The United States Conference of Mayors recently adopted a resolution against paying hackers' ransomware demands.
What’s interesting about this is it’s creating what is essentially a vertical front of communities against ransomware. It may well disincentivize attackers from targeting U.S. towns and cities. I’m hopeful and encouraged by this action, but I worry that this resolution is a dismissal of culpability and should have been about investing in cybersecurity before a ransomware outbreak, instead of advertising that we’d rather jump on a sword than pay a ransom.
I’ve been writing about the need for ransomware victims to prioritize their self-interest and consider paying ransom if they can establish that the actor will credibly provide decryption keys and that recovery would be discernably less costly in doing so. One of the common responses I’ve received in this regard is that I’m encouraging the creation of a ransomware market because the act of paying ransoms encourages more actors to get involved in this space — supply and demand.
From a purely economic perspective, this makes sense. After all, if relatively few organizations pay ransoms, then there’s a certain point where it becomes unprofitable to spend time harvesting companies for such a limited return. The shortcoming of this approach is that it requires organizations to prioritize societal benefit, potentially in the face of catastrophic losses. I would argue that this is an unreasonable expectation for organizations that are fiscally responsible to private individuals and not protected/insured by the state.
This question of fiscal responsibility becomes even more complicated when looking at cities and governments, which have a singular role to provide services that benefit their constituents (their local society). If your Aunt Emma passed away because of a lack of emergency services, then I expect your concern about the greater market impact of your local township paying a ransom would be marginalized. There is an ethical argument here, and while the cost may not have been in lives yet, quality of life certainly has been affected for the people who lost their jobs due to companies going out of business or less directly for the people of Atlanta, who will have to accept additional taxation or sacrifice other city services to offset millions in losses. Who are you responsible for?
Another critical question I’ve asked myself regarding ransomware payment is, “Has the market already been established?” I think it has. Ransoms are getting paid, and I’m regularly in contact with organizations that have either paid a ransom or have a recognized contingency where an attack would be so impactful they would immediately pay the ransom — regardless of internal policy.
If you, like me, believe that it has been established, then blanket arguing against payment to avoid contributing to the creation of the market is no longer justified. Sure, every payment increases the capitalization of the ransomware market, but if you have an established market, your individual contribution just isn’t moving the needle in the same way.
The Reason They Put Locks On Doors Is To Keep Honest People Honest
There is a significant financial opportunity for victimizing any company with weak credentials on exposed services such as RDP, poor vulnerability management practices, or employees who are vulnerable to phishing. Yep, that’s many of us. What’s interesting about ransomware is that it commoditizes an intrusion directly. There’s no sale of the data, so the valuation is based on loss — the value of the data and interrupted services to the victim organization and its constituents. It’s no accident that we’re seeing cities become targets. These organizations are traditionally viewed as being slower than the herd, but as an analyst, I can tell you that there’s also plenty of commercial entities that are struggling with best practices. The long-term impact of this ransomware trend has to be commitment to best practices. Let’s start by not leaving the door unlocked.