With ransomware, pay up if you want to keep paying

A hospital CEO is contacted in the middle of the night with a dire warning. Hackers have taken control of computer systems used for patient care, CT scans, and lab work.

The hacker wants money. Rather than pay the ransom, the hospital CEO enlists several experts to try to break back into the system. The attempt fails.

Time is wasted, and the CEO has a choice. He could pay the ransom, about $17,000. Or he could put in danger hundreds of patients whose medical records and testing are now inaccessible, blinding doctors and nurses to patient history, medicine dosages, and other information critical to care.

And that’s the problem when it comes to ransomware. Not paying a ransom could easily be much more damaging than paying it.

A growing threat

The ability to take control of a hospital’s entire IT infrastructure isn’t a hypothetical. It happened to Hollywood Presbyterian Medical Center in Los Angeles in 2016. And on nearly any day, news reports turn up new details of attacks in other sectors. Ransomware has evolved past desktop computers and corporate data centers. These attacks can cripple businesses and even public infrastructure.

Most executives have at least a passing knowledge that ransomware is a threat, but many aren’t aware of all of the avenues ransomware attacks can take. Ransomware code can be hidden in email, in images on an infected webpage, in SMS text messages, and in videos. And even those who are aware of the large number of paths a ransomware virus can travel don’t think it can happen to them.

Hackers, however, are attacking companies big and small. Dentists' offices, college students, and large hospital systems can be targets, with ransoms ranging from $50 to tens of thousands of dollars. When it hits, executives in all types of businesses are often woefully underprepared.

And then there’s an added layer of unpredictability. Hackers want payment in Bitcoin – the cryptocurrency that is believed to be both anonymous and untraceable. But the price of Bitcoin fluctuates on the open market, sometimes radically. Large price swings could leave some victims paying far more than they expected.

Pay up or refuse?

So there you are, staring at a locked computer screen demanding a ransom. Do you pay? There are powerful reasons not to.

Paying a ransom fuels a criminal enterprise, one that is fairly sophisticated – some groups run help desks to teach victims how to buy bitcoins to pay ransoms. They clearly have the funds for research and development, so paying not only propels more attacks on other businesses, it also encourages hackers to adapt to new security measures and to develop attacks on new entry points.

It could also lead to more attacks on your business. By paying, you put a target on your back, showing hackers you’re a fruitful mark. Like any smart businesspeople, hackers looking to earn a quick dollar will target those who have shown they are vulnerable and are willing to spend money to recover their systems.

The answer, then, is simple: Pay if you want to keep these criminals in business. Pay if you want to provide funds to design new attacks. Pay if you want to keep paying.

Why paying ransomware should never be a question

The only way to slow the flood of ransomware is to stop paying. By removing the financial incentives for hackers, you’re removing the reason ransomware exists.

But that scenario presents us with a collective action problem. If 99 percent of all businesses decide they won’t pay, those that remain could still be a fairly lucrative target.

That means building strong defenses, with an eye for prevention first. Backups can, in many cases, reduce the destruction and downtime after an attack. Executives should also focus on strengthening the basics: strong passwords, regularly installing updates to patch security holes, whitelisting applications, and training employees not to click on suspicious links.

We started this article with a question: Would you pay a ransom? Those with strong defenses might never have to find out.
