To pay or not to pay: responding to ransomware
During the pandemic, ransomware has itself gone viral. Consulting group Chainalysis estimates that in 2020, ransomware attackers received around US$350 million in ransom payments, more than three times as much as in the previous year. Kennedys Special Counsel Nicholas Blackmore and Associate Martin Yarwood discuss the issues facing ransomware victims when deciding whether to pay a ransom.
Ransoms are hardly a modern problem: in 75 BCE, a 25 year old Julius Caesar, on his way to study oratory in Rhodes, was taken hostage by a band of pirates in what is now southern Turkey. The pirates set his ransom at 20 talents of silver, the equivalent of around US$400,000 today. Caesar’s response became legend: he demanded the pirates increase their ransom to 50 talents of silver, and swore to return after his release and have the pirates crucified. The ransom was paid after 38 days, and Caesar made good on his promise by returning with an army to capture and crucify the pirates.
Today’s digital pirates appear to be having more success than Caesar’s captors did. Modern ransomware threat actors are not only demanding larger ransoms than the Turkish pirates of old, but are doing so with far less risk of prosecution (or indeed crucifixion). So how should their victims go about responding to a ransomware attack?
Is it necessary to pay the ransom?
The first stage of a forensic response to a ransomware attack is usually to determine whether it will be necessary for the victim to pay the ransom.
Most forms of ransomware seek to extort money by encrypting the data held on a computer system, in order to make it inaccessible to the user. While decryption tools are available for some older ransomware variants, modern ransomware produces encrypted data that can only be recovered with decryption keys, keys which can only be obtained by paying the ransom.
The first step in determining whether it is necessary to pay the ransom is to identify the ransomware and confirm that it has successfully encrypted the victim’s data. Ransomware, like any software, sometimes fails, and there are cases in which a victim finds that their critical data remains unencrypted.
The next step is to determine whether the victim has backups of their data, and whether these backups have been encrypted by the ransomware. Most ransomware variants attempt to encrypt any accessible network shares and cloud storage in order to encrypt backups. This makes it important to maintain regular offline backups of IT systems that cannot be accessed by ransomware. If the victim has up-to-date backups of the encrypted data which have not been encrypted, then it is often possible to recover the affected systems in a matter of hours.
Sometimes a victim will find that their unencrypted backups are not up to date (they may be from a week or a month ago), meaning that they can largely restore their systems from backup, but may need to reconstruct recent data manually from other sources. This can be a lengthier process, and at some point the victim will need to consider whether paying the ransom may be a cheaper option.
If a victim has no backups of their encrypted data, and cannot readily manually reconstruct their data, then they may find themselves with no other practical option to recover their systems, other than to pay the ransom.
Deciding whether to pay the ransom
Deciding whether to pay a ransom is a difficult decision, and requires careful consideration of the consequences of making or not making the payment. There is no right or wrong answer, and the decision will always depend on the circumstances of the attack and of the victim.
While paying the ransom promises to give the victim access to the decryption keys which are necessary to decrypt their files, it is important to bear in mind that paying a ransom does not guarantee that decryption keys will be provided, or that the keys that are provided will work.
In some cases, the threat actor may decide to ask for a second ransom, or just disengage completely once the victim has paid. It is important to bear in mind that ransomware threat actors are inherently not to be trusted. However, it is also important to note that this happens much more rarely than it used to. A few years ago, it was difficult to recommend paying a ransom under any circumstances, because it was common for ransomware threat actors to refuse to provide decryption keys after payment. The more sophisticated ransomware threat actors began to realise that this unreliability was affecting their victims’ willingness to pay, and today many ransomware groups have a reliable track record of providing decryption keys upon payment.
In other cases, the threat actor may be unable to provide decryption keys even if they want to. The advent of “ransomware-as-a-service” means that victims are not always dealing with a threat actor who has experience with their chosen variant of ransomware. These threat actors may simply lack the technical expertise to provide working decryption keys. For this reason, most ransomware threat actors will allow the victim to submit test files for decryption as proof that they have working decryption keys – it is important for victims to take advantage of this offer, with a variety of test files from each affected system.
Ransomware threat actors have also started to adopt other tactics to encourage, or put pressure on, victims to pay. Sophisticated threat actors research their victims before making contact, and calibrate their ransom demands based on the size and nature of the victim’s business. While the threat actor has unauthorised access to the victim’s network, they may look for financial and insurance records to use as evidence that the victim can afford to pay the amount they are demanding.
It is now relatively common for ransomware actors to exfiltrate data from the victim’s systems, so that the threat actor can then threaten to publish it on the dark web. Threat actors may threaten to contact a victim’s customers or even regulators if the victim does not pay. Threat actors may even threaten further disruption to the victim’s business, through denial-of-service or other attacks, until a ransom is paid.
Some threat actors also offer incentives to pay the ransom, promising to provide full details of their attack and a list of files which were encrypted or exfiltrated once the ransom is paid, to assist in any data breach notification the victim is required to make. Needless to say, any details they provide should be independently verified.
Both paying and refusing to pay a ransom can result in further attacks. Paying a ransom will often result in a victim becoming known as a “soft touch”, and their details being shared around the hacker community. Even if the original threat actor is satisfied with their haul, the victim is more likely to be attacked by another threat actor. By contrast, refusing to pay a ransom can encourage retribution from the original attacker.
Similarly, both paying and refusing to pay a ransom can result in negative public relations for the victim. Refusing to pay a ransom can be portrayed in the media as a moral stance not to reward criminal activity – but it can also be seen as not doing everything to protect your customers’ and employees’ personal data.
Legal issues in paying a ransom
The first instinct of a victim who is experiencing business interruption due to a ransomware attack is often just to pay the ransom as quickly as possible, to get their business up and running again. However, any decision to pay a ransom needs to involve a careful consideration of the legal implications of making such a payment.
The legality of paying a ransom varies from country to country, so it is important to check the relevant laws in your jurisdiction.
In Australia, it is not illegal to pay a ransom per se. However, there is a risk of committing a criminal offence if you pay a ransom without performing sufficient due diligence.
The Commonwealth Criminal Code 1995 makes it an offence to deal with money if there is a risk that money will become an “instrument of crime” – essentially, will be used to facilitate a criminal offence. This is relevant to ransom payments because there is a good chance that a ransomware threat actor might use the ransom payments they receive to buy new equipment to facilitate further ransomware attacks.
There is a defence available to this offence if the ransom payment was made under “duress”. To establish duress, the victim needs to show that:
- a threat was made that would have been carried out unless the payment is made;
- there was no reasonable way the threat could be rendered ineffective without the payment; and
- the payment was a reasonable response to the threat.
In the case of ransomware, there is clearly a credible threat – that the threat actor will not provide decryption keys unless the ransom is paid. The more difficult elements for a ransomware victim to establish are that:
- there was no reasonable way the threat posed by the ransomware could have been rendered ineffective, other than by paying the ransom; and
- in the circumstances, the payment of the ransom was a reasonable response to the threat posed by the ransomware.
It is also an offence under the Criminal Code to make funds available to an organisation if you are reckless as to whether the organisation is a terrorist organisation or will use the funds to facilitate a terrorist act.
Finally, it is also an offence to make a payment to a person sanctioned by the United Nations Security Council or the Australian Government. Lists of persons and entities sanctioned by the UN Security Council and by the Australian Government are published online by each of those bodies. However, there is a defence if the payor took reasonable precautions and exercised due diligence to avoid committing the offence.
Together, these offences effectively require a victim of a ransomware attack to investigate the situation and perform some due diligence on the threat actor before making a ransomware payment. To avoid committing an offence, they need to be able to show that:
- there was no reasonable way to recover their data other than by paying the ransom;
- in the circumstances, the payment of the ransom was a reasonable response to the threat posed by the ransomware;
- they were not reckless as to whether the threat actor had terrorist links; and
- they took reasonable precautions and exercised due diligence to ensure the threat actor was not on the UN Security Council or Australian autonomous sanctions lists.
Paying a ransom
Once the victim has decided to pay a ransom, we would always recommend that they engage a professional negotiator to communicate with the threat actor. Several firms exist who have experience in negotiating with ransomware groups. The advantages of using a professional negotiator include:
- their expertise in the art of negotiating with ransomware threat actors means they can often convince threat actors to settle for a fraction of their initial demand;
- they often have extensive intelligence on known ransomware threat actors, which they use to offer insights during negotiations and to flag sanctions or terrorist links that may make a ransom payment illegal;
- they may be able to perform some of the required due diligence on the threat actor to reduce the risk of committing an offence; and
- they hold reserves of Bitcoin which they can use to quickly make a ransom payment.
Should paying ransoms be illegal?
As ransomware has become a major international scourge, there has been a substantial amount of debate in the media as to whether governments should be passing laws to make the payment of ransoms illegal under any circumstances.
Some countries (such as Malaysia) already have such an offence. Others are considering introducing one. In May, French insurer AXA Group announced that it would stop writing cyber policies in France that reimburse customers for ransom payments. AXA Group indicated the decision was in response to concerns raised by French justice and cybersecurity officials during a Senate roundtable in Paris.
It is easy to see the attraction of outlawing ransom payments. Nobody wishes to reward a ransomware threat actor by paying them a ransom. If all victims ceased paying ransoms, ransomware would immediately cease to be profitable for ransomware threat actors, and ransomware might disappear overnight.
However, it is not at all clear that making ransom payments unlawful would necessarily prevent all victims from paying ransoms. There are two classes of victims who choose to pay ransoms: those who could afford to recover or reconstruct their data, or could continue without it, and pay the ransom because it is the cheaper option; and those who could not afford to recover or reconstruct their data, or to continue without it. The latter would still have a powerful incentive to pay the ransom even if it were unlawful, when the alternative is to go out of business.
An alternative to outlawing ransoms is to require businesses who pay ransoms to notify law enforcement authorities when a ransom is paid. A major factor in ransomware becoming such a scourge is that threat actors face very little chance of being caught. Part of the reason for this is that relatively few ransomware victims report their incident to the authorities. If businesses were required to notify law enforcement when a ransom payment is made, authorities could assemble a much better picture of the ransomware threat actors and their money trail. Authorities could also ensure that ransomware victims take the necessary steps to improve their IT security and to make it harder for ransomware attacks to succeed.
In Australia, the federal opposition recently introduced the Ransomware Payments Bill 2021, which would require organisations to inform the Australian Cyber Security Centre before a payment is made in response to a ransomware attack. It will be interesting to see whether that Bill gains bipartisan support.
While ransoms have been a problem for thousands of years, ransomware has never made the business of hostage-taking so lucrative and so free of risk. Deciding whether to pay a ransom in response to a ransomware attack is a complex decision that requires careful consideration of the practical and legal consequences. In particular, it is important that victims perform some due diligence on the threat actor before making a ransomware payment, in order to avoid committing an offence. While some commentators have advocated making ransom payments illegal, it is not at all clear that this would be a sensible answer to the scourge of ransomware.