To pay or not to pay: CISOs weigh in on the ransomware dilemma
“The biggest issue they had [was] that they couldn’t pay their people, and it was like on a weekly or fortnightly basis. And if you’re not paying your drivers and stuff, that business stops, right?” says Haigh. “The person that was under the most stress was the CFO. [He] could see themselves going into a bankrupt state. … I think they only had like a month to run.”
When an organization faces insolvency, most of the C-suite would be in favor of paying a ransom so they can continue with operations.
“Because now you’re talking about essentially an existential threat to your business. And it is the CEO, CFO, [and] the board’s responsibility to not let that happen. So it’s almost like you add a juxtaposition here. Because for the greater good, you should not pay the ransomware. But for your immediate micro view of keeping this business alive, you should. That is a hard one,” he says.
Buying time with third-party experts
To make the best decision, businesses should check whether their data can be restored from backups and whether their cyber insurance covers operational expenses in the event of prolonged business disruption. Both would give enterprises leverage to avoid paying the ransom.
With ransomware getting “faster, smarter, and meaner,” some ransomware operators are increasingly threatening to leak the data, which may cause the enterprise to take additional action. “You’re going to [have to] use a third party that’s going to scour the dark web, find the data, and be able to either retrieve it or take it down. And that’s the best you can do in that case,” he says.
Such is the cat-and-mouse game of modern ransomware. Ransomware operators continually develop new techniques to exert more pressure on the C-suite and board to pay. Kleinman says that some ransomware operators are targeting information that may hit closer to home.
“[Ransomware operators are] quite creative. They’ve started to dox a lot of executives, senior board members. So that is releasing personal sensitive data on the individual — like the chairman of the board or something like that, or their family — again, to further incentivize the payment,” he says.
Kleinman says this trend is in line with the rise of non-encryption ransomware, a threat built around data leakage.
If a company decides to give in to the pressure, Gooh says it should consider bringing in a third-party expert to interface with the ransomware operator and, more importantly, to buy time to look for decryption keys (which are available for some ransomware strains), coordinate with authorities, and negotiate for a lower price.
Gooh says that every enterprise’s incident response plan should provide this kind of professional help. “Knowing what to do and knowing who you can call when this kind of thing happens is certainly one of the things that companies need to be prepared for,” he says.
Newton says that it is a relief that the ultimate decision to pay a ransom does not rest on his shoulders as a CISO, but he would still make a strong case for non-payment.
“If I was asked if I would pay a ransom, I would talk about the ethics of it,” he says. “And sometimes ethics is painful. Being ethical is painful.”