It cost just under $5 million for Colonial Pipeline, the company that operates the largest fuel pipeline in the US, to pay off a gang of cybercriminals that hacked its servers, shut off the flow of oil and gas, and disrupted fuel supplies across the east coast. The company caved to hackers’ ransom demands within hours of the attack, Bloomberg News reported.
In a ransomware attack, criminals encrypt a company’s data and demand an extortion payment in exchange for a decryption key that will restore the company’s access to its files. Colonial Pipeline’s decision to pay the hackers flies in the face of most official recommendations. US policy—and the standing advice of many other national governments and intelligence agencies—is clear: Companies should not pay ransoms to hackers.
But in practice, it’s a bit messier than that. From time to time, the FBI will privately tell a hacked company it understands if executives choose to pay off the hackers. At a press conference following the Colonial Pipeline attack, top White House cybersecurity official Anne Neuberger acknowledged that sometimes companies have no other choice: “We recognize, though, that companies are often in a difficult position if their data are encrypted and they do not have backups and cannot recover the data,” she said.
It’s certainly welcome news that a key piece of US energy infrastructure will soon be back online. But the episode raises a thorny question: Should companies pay ransoms, knowing they may just encourage future attacks?
The standard wisdom from cybersecurity experts and intelligence agencies is that ransom payments only incentivize and fund future cyberattacks. “Paying ransoms emboldens criminals to target other organizations and provides an alluring and lucrative enterprise to other criminals,” the FBI wrote in an October 2019 public service announcement.
Therefore the best course of action, many experts argue, is for companies to refuse hackers’ demands. “If you want to stop ransomware attacks, you need to make the cashflow dry up, which means companies need to stop giving in to these shakedowns,” said Brett Callow, a threat analyst at the cybersecurity firm Emsisoft.
Putting aside the ethical and long-term strategic qualms a company might have about funding criminal organizations, there’s also the question of whether firms can trust hacking groups to be reliable business partners. In some cases, even after a company has paid a ransom, hackers failed to send the decryption key that would allow the firm to restore its data. Other times, hackers have demanded a second ransom after receiving the first. “You’re paying for a pinky promise from criminals,” Callow said.
In recent years, ransomware groups have become increasingly sophisticated and professional, just as their annual revenues have ballooned into the billions. (The hackers made at least $18 billion during a crime wave in 2020, according to an estimate from Emsisoft.) On the one hand, this trend provides evidence that ransom payments have, in fact, allowed hackers to reinvest their profits in expanding their operations with the same ruthless efficiency as Amazon.
But on the other hand, the hackers have become less amateurish, which may lead more businesses to feel that they can trust the criminals to hold up their end of the bargain after a ransom payment. Most of the time, the hackers do keep their word and send decryption keys to companies that pay. Many ransomware groups even offer live chat support to walk companies through the process of restoring their data.
It’s hard to estimate how many ransomware groups are now operating, but the ransomware identification service ID Ransomware identified more than 500,000 confirmed incidents in 2020. In a survey of 600 companies in Australia, France, Germany, Japan, Spain, the UK, and the US by cybersecurity firm Proofpoint, two-thirds of companies said they had experienced a ransomware attack in 2020.
It’s easy to say in the abstract that companies shouldn’t pay ransoms, but for any individual organization, it’s a very hard choice. Often, it’s much cheaper to pay off a hacker than it is to recreate your company’s IT infrastructure from scratch. The city of Baltimore refused a $76,000 ransom payment in May 2019, and then paid $18 million to rebuild its IT network. The city of Atlanta refused a $51,000 ransom in March 2018 and went on to pay $17 million to rebuild its infrastructure.
“You’re the CEO of a company, and your choice is to pay or go out of business,” said Jim Lewis, senior vice president of the Center for Strategic and International Studies, a US national security think tank. “Which are you going to pick?”
That dilemma sets up a collective action problem: One business may refuse to pay a ransom for the sake of starving cybercriminals of cash—but its sacrifice won’t have any impact unless the rest of the business world follows suit. And that’s a dubious prospect. According to the Proofpoint survey, just over half of companies targeted by a ransomware attack give in and pay the hackers.
Callow believes the only way out of this impasse is for governments to step in and make ransom payments illegal, even if that would create worse financial outcomes for some companies that have been targeted. “Companies would undoubtedly feel the pain as a result,” he said. “Some may even be forced to close. But attacks have forced some companies to close anyway and, really, what choice do we have here?”
In the private sector, at least one major insurance company has already declared it will no longer cover digital ransom payments for its clients. AXA, one of Europe’s biggest insurers, swore off the practice at the behest of the French government.
But Lewis says it doesn’t make sense to tell businesses not to make ransom payments if it’s in their economic interest to do so. The root of the problem isn’t that companies are paying ransoms, he said. It’s the fact that businesses don’t have adequate cyber defenses, and that the international community hasn’t adequately confronted Russia and other countries that harbor hacking groups to force them to crack down on cybercriminals.
“Until we get this under control, and that means figuring out a way to deal with the Russians, and figuring out a way to make sure critical infrastructure like hospitals do the right things to make themselves harder targets for ransomware,” Lewis said, it doesn’t make sense to stop companies from paying ransoms.
“People need to think of this as a business, and for the victims it’s a business decision,” said Lewis. “Right now there are so many vulnerabilities and so many inadequately defended networks that not paying isn’t going to mean less ransomware attacks. It’s just going to mean you go out of business… or have revenue loss for some period of time.”