. For example, the US giant MGM, in its financial report, quantified the damage caused by the ransomware attack at USD 100 million. MGM, of course, refused to pay the ransom, and the amount demanded is unknown.

If it is obvious in cyber security that prevention is much cheaper than dealing with an incident afterwards, this rule is doubly true for ransomware attacks.

As with any potential cyber attack, it is advisable to stop it as early as possible, together with the attack vectors that accompany it. It therefore does not hurt to conduct a proactive resilience exercise against ransomware attacks, for example using Lockheed Martin’s Cyber Kill Chain model, which defines and describes the individual phases of an attack.

Michal Srnec, CISO Aliter Technologies.


SOURCE: Hospodárske noviny