Should you pay a hacker’s ransom?

Carl Herberger of Radware writes:

If someone locked down your pacemaker, what would you pay to regain control? If hackers took over a cockpit or locomotive, what would you pay for restitution?

This is the future of ransomware that we’ll almost certainly see if the evolution of these threats holds course. Any time human safety enters the mix, it’s a ripe opportunity to extort money. As more ransomware victims pay, the kind of threats that put lives at risk will be even more incentivized.

Herberger seems to be generally advising against paying ransom, unless you’re willing to keep paying.

Playing into ransom attacks is akin to negotiating with terrorists. Do you have a tolerance for negotiations, or do you draw a line in the sand? If you reward certain behavior, you’ll get more of it. If you show yourself willing to pay, hackers will be knocking on your door.

That said, he seems to acknowledge that paying is sometimes the only real option in the short term. Small businesses, for example, could be especially vulnerable. But in the long run, he argues, the only way to slow the flood of ransomware is to stop paying. You can read his commentary on Quartz.

The article doesn’t address non-ransomware ransom demands, such as we’ve seen recently with hacks in the healthcare sector by “TheDarkOverlord,” and it’s not clear what Herberger would advise there. When entities pay TheDarkOverlord’s ransom demands – and it appears that at least some of them do – they are likely doing so for one or more reasons, such as:

  • trying to protect their patients’ protected health information and other sensitive information from being sold on the dark net;
  • trying to protect proprietary information like source code (cf. the hackers’ newest revelations about a technology firm); or
  • the hackers have uncovered other information about the entity that the entity would not want revealed, such as previously unreported breaches or other types of possible wrongdoing.

I’m only going to address the first motivation above, though: should entities pay ransom to keep their patients’ information from being sold or exposed?

As Herberger suggests, what prevents the hackers from selling it anyway or coming back for more ransom? Will the entities’ insurance cover the ransom payment? Will the patients be more upset if they learn that the entity didn’t pay a ransom to protect their information? Keep in mind that even if an entity pays the ransom, they are still obligated to report the breach to HHS because the PHI was acquired. I cannot imagine any risk assessment that says, “We feel a low or zero risk of misuse because we trust these unknown hackers to keep their word and delete all the data.” So ransom should not result in a cover-up of a breach (if I find out it does, look out!), and patients are still going to find out about the breach. But how will patients respond if they know there was a ransom demand and the entity didn’t pay?

When I communicated with the hackers known as Rex Mundi last year, they claimed that more than 50% of their targets paid their ransom demands. At one point, they even issued a public statement about their motives and methods. Their business model and plan seem strikingly similar to those of TheDarkOverlord. While the latter doesn’t always name targets while negotiating with them, they have occasionally named entities to put pressure on them. In contrast, Rex Mundi often immediately and publicly named their target. Whether there is any overlap between the bad actors in the two groups is unknown to me.

In any event, as much as I find the extortion abhorrent, I think a case could actually be made for paying ransom to protect patient information. One could view it as simply paying the piper for what you failed to invest in adequately securing the PHI in the first place (like storing login credentials in plain text, or using ridiculously easy passwords for your patient management database like “123456”, or a hard-coded password that anyone could know). Interestingly, it appears that TheDarkOverlord approached SRS about their software, but the vendor did not respond. How many other SRS EHR clients may we learn have also been hacked by TheDarkOverlord, and at what point will patients and entities become angry at SRS for not trying to discover what TheDarkOverlord found in their system that is being exploited?

And what is Microsoft’s role here? InfoArmor and others have suggested that the 0day that TheDarkOverlord reportedly uses may be the same 0day that was up for sale in the past. Assuming, for now, that they are correct and that the 0day previously offered for sale by “Arnie” is the same 0day currently in use by TheDarkOverlord, should Microsoft have paid the selling price back then? How many of the current hacks might have been prevented? Yes, this could be a new 0day and not the old one, and yes, hackers could have come up with something new anyway, but should Microsoft have paid?

Maybe we should just view any ransom payment as the cost of doing business when you collect and store sensitive patient information. Whatever. I get sick inside at the thought of sensitive patient information being sold or dumped. And yes, I blame the hackers. But I also hold the entities responsible if they didn’t adequately secure the information by 2016 standards. Maybe paying ransom will be a wake-up call to invest in better security? I can only hope.

I anticipate some of my readers will strongly disagree with me. That’s what the Comments section is for. Feel free to sound off and tell me why you think I’m totally wrong.

About the author: Dissent