Data Recovery Firms Add New Layer of Complexity to Ransomware Decisions

May 28, 2019

Baltimore City Hall | Kenneth K. Lam via the Baltimore Sun

Deciding whether to comply with ransom demands poses a difficult choice for victims of cyberattack. Agencies and organizations whose files have been locked down must balance the need to regain control of their files quickly against the strategic and moral aversion the FBI and others have to paying ransom.

ProPublica recently published a piece that sheds a new light on this choice. Private “Data recovery” firms promise to assist victims in regaining access to their files. While these firms claim that they have the ability to break encryption and recover files without paying ransom, cyber researchers found that these firms often comply with cyberattackers demands and pay the ransom. It turns out that most ransomware is impenetrable.

The official line from law enforcement is that we should refuse to succumb to ransom demands. This makes sense because rewarding extortion just encourages more hackers to do the same thing. But when recovering data access quickly is critical for public safety, paying the ransom may be the most sensible option. Victims may not be able to ensure that paying the ransom will get their files back in useable form, but recovering or rebuilding files can be even more expensive than the initial ransomware demand. After Atlanta refused a $100,000 ransom demand in April 2017, the city spent over $17 million recovering and restoring its network.

One of the firms mentioned by ProPublica, Proven Data, notes that over numerous interactions with the same hackers, the firm convinced the attackers to extend payment deadlines. The hackers even suggested that victims get in contact with the firm, who became a regular intermediary. Setting aside the ethics of running a firm that profits from negotiating payments to criminals, this dynamic is striking. It confirms that negotiation is indeed possible in ransomware situations, even when there is no direct contact between the attacker and the victim.  Negotiation could be a useful tool for de-escalating conflicts.  

The dynamic between law enforcement agencies and private firms operating as intermediaries illuminates an ethical grey area. Ultimately, regaining control of their data is the most important objective for most organizations that have been hacked. Federal agencies have a different objective. They are trying to put a stop to future cyberattacks. Private firms, siding more with the victims than the government, may nevertheless help law enforcement achieve its ends by keeping quiet about ransoms being paid by victims of cyberattack. 

Whether or not to pay the ransom depends on the situation and players involved. The addition of quiet intermediary between victim and hacker adds a new level of complexity that policymakers will need to factor into the practices they promote. Is it ethical for city agencies to spend taxpayer funds on contracts with private companies who quietly pay ransom demands – even if this might save taxpayer money in the long run and preserve public safety? Would it be preferable for agencies to pay ransom directly and make clear that it has done so? And who should decide whether ransom should be paid in a particular situation? 

Critical urban infrastructure operators and city government would be well-advised to take whatever preventative measures they can and seek to enhance their resilience in the face of cyberattack, for example, by purchasing insurance. insurance. By planning for cyber resilience and maintaining offsite, back-up servers, agencies and organizations can recover from attacks more quickly.