EXECUTIVE SUMMARY:
When experts cannot crack the code, should organizations pay up?
In hostage situations, the United States maintains blanket policy bans on concessions; no bargaining, no ransom payments. The policy sparks fierce debates, and has led to deaths, but the counterargument rationalizes that a ‘no negotiations’ policy will dissuade terrorists from taking American hostages in the future. Should the country implement a ‘no ransom payments’ policy when it comes to data being held hostage?
“I would not be surprised if a significant amount of ransomware both funded terrorism and also organized crime,” stated an expert in the field.
It’s bad form, and frowned upon by the FBI, but around 17% of federal agencies do pay ransoms. Doing so is typically less expensive than the cost of lost productivity, combined with potential loss of intellectual property, consulting fees, legal fees, and recovery fees. Atlanta’s ransomware attack last year is estimated to have cost the city $17 million. The hackers only wanted $52,000. Should they have paid?
When public sector groups hire private companies to assist with decrypting the data, in the attempt to steer clear of shady hackers and any resulting political fallout, it turns out that at least a few private security companies do not have the capabilities advertised. They mislead clients, and pay the ransom demands themselves.
Of course, even if organizations choose to directly concede to the hackers’ demands, there is no guarantee that the hackers will return the hijacked data, at all.
Get more on this story from The Guardian.