Ransomware: Why ‘To Pay or Not to Pay’ is Not the Right Question

Fibo Quantum

Many Western nations maintain hard and fast policies of not negotiating with terrorist organizations, especially regarding ransom payments. Experts in the field will tell you this is due to a policy of deterrence: if we eliminate or reduce the incentive, then, in theory, the threat actors have little reason to risk carrying out the operation.  

In the wake of gas pipelines, national health services and global food supplies having recently been disrupted or entirely shut down, a simple cost-benefit analysis demonstrates why a deterrence approach isn’t always feasible. Nations need fuel to drive economic activity, people need life-saving procedures and everyone needs food and other supplies to survive. 

Unfortunately, when organizations fall victim to ransomware, they often feel they have no option but to pay. Yet, ‘to pay or not to pay’ sets up a false dichotomy. Rather than ask if people should pay the ransom, we should be asking how we can prevent organizations from becoming victims in the first place. And so, organizations need to ask themselves what they can do to detect these threats as early as possible. 

Cyber Warfare: A Cat and Mouse Game 

Following the attacks against the Colonial Pipeline and Irish health services, we’ve seen another form of critical infrastructure hit by ransomware: the global food supply chain, with food processing giant JBS disclosing that it had paid $11m in ransom. 

Worryingly, it is not a question of if, but when, we will see more major attacks on critical infrastructure and services nationally and internationally. 

A recent, never-before-seen event, however, throws a wrench in the works of the attacker-victim dynamic. The FBI and DOJ recently managed to recapture a portion of the bitcoin ransom paid by Colonial Pipeline to the (now defunct) DarkSide cyber-criminal gang. While we do not know for certain what precedent this sets for attackers and victims, it certainly demonstrates that there may be a way to recover ransom funds — possibly removing the main incentive for attackers.

But does this actually remove the incentive or simply shift the goalposts? It is important to keep in mind that many cyber-criminal groups operate much like corporate organizations. They are agile, adaptive and innovative, and often use partner models that bring in more profit. Upon hearing the news that the FBI recaptured some of the ransom, attackers will certainly have pivoted almost instantly. The result will likely be a shift to a more anonymous form of payment like Monero, and a quick phasing out of the use of Bitcoin to receive ransoms. 

This ‘cat and mouse game’ between attackers and defenders has long been at play. For example, when businesses started to back up their data as a proactive measure against ransomware, attackers began making copies of victims’ data so they could threaten to release it online — a process known as ‘double extortion ransomware’. This ensures a firm hold on the victim, and in many cases applies enough pressure to guarantee a payment.

To Pay or Not to Pay: That is Not the Question 

While the recent recovery of some of Colonial Pipeline’s ransom is the first officially confirmed case of its kind by the FBI and DOJ’s new ransomware task force, many are likely asking whether it is reasonable to expect this process to continue in the future. Yet, we must not lose sight of the greater problem, which is detecting and responding as early as possible (and in some cases as fast as possible) to reduce the incentive for criminal organizations to strike.

Many Western nations maintain hard and fast policies of not negotiating with terrorist organizations, especially regarding ransom payments. Experts in the field will tell you this is due to a policy of deterrence: if we eliminate or reduce the incentive, then, in theory, the threat actors have little reason to risk carrying out the operation.  

In the wake of gas pipelines, national health services and global food supplies having recently been disrupted or entirely shut down, a simple cost-benefit analysis demonstrates why a deterrence approach isn’t always feasible. Nations need fuel to drive economic activity, people need life-saving procedures and everyone needs food and other supplies to survive. 

Unfortunately, when organizations fall victim to ransomware, they often feel they have no option but to pay. Yet, ‘to pay or not to pay’ sets up a false dichotomy. Rather than ask if people should pay the ransom, we should be asking how we can prevent organizations from becoming victims in the first place. And so, organizations need to ask themselves what they can do to detect these threats as early as possible. 

Cyber Warfare: A Cat and Mouse Game 

Following the attacks against the Colonial Pipeline and Irish health services, we’ve seen another form of critical infrastructure hit by ransomware: the global food supply chain, with food processing giant JBS disclosing that it had paid $11m in ransom. 

Worryingly, it is not a question of if, but when, we will see more major attacks on critical infrastructure and services nationally and internationally. 

A recent, never-before-seen event, however, throws a wrench in the works of the attacker-victim dynamic. The FBI and DOJ recently managed to recapture a portion of the bitcoin ransom paid by Colonial Pipeline to the (now defunct) DarkSide cyber-criminal gang. While we do not know for certain what precedent this sets for attackers and victims, it certainly demonstrates that there may be a way to recover ransom funds — possibly removing the main incentive for attackers.

But does this actually remove the incentive or simply shift the goalposts? It is important to keep in mind that many cyber-criminal groups operate much like corporate organizations. They are agile, adaptive and innovative, and often use partner models that bring in more profit. Upon hearing the news that the FBI recaptured some of the ransom, attackers will certainly have pivoted almost instantly. The result will likely be a shift to a more anonymous form of payment like Monero, and a quick phasing out of the use of Bitcoin to receive ransoms. 

This ‘cat and mouse game’ between attackers and defenders has long been at play. For example, when businesses started to back up their data as a proactive measure against ransomware, attackers began making copies of victims’ data so they could threaten to release it online — a process known as ‘double extortion ransomware’. This ensures a firm hold on the victim, and in many cases applies enough pressure to guarantee a payment.

To Pay or Not to Pay: That is Not the Question 

While the recent recovery of some of Colonial Pipeline’s ransom is the first officially confirmed case of its kind by the FBI and DOJ’s new ransomware task force, many are likely asking whether it is reasonable to expect this process to continue in the future. Yet, we must not lose sight of the greater problem, which is detecting and responding as early as possible (and in some cases as fast as possible) to reduce the incentive for criminal organizations to strike.

Wood Profits Banner>