Paying cyber ransoms sets a bad precedent but happens often

Michael Riley and Kartikay Mehrotra
Bloomberg

The U.S. government's fight to choke off ransom payments collected by hackers hit a major snag Thursday, following news that Colonial Pipeline Co. paid a hefty sum to hackers who for several days this week effectively shut down the country's largest fuel pipeline and created gas shortages along the East Coast.

The decision went against FBI and Treasury Department warnings that such payouts will only spread pain down the line by encouraging more hacking, raising questions around the ethics of paying the ransoms.

Cybersecurity experts, lawyers and insurers say those pleas run up against the hard logic faced by many ransomware victims. Often the quickest way to restore their debilitated computers systems is to pay, and victims typically have insurance to cover the cost. And, for those who resist, hackers have found new ways to increase the pain.

A storage tank stands at the Colonial Pipeline Co. Pelham junction and tank farm in Pelham, Ala., on on Sept. 19, 2016.

"It's just a cold calculation by the policy holder and the carrier," said Robert Cattanach, who works on cybersecurity litigation at the law firm Dorsey & Whitney. "As unfortunate as this dynamic is, at the end of the day, the insurance company is going to do what's going to mitigate its exposure."

"If they were running the math and said they were losing $3 million a day, and we can get rid of this for five, where do I sign?," Cattanach said, referring to the $5 million in cryptocurrency that Colonial paid the hackers.

But others worried about that Colonial's payment would embolden other criminals. "It's a terrible precedent to set and disappointing," said an oil trader who wasn't authorized to discuss the topic publicly so requested anonymity. "But Colonial is a high-profile company. And it's faster and cheaper to pay and then buy some better firewalls."

Ransomware is a variation of malware that encrypts a victim's computers, rendering them useless. The hacking group then demands a payment in exchange for a decryption key.

Adrian Nish, head of cyber for BAE Systems Applied Intelligence, said his firm currently tracks around 20 major ransomware groups, most based in Russia or Eastern Europe, and many of them have the capacity to hit scores of victims per month.

It's difficult to come across definitive data on ransomware victims because most prefer to keep the matter quiet. Ransoms demanded by hacking groups vary widely, and can reach tens of millions of dollars. However, the initial demand is often whittled down during negotiations, cybersecurity experts say. The original ransom demand from the Colonial hackers -- suspected to be a group called DarkSide -- isn't known.

A 2020 survey of senior IT and security decision makers by the cybersecurity firm CrowdStrike Holdings said 27% of those surveyed paid the ransom, and the average payment was $1.1 million. In March, the cyber firm Kaspersky said 56% of victims paid the hackers.

A ransomware task force, in a report prepared by the Institute for Security and Technology, said ransomware victims paid $350 million in 2020, a 311% increase over the prior year, and it listed the average payment in 2020 as $312,493.

Although the Colonial attack was especially serious because of the impact on U.S. energy supplies, there have been other major ransomware attacks in recent weeks. The victims include the Washington D.C. metro police department and Scripps Health, a major hospital system in the San Diego area. In the case of the D.C. police, the hackers eventually released what it said was personnel files on nearly two dozen people after the department didn't meet the ransom demand.

The logic against paying ransom is simple: It makes the crime less profitable and discourages would-be hackers from joining in. There's also no guarantee a victim's files will be returned, according to the FBI. After news of Colonial's ransom payment broke, however, White House spokeswoman Jen Psaki noted the FBI's position, and added, "What I'm here to do is just convey the policies of the United States government, and it doesn't feel particularly constructive to call out companies in that manner at this point in time."

Tyler Hudak, the head of incident response at the cybersecurity firm TrustedSec, said the calculation a company makes about whether to pay or not really comes down to just a few variables. The most important of them is whether the company has backups of the hijacked data, which would be necessary to restart its systems without help from the hackers.

But even that may not save a victim. Many ransomware groups have begun to steal sensitive data before locking up a company's computers, providing them with a second point of leverage. "Like many groups, DarkSide uses a double-extortion scheme, which means they also steal data and threaten to leak it. Even if you don't need to pay because your data is backed up, you might decide to pay to stop the leak," Hudak said.Even if they pay, companies may still struggle to restore their computers.

In the case of Colonial, the decrypter tool the hackers provided to help restore their systems was so slow that it had to restore machines using existing backups anyway, according to a person familiar with the investigation. "Across the board, the decryption programs are not as well-written as the encryption programs, which is what makes the hackers money," said Hudak. In a recent case involving DarkSide, Hudak said it took his team 12 hours to restore a single server using the hackers' tool.

In almost every case, victims must decide if paying the attacker is legal. In October 2020, the U.S. Treasury Department created legal roadblocks for ransomware victims considering payment to attackers on the U.S. sanctions list.

But the challenge is, it may not always be clear who the hackers are, where they are located, or if cryptocurrency addresses they assign for payments are covered by sanctions.

"It's all about risk versus reward," said Alex Holden, founder and chief information security officer at Hold Security. "Can you ensure that you're not breaking the law by paying, and what are the repercussions if you do break the law. Is it worth it?"