Security Experts:

Economics of Ransomware - To Pay Or Not To Pay?

Ransomware

In school, I always loved economics. That is, of course, the absolute opposite sentiment of 97% of people.  The reason I have the feelings towards economics that I do is the fact that economic principles drive the world around us, something that I am reminded of frequently. The Laffer curve, supply-side economics and Keynesian philosophies are all over the news, but there are countless additional clues around us of how economic theory drives everyday decisions.  Like whether to pay to free yourself of ransomware.

Why?  Well, first, you can’t “win.”  There is no winning, not unless you possess unlimited resources and patience.  But you don’t, and you’re not smart enough to outwit them.  I can imagine some folks thinking that their back-up schema is so clever they can just endure the loss of one system or set of systems.  Are you sure those data sets are not infected as well?  

Prevention is key, but after the ransomware has been released, there’s little that can be done.  Prevention in this context means all the same tactics and strategies often written about here in SecurityWeek and elsewhere: identity management, password hygiene, employee training (e.g., avoidance), data back-up best practices, etc.  It’s all much the same – in this case, all we are dealing with is a different payload on a seemingly infinite list of vulnerabilities.

There are technologies in the area of ‘detection’ / prevention – but I’m not going to mention them here because they are currently either (1) generally ineffective (yes, despite vendor promises), (2) are so performance-intensive that they are virtually unusable, or (3) from a small number of vendors you probably you don’t do business with. I have seen some hardware-level assisted technologies in experimental stages that take actions at the lowest level of the stack – but despite their true promise, they’re not quite ready.

Second, paying the ransom is not prohibitively expensive, especially compared to the damage / costs associated with having the payload of the ransomware detonate. Criminals have embraced the art and science of pricing – finding the point where marginal cost equals marginal return.  As an economist at heart, that is a beautiful thing. The criminals behind ransomware are also amateur economists.

While the success of “commodity” ransomware attacks may be declining, more targeted and sophisticated attacks are on the rise against businesses and government organizations across the U.S. and costing many of these entities millions in damages.

A side note on “just pay”: you must actually have money on hand in the format of the day in order to be capable of paying. Think of this like the “petty cash drawer” – quick currency on hand to take care of urgent issues. The bottom line is you can’t pay if you don’t have the right currency.  I’m not going to, in this static column, prescribe a currency to have on hand because the currency frequently changes.  So, your advisors will have to stay on top of this.  Sometimes it’s gift cards, but often it’s cryptocurrencies.  If your organization is a hospital, you must have a robust amount of varied payment methods ready to go in my opinion.  If your organization is of a less time-sensitive nature, you can be less aggressive here.  Think through this though because the key advice here is this: get back to work as quickly as possible. 

You have to think about this as a speeding ticket. You did something wrong (and you probably did), received a fine, and should just pay it. Fighting it is too expensive, too time-consuming, too much of downside risk. The cost and embarrassment stings a bit, but the alternative is much worse.  The important thing is to understand your mistake – and that’s exactly what this is when it happens, a ‘self-inflicted injury’ – and make sure it doesn’t happen again.

At the end of the day, I encourage businesses and organizations of all sizes to leave the moral judgments regarding ransomware to the government.  Leave the “fight” to the companies that are paid to fight, that are equipped to fight. Just pay. Just pay and go on with your life. And in the future focus your energy on that ounce of prevention as frequently described by SecurityWeek.

view counter
Jim Gordon is GM of Security Ecosystem Strategy & Development at Intel Corporation. He is an Intel veteran of 20+ years and has held a variety of roles over this time. He has held leadership positions in Intel’s channel product, influencer, and software & services groups. Most notably he served 3.5 years as Chief of Staff and Technical Assistant to Intel’s then President Renée James. He currently is GM of the Ecosystem & Business Development Intel’s Platform Security Group. He holds a BS in economics from the University of California at Davis as well as an MBA from Purdue University. Jim is also a self-motivated and very active contributor to diversity and inclusion (D&I) efforts at Intel specifically and in general across tech – even though he does not work and has never worked in HR. For Intel in D&I he has served as a top leader in its internal “Inclusive Leaders” program – a program dedicated to engaging, training, activating and supporting those influential “male majority” business leaders to take responsibility for and take proactive actions towards full inclusion.