Jan 07 2020

To Pay or Not to Pay? Facing the Government Ransomware Threat

While paying a ransom can restore citizen services more quickly, it’s important to remember the costs amount to more than just dollars and data.

You’d have to be pretty out of touch to miss ransomware’s domination of recent headlines on government. From attacks on the city of Lodi, Calif., the Georgia Department of Public Safety and the Lincoln County Sheriff’s Office in North Carolina to a coordinated attack on 23 local governments in Texas, state and local governments are under siege with no sign of the ransomware threat abating anytime soon. 

As this form of malware continues to morph and metastasize, we must focus on mitigating its effects. That brings us to the No. 1 ransomware conundrum facing leaders when an attack inevitably strikes: to pay or not to pay? 

While it’s important to weigh the consequences of each option, giving in to an attacker’s demands may be the worst way for governments to fight back.

The Pros of Paying After a Ransomware Attack

For many public sector organizations eager to restore services to citizens and continue mission-critical work, paying the ransom may seem like the best option. In fact, agencies that purchase cyber insurance policies with protection from online extortion — an increasingly prevalent phenomenon — are often persuaded that paying up is the right way to go.

Jackson County, Ga., for example, gave in to its attacker’s demands for $400,000 for decryption keys in March 2018. While risky at the time, the gamble ultimately paid off.

Leaders in Lake City, Fla., opted to let their insurer pay a $460,000 ransom on the city’s behalf. The insurance company argued that paying up would save both the city and its insurer hundreds of thousands, if not millions, of dollars in crippling downtime costs. But for another Florida city – Riviera Beach – the answer wasn’t so simple. Despite paying almost $600,000 in ransom, the city still had to spend an additional $900,000 in damages.

Paying Following a Ransomware Attack Comes with Its Own Price

As examples like Lake City show, paying up is not a one-size-fits-all fix to today’s ransomware epidemic. There are troubling downsides to the pay-up approach that cannot, and should not, be ignored.

First, paying ransom guarantees nothing. According to CyberEdge Group’s “2019 Cyberthreat Defense Report,” more than 17 percent of organizations that chose to pay a ransom never regained access to their encrypted data or infected systems. Current strains of ransomware, such as LockerGoga and MegaCortex, demand a ransom yet wipe systems regardless of whether a payment is received or not, leaving victims without their data and down thousands (or hundreds of thousands) of dollars. 

While this trend is disconcerting enough, it’s also important to remember the costs of paying a ransom amount to more than just dollars and data. A recent survey of U.S. adults found a whopping 86 percent believe organizations that make ransomware payments only encourage cybercriminals to continue such attacks, while another 66 percent argue government organizations shouldn’t be permitted to make payments. 

And if public opinion isn’t enough to sway you, consider the warnings of both the FBI, which strongly discourages ransom payments, and the U.S. Conference of Mayors, which passed a 2019 resolution opposing any payments relating to attacks on local government entities. 

In short, paying up may seem like the best near-term solution, but it actually paints a target on you — and other government entities like yours — for future attacks.

5 Ways to Mitigate a Ransomware Attack

Despite the looming threat of ransomware attacks, there is good news. By taking the following five steps, state and local governments can set themselves up for success — and avoid the question of paying up altogether: 

  1. Implement a backup solution. Performing regular full-image backups and storing them in both onsite and secure off-site locations (i.e. the cloud) are critical elements for ensuring fast recovery.
  2. Update your operating systems and applications. Ransomware attacks like the 2017 WannaCry outbreak often exploit software vulnerabilities that can be eliminated by installing the latest operating system and application patches and updates.
  3. Keep your anti-virus software’s signature database current. With increasingly complex ransomware strains at cybercriminals’ fingertips, anti-virus software should never be your organization’s sole defender. However, keeping your anti-virus software signature databases up to date is a key first line of defense against better-known strains.
  4. Adopt a least-privilege framework. Because ransomware variants often spread laterally from one compromised machine to other servers, subdividing your LANs via technologies like Access Control Lists, private virtual LANs and context-aware secure network segmentation can contain any attack from the outset and limit its impact.
  5. Instill a culture of security within your organization. Train those in your organization to regard every email with suspicion. Sensitize employees to the serious risks associated with clicking on email links and opening email attachments. 

Ultimately, victims (and their insurance companies) should resist the urge to cave to ransomware demands. For state and local governments, this may seem like a tough pill to swallow when payment seems like the only option for retrieving sensitive data or getting critical services back online, but this is a false choice. Applying the above practical steps today, before an attack occurs, ensures your organization can avoid costly downtime, maintain public trust and safeguard data — all without paying a ransom.
