Is It OK to Pay a Ransomware Demand? Depends Who You Ask
The U.S. Department of the Treasury issued a pair of advisories last week that could potentially shake up how organizations respond to ransomware attacks.
The guidance, issued by units of the Treasury’s Office of Terrorism and Financial Intelligence, warns that victims and the businesses that assist them could run afoul of sanctions and anti-money-laundering rules by making payments to blacklisted entities—including hacking groups linked to Russia, North Korea and Iran.
The advisories are perhaps the strictest statements from the federal government discouraging organizations from paying ransomware demands, and they come as attackers have taken increasingly brazen actions, including targeting schools, municipalities, and hospitals that are dealing with a surge of patients due to the COVID-19 pandemic. But they also potentially clash with positions taken by other federal agencies in recent years.
One thing is clear: There are no unified federal rules that address how organizations should handle the rapidly growing problem of ransomware attacks. Departments and agencies including the FBI and Department of Homeland Security have issued a patchwork of guidelines in recent years on how to approach the issue. Many of the advisories fail to mention whether or not companies should consider paying a demand.
“There doesn’t seem to be good guidance because there is no good guidance to give,” said Allan Liska, a ransomware specialist at Recorded Future. “The answer from a security perspective is you should never, ever pay the ransom. But ultimately what we find is it’s not a security decision—it’s a business decision. And security doesn’t run the business.”
Few victims like talking about their decision to funnel money to criminals in order to recover their data. But a recent survey of 5,000 IT managers commissioned by cybersecurity firm Sophos found that 26% of ransomware victims decided to make a payment—only 1% of those organizations didn’t get their data back.
The Treasury Department notices will likely make organizations think twice about paying up. But they also will probably lead to head-scratching. That’s partly because there are significant challenges around attributing cyberattacks—in client guidance shared with The Record, lawyers at BakerHostetler wrote that “attribution is extremely difficult and always has been in the cybersecurity space,” and that victims should retain a third-party to assess if a payment is being made to a group linked to sanctioned individuals. Additionally, victims will likely be confused by the hodgepodge of advisories that other government agencies have issued. Here’s a breakdown of what they’ve said in the past:
The FBI and Internet Crime Complaint Center
The FBI and its IC3 unit have generally been more outspoken than other federal agencies on ransomware payments—though their guidance hasn’t been consistent.
In 2015, an agent at FBI’s Boston office was quoted at a security conference saying: “To be honest, we often advise people just to pay the ransom.”
More recently, the Bureau has clarified that it “does not support paying a ransom to the adversary,” because it does not guarantee that a victim will regain access to their data and it incentivizes criminals to continue ransomware attacks. However, the FBI also tacitly condoned payments in the same guidance, stating that it “recognizes executives, when faced with inoperability issues, will evaluate all options to protect their shareholders, employees, and customers.”
In separate guidance to CISOs, the FBI also tiptoes over the issue. “Whether to pay a ransom is a serious decision, requiring the evaluation of all options to protect shareholders, employees and customers. Victims will want to evaluate the technical feasibility, timeliness, and cost of restarting systems from backup,” the agency said. The FBI has not mentioned sanctions in its advice to ransomware victims.
Department of Homeland Security
DHS’s Cybersecurity and Infrastructure Security Agency, as well as its Computer Emergency Readiness Team, have typically focused on prevention in their guidance to victims. For example, a September ransomware guide issued by CISA and the Multi-State Information Sharing and Analysis Center said that organizations that maintain offline backups wouldn’t need to confront the pay-or-not-pay dilemma at all.
The guidance goes on to say that CISA and MS-ISAC don’t recommend paying a ransom, but also suggested that organizations share with federal agencies whether or not a ransom was paid and, when applicable, details about the cryptocurrency wallets used to pay the demand.
Department of Health and Human Services
Ransomware attacks against hospitals are particularly serious, because they can be a life-or-death issue. A patient at a German hospital reportedly died last month after a ransomware attack caused treatment delays. A couple of weeks later, Universal Health Services—one of the largest hospital systems in the U.S.—had its IT network knocked offline by a ransomware attack.
HHS, which administers HIPAA and other health-related digital security rules, issued ransomware guidance in 2016 that was notably mum on the issue of payments.
“What the guidance does not address, however, is the answer that may be most important to a HIPAA-covered entity that is subject to a ransomware attack: whether to pay the ransom demanded by the cyber-attacker,” Patterson Belknap lawyers wrote in an analysis of the guidelines.
Securities and Exchange Commission
Like HHS, the SEC has also managed to issue guidance and dodge the payment issue. Despite issuing ransomware warnings to the public companies it oversees, it hasn’t broached the subject of whether firms should or should not pay a ransom.
is the founding editor-in-chief of The Record from Recorded Future News. He previously was the cybersecurity and privacy reporter for Protocol, and prior to that covered cybersecurity, AI, and other emerging technology for The Wall Street Journal.