Should you pay a hacker’s ransom?

Carl Herberger of Radware writes:

If someone locked down your pacemaker, what would you pay to regain control? If hackers took over a cockpit or locomotive, what would you pay for restitution?

This is the future of ransomware that we’ll almost certainly see if the evolution of these threats holds course. Any time human safety enters the mix, it’s a ripe opportunity to extort money. As more ransomware victims pay, the kind of threats that put lives at risk will be even more incentivized.

 Herberger seems to be generally advising against paying ransom, unless you’re willing to keep paying.

Playing into ransom attacks is akin to negotiating with terrorists. Do you have a tolerance for negotiations, or do you draw a line in the sand? If you reward certain behavior, you’ll get more of it. If you show yourself willing to pay, hackers will be knocking on your door.

That said, he seems to acknowledge that paying is sometimes the only real option in the short-term. Small businesses, for example, could be especially vulnerable. But in the long run, he argues, the only way to slow the flood of ransomware is to stop paying. You can read his commentary on Quartz.

The article doesn’t address non-ransomware ransom demands, such as we’ve seen recently with hacks in the healthcare sector by “TheDarkOverlord,” and it’s not clear what Herberger would advise there. When entities pay TheDarkOverlord’s ransom demands – and it appears that at least some of them do – they are likely doing so for one or more reasons, such as:

  • trying to protect their patients’ protected health information and sensitive information from being sold on the dark net;
  • trying to protect proprietary information like source code (cf, the hackers’ newest revelations about a technology firm); or
  • the hackers have uncovered other information about the entity that the entity would not want revealed, such as previous unreported breaches or other types of possible wrongdoing.

I’m only going to address the first motivation above, though: should entities pay ransom to keep their patients’ information from being sold or exposed?

As Herberger suggests, what prevents the hackers from selling it anyway or coming back for more ransom? Will the entities’ insurance cover the ransom payment? Will the patients’ be more upset if they learn that the entity didn’t pay a ransom to protect their information? Keep in mind that even if an entity pays the ransom, they are still obligated to report the breach to HHS because the PHI was acquired. I cannot imagine any risk assessment that says, “We feel a low or zero risk of misuse because we trust these unknown hackers to keep their word and delete all the data.”  So ransom should not result in a coverup of a breach (if I find out it does, look out!), and patients are still going to find out about the breach. But how will patients respond if they know there was a ransom demand and the entity didn’t pay?

When I communicated with the hackers known as Rex Mundi last year, they claimed that more than 50% of their targets paid their ransom demands. At one point, they even issued a public statement about their motives and methods. Their business model and plan seems to be strikingly similar to that of TheDarkOverlord. While the latter doesn’t always name targets while negotiating with them, they have occasionally named entities to put pressure on them. In contrast, Rex Mundi often immediately and publicly named their target.  Whether there is any overlap between the bad actors in both groups is unknown to me.

In any event, as much as I find the extortion abhorrent, I think a case could actually be made for paying ransom to protect patient information. One could view it as just paying the piper for what you didn’t invest to adequately secure the PHI to prevent this (like having login credentials in plain text or using ridiculously easy passwords to your patient management database like “123456” or a hard-coded password that anyone could know).  Interestingly, it appears that TheDarkOverlord approached SRS about their software, but the vendor did not respond. How many other SRS EHR clients may we learn have also been hacked by TheDarkOverlord, and at what point will patients and entities become angry at SRS for not trying to discover what TheDarkOverlord found in their system that is being exploited?

And what is Microsoft’s role here? InfoArmor and others have suggested that the 0day that TheDarkOverlord reportedly uses may be the same 0day that was up for sale in the past. Assuming, for now, that they are correct and that the 0day previously offered for sale by “Arnie” is the same 0day currently in use by TheDarkOverlord, should Microsoft have paid the selling price back then? How many of the current hacks might have been prevented?  Yes, this could be a new 0day and not the old one, and yes, hackers could have come up with something new anyway, but should Microsoft have paid?

Maybe we should just view any ransom payment as the cost of doing business when you collect and store sensitive patient information.  Whatever. I get sick inside at the thought of sensitive patient information being sold or dumped. And yes, I blame the hackers. But I also hold the entities responsible if they didn’t adequately secure the information by 2016 standards. Maybe paying ransom will be a wake-up call to invest in better security?  I can only hope.

I anticipate some of my readers will strongly disagree with me. That’s what the Comments section is for. Feel free to sound off and tell me why you think I’m totally wrong.



About the author: Dissent

4 comments to “Should you pay a hacker’s ransom?”

You can leave a reply or Trackback this post.
  1. Bombero - July 14, 2016


    Why should I suffer because of the incompetence of careless business entities?

  2. Ray - July 14, 2016

    If your data gets loose in the wild, for any reason, it should be reported. Compartmentalization of breaches is a bad idea. Shining a bright light on the issue is the only good approach. Rasonware is an example of ‘pay for it now’ or ‘pay for it later’. Those entities who cut corners in the first place (knowingly or unknowingly) will eventually be paying those costs.

  3. Anonymous - July 14, 2016

    Ransomware is working because people are paying. It doesn’t cost the hackers anything more than time.

    TALOS is reporting a new ransom scam where the files are deleted and unrecoverable, and provokes the victim into paying, and believing the files are recoverable, when they are not.

    The reason most of these ransomware attacks work is plain and simple. Its the failure of the operating system to prohibit such actions. A user can surf a legitimate site, or get redirected to a bad site and their files, and any networked files they have permissions to may be affected.

    Its the hackers fault for writing the code, but in the end, its a vicious cycle of errors by everything in that cycle. Each has a piece in the puzzle/cycle and you cannot point fingers at just one entity since each ransomware case can be different.

    Good security awareness

    Surfing with least privileged accounts, or on a workstation that is not on the main network which could be virtual in nature.

    Determine if the software on your load is up to date. Determine if it is REALLY needed. Reduce footprints of software and open ports.

    Firewall, router and proxy whitelists which allow communication only to specific websites.People are supposed to WORK at work, not surf for pleasure. Allow kiosks for public surfing that have no direct ties to the main network. That way if the workstation gets infested with adware, spyware, RATS, Ransomware or other nasty items it can be slicked. Some organizations will use a DVD based operating system which when rebooted produced a new Operating system with no need for a hard drive.

    Its the willingness for people to take charge of what they are responsible for. Just because some one creates a software related issue on the internet does not mean you have to fall victim to it. If the users want to sit there and be exposed to this sort of attack without attempting some sort of risk mitigation, then they are potentially asking for the opportunity to become a victim.

    For those that do nat have a incident plan for ransomware, they may not know that several variatios of the ransomware out there have been cracked and tools have been made to generate a key for free and you don’t need to pay anyone.

    Payment boils down to time and effort required to replace existing files and folders if they are even available. For some companies, hours off line means millions of dollars lost and the potential to be sued since the data may no longer be available. If the backup files are old and untested, or do not exist, then the corporation’s hands may be tied.

    This is a topic that is beaten like a dead horse on the internet – it does not have one answer for the myriad of possibilities that exist when referencing payment of ransomware. Each case is unique and thus it’s up to the owner to decide if payment is an acceptable solution.

    • Dissent - July 14, 2016

      I think the issues in paying a ransomware demand are a tad different than the issues in paying a ransom demand where data have actually been acquired/exfiltrated. It’s not clear to me that paying a ransom demand in the latter situation actually reduces any other potential costs. Unless, of course, there’s no current backup and/or the hacker managed to wipe everything on their way out.

Comments are closed.