Ransomware: to pay or not to pay

This is an opinion piece. The original article was first published on LinkedIn.

I’ve been reading some recently published articles about ransomware attacks in the United States and they got me thinking tangentially about issues of accountability and transparency.

The Washington Post published an article on 28 May about an attack that paralysed Baltimore’s city government in the USA for almost a month!

Try to imagine South Africa’s title deed property entity being down for a month and no-one being able to register transfers or purchases of properties. It would be a serious situation.

While The Washington Post article is full of astonishing facts, the paragraph that really got me thinking was this one:

“It is tempting to view cybercriminals as extremely clever, capable of breaking through the strongest defenses put in front of them. The reality is that they often aren’t, if for no other reason than they don’t need to be.”

What they’re saying is that it doesn’t take a lot to launch an attack, and that many entities – public and private – don’t take basic precautions.

Again, quoting from the Baltimore example: “Nonetheless, basic cyber-hygiene, were it in place, could have greatly limited the damage in Baltimore or stopped the attack altogether. The ransomware, called RobinHood, worked only because city computers had not applied freely available software patches and were operating without effective backups.”

Baltimore’s mayor has so far refused to pay the ransom of $100,000. Instead the city is trying to work around the problem.

Last year, the Atlanta Municipality spent $2,6 million to avoid paying the $51,000 ransom the attackers were asking.

Recently, Florida Town decided to pay $600,000 to attackers rather than go through the nightmare of work-arounds.

How would you feel if you were a rate- and tax-paying citizen of the Jhb municipality, and you heard that it paid more than R10-million to have its IT system “un-ransomed” because it was negligent in its cybersecurity approach?

Business is in the same boat

Equally, what about your business? If you experienced a ransomware attack, would you place the blame on yourself or your IT personnel for not taking enough care?

And when would you come clean that you’ve had a ransomware attack, especially if YOU can be found negligent?

Do you even know what you can do to protect yourself against ransomware attacks?

In another article on ransomware, The Washington Post says: “The argument for refusing to put taxpayer money into malicious actors’ coffers is stronger. Morally, taxpayer money should not be used to reward criminal enterprises. Practically, if cities collectively stop providing that reward, hackers may pack up their keyboards. Every dollar or, more accurately, every bitcoin that cities turn over to cybercriminals encourages them to continue attacking, and it also gives them the resources to do so more effectively and more often.”

It even suggests passing a federal law to bar ransomware payments: “An anti-ransom law would be a dramatic step, but it’s the route to a dramatically positive result”.

Just imagine!
