SANS Institute Recaps Ransomware Debate - To Pay or Not To Pay?

In a webcast last week, SANS Institute, a globally recognized cybersecurity training, research, and certification organization, hosted a debate on whether organizations that fall victim to ransomware should pay attackers or not. Ransomware incident responders and infosec experts included Jake Williams, founder of Rendition Infosec and SANS Instructor; Matt Toussain, founder of Open Security and SANS Instructor; Ryan Chapman, Principal Incident Response and Forensics Consultant and SANS Instructor; and James Shank, Team Cymru. The panelists represented both sides of the debate and discussed how organizations should strategize to prepare and help prevent ransomware attacks.

In 2020, 51% of businesses were targeted by ransomware, and attacks have increased in 2021. The threat landscape has grown increasingly complex as cyber attackers take advantage of an expanding attack surface. The recent Colonial Pipeline attack demonstrated the fragility of U.S. critical infrastructure when it halted oil production. Similarly, the JBS Foods ransomware attack shut down meat production at multiple sites worldwide. In response, President Biden signed an executive order to strengthen U.S. cybersecurity defenses, which included creating a standardized playbook and set of definitions for the federal response to cyber incidents. On the heels of these developments, panelists analyzed the ethical debate around whether organizations should pay the ransom, whether stolen data is even returned after payment, and the risk that society becomes complicit as more organizations continue to make payments and incentivize cybercriminals.

The panelists argued that due to the lack of government retaliation against these criminal groups, many of which reside in “safe haven” countries like Russia, bad actors face no adverse consequences. Panelists provided critical insights on how organizations can better defend themselves from inevitable compromise, including whether cryptocurrency should be used to help safeguard company funds. The majority of panelists ruled against stockpiling cryptocurrency as a defense strategy because of its volatility. While most panelists favored not paying criminals the ransom, some argued that refusing to pay carries highly detrimental societal and economic impacts, including an adverse effect on lower-income workers who lose out on critical wages while systems are down. Despite differing perspectives, the panelists agreed that each situation requires a nuanced response and risk calculation.

From weighing the risk of paying attackers to the reality that stolen information is sometimes never returned, panelists agreed that dealing with ransomware is complex. The pervasiveness of these attacks underscores the need for ransomware preparedness across all industries.

###