To Pay or Not to Pay (Ransomware)
By Heath C Renfrow, CISSP, C|CISO, C|EH, C|NDA
The recent ransomware attack on the City of Atlanta cost the city an estimated $2.7 million, and it raises the question: do you pay, or do you not pay?
Ransomware has exploded over the last few years and has been especially hard on the healthcare industry – who can forget the Hollywood Presbyterian Hospital event and the WannaCry outbreak in the summer of 2017? Ransomware has become a billion-dollar industry that shows no signs of slowing down anytime soon.
Let’s take a look at the Hollywood Presbyterian Hospital scenario.
February 5, 2016 – Ransomware takes hold and demands $17,000 in bitcoin. The hospital does not inform law enforcement, and the original decision is not to pay the ransom.
February 5, 2016 – February 15, 2016 – Hospital staff are unable to bring systems back online, determine that they need to pay the ransom, are unsure how to pay it, and struggle to set up and fund a bitcoin account.
February 15, 2016 – The hospital pays the ransom, receives the decryption key, and services are turned back on.
An interesting fact about this story is that the shutdown of the MRI department alone was costing the hospital an estimated $100,000 a day in lost revenue, for a total of $1M over the outage. That is a single department, so you can imagine the economic impact on the whole hospital over the ten-day period.
So should an organization pay a ransom should they fall victim? This is a powder keg of a question, and in our opinion, there is no right or wrong answer.
Potential Benefits of Paying
- Decryption key provided (hopefully)
- Reduce loss of revenue from operational downtime
- Resume patient care
- Reduce company liability
- Minimize adverse impact on reputation
Potential Risks of Paying
- Thieves might not provide the decryption key
- The attackers may not even have the ability to decrypt your files after you pay
- You make yourself look like a piggy bank and open yourself to future attacks
Some will say that proper backups and procedures minimize the impact of a cyber attack such as ransomware. Though backups and procedures are a must and are industry best practice, there are times when paying a ransom is the better business decision because recovery with the decryption key can be faster than restoring from backups. For example, an Indiana hospital paid $55,000 in bitcoin despite having backups. It comes down to senior leadership, not cyber professionals, making the best business decision for the organization.
This, however, is not a black and white issue, and it boils down to senior management making the decisions that are best for the business. Our opinion is that ransomware scenarios should be part of every incident response plan and business continuity plan, and that a company should have an established bitcoin wallet – or access to a trusted partner that can facilitate a quick exchange on its behalf. An organization must be prepared for both “Pay” and “Not Pay” scenarios.
We do not believe there is a straight answer to the question “To Pay or Not to Pay?” However, we do recommend being prepared, with policy and exercised scenarios. Cyber security professionals must educate senior leadership on different cyber crisis scenarios, including ransomware, and recommend that the proper mechanisms be put in place to foster timely and educated cyber crisis management responses.
Contact LEO Cyber Security for a no-cost consultation on how to prepare your organization to properly mitigate a ransomware attack.
Mr. Heath Renfrow has served as the Chief Information Security Officer for multiple global organizations, most recently as the CISO for United States Army Medicine, where he was awarded the 2017 Global CISO of the Year by EC-COUNCIL, the largest cyber training body in the world. Mr. Renfrow has 19 years of global cyber security professional experience and is considered one of the leading cyber experts in the world. He holds a Bachelor of Science in Information Technology and a Master of Science in Cyber Studies. He also serves on the following boards: National Cyberwatch Center Foundation, Association for Executives in Healthcare Information Security, University of Indiana Cyber Advisory Council, and Cyber Patriot Program Advisory Council.