Data Recovery Firms Add New Layer of Complexity to Ransomware Decisions

MIT CYBERSECURITY CLINIC

The new MIT Cybersecurity Clinic (11.274 and 11.074) will be offered in both the fall and spring semester at MIT.

The Cybersecurity Clinic will consist of four-modules : Cybersecurity for Critical Urban Infrastructure: Understanding the Problem; How the MIT Cybersecurity Clinic Makes Initial Contact with potential Client Agencies; Onsite Assessment of Cybersecurity Vulnerability by MIT Clinic Staff; and Prepare and Submit a Final Cybersecurity Vulnerability Assessment to a Client Agency. MIT students who want to take on field assignments with the Cybersecurity Clinic (for academic credit) must pass the certification examination offered at the end of the fourth module.

Students who have achieved certification, will work in teams supervised by advanced doctoral and post-doctoral students during the last nine weeks of the spring semester to collaborate with an assigned client agency to prepare a Cyberattack Vulnerability Assessment for a client agency.

WHO WE ARE

We are developing a new class of non-technical strategies against cyberattacks called Defensive Social Engineering. Cyber defenders can use Defensive Social Engineering along with technical tools to defeat or compromise attackers. One technique in the Defensive Social Engineering toolbox is Cyber Negotiation. This research is supported by MIT’s Internet Policy Research Initiative (IPRI).

RESOURCES

Click here for a list of publications and resources

ABOUT THIS BLOG

click above to read more about this blog and watch the short animation below

CIRCIA Proposed Regulations Uncertain Ahead of October Final Rule Publication

April 2, 2025
USA Today: Cyberattacks on Critical Infrastructure Are Increasingly Common

January 10, 2025
CISA Proposed Cybersecurity Incident Reporting Requirements for Critical Infrastructure Companies Opened for Comment

December 18, 2024
Boston Globe: How to Thwart Hackers (Local Cybersecurity)

June 5, 2023
Quick guide to the 6 ways we can regulate AI (MIT Tech Review)

May 30, 2023
World agencies issue cybersecurity guidance for smart cities

April 27, 2023
The Electronic Frontier Foundation Opinion Piece on the U.N. Cybercrime Treaty

April 18, 2023
Cyberattacks on local governments 2020: findings from a key informant survey

February 21, 2023
strategic approach to identify, stop and punish cyberattackers (Third Way Cyber Enforcement Initiative)

December 12, 2022
Cyberattack Causes Trains to Stop in Denmark

November 7, 2022

May 28, 2019

Baltimore City Hall | Kenneth K. Lam via the Baltimore Sun

Deciding whether to comply with ransom demands poses a difficult choice for victims of cyberattack. Agencies and organizations whose files have been locked down must balance the need to regain control of their files quickly against the strategic and moral aversion the FBI and others have to paying ransom.

ProPublica recently published a piece that sheds a new light on this choice. Private “Data recovery” firms promise to assist victims in regaining access to their files. While these firms claim that they have the ability to break encryption and recover files without paying ransom, cyber researchers found that these firms often comply with cyberattackers demands and pay the ransom. It turns out that most ransomware is impenetrable.

The official line from law enforcement is that we should refuse to succumb to ransom demands. This makes sense because rewarding extortion just encourages more hackers to do the same thing. But when recovering data access quickly is critical for public safety, paying the ransom may be the most sensible option. Victims may not be able to ensure that paying the ransom will get their files back in useable form, but recovering or rebuilding files can be even more expensive than the initial ransomware demand. After Atlanta refused a $100,000 ransom demand in April 2017, the city spent over $17 million recovering and restoring its network.

One of the firms mentioned by ProPublica, Proven Data, notes that over numerous interactions with the same hackers, the firm convinced the attackers to extend payment deadlines. The hackers even suggested that victims get in contact with the firm, who became a regular intermediary. Setting aside the ethics of running a firm that profits from negotiating payments to criminals, this dynamic is striking. It confirms that negotiation is indeed possible in ransomware situations, even when there is no direct contact between the attacker and the victim. Negotiation could be a useful tool for de-escalating conflicts.

The dynamic between law enforcement agencies and private firms operating as intermediaries illuminates an ethical grey area. Ultimately, regaining control of their data is the most important objective for most organizations that have been hacked. Federal agencies have a different objective. They are trying to put a stop to future cyberattacks. Private firms, siding more with the victims than the government, may nevertheless help law enforcement achieve its ends by keeping quiet about ransoms being paid by victims of cyberattack.

Whether or not to pay the ransom depends on the situation and players involved. The addition of quiet intermediary between victim and hacker adds a new level of complexity that policymakers will need to factor into the practices they promote. Is it ethical for city agencies to spend taxpayer funds on contracts with private companies who quietly pay ransom demands – even if this might save taxpayer money in the long run and preserve public safety? Would it be preferable for agencies to pay ransom directly and make clear that it has done so? And who should decide whether ransom should be paid in a particular situation?

Critical urban infrastructure operators and city government would be well-advised to take whatever preventative measures they can and seek to enhance their resilience in the face of cyberattack, for example, by purchasing insurance. insurance. By planning for cyber resilience and maintaining offsite, back-up servers, agencies and organizations can recover from attacks more quickly.