Today a major beef supplier, JBS, announced they paid 11 million in ransom after the systems that managed their meat plants were breached by ransomware hackers. Their CEO, Andre Nogueira, stated, “This was a very difficult decision to make for our company and for me personally. However, we felt this decision had to be made to prevent any potential risk for our customers.” This story is becoming all too common.
A month ago Colonial Pipeline suffered a malware attack that caused a shutdown of a major part of the fuel supply to the East Coast for several days. They chose to pay a $4.4 million ransom the day after they detected the ransomware attack. Their CEO, Joseph Blount, stated, “I made the decision to pay, and I made the decision to keep the information about the payment as confidential as possible. I kept the information closely held because we were concerned about operational safety and security, and we wanted to stay focused on getting the pipeline back up and running.” This week the FBI announced that they were able to get back $2.3 million. What would have happened if Colonial Pipeline hadn’t paid? The pipeline could have been shut down a lot longer. They could have been forced to pay in the end anyway, and, of course, it is possible that they could never have retrieved any of the money they paid out.
So does this mean that you should pay?
The FBI says, “Never pay ransom.” Some would argue that if we all didn’t pay, ransomware would just stop. Whenever an organization pays they are encouraging future ransomware attacks. In fact, your payments could be supporting other criminal activities.
But what if you are a hospital and your patients are depending on the infected systems to live? What if the 911 system of a city is hit and lives will be lost if the system is down? Aren’t the human lives at risk more valuable than the amount of the ransom being demanded? Shouldn’t the risk of losing human lives be a strong reason to ignore what the FBI says and pay the ransom?
How about when crucial parts of our infrastructure are at risk? Food supplies? Electricity? Water? Fuel pipelines? Colonial Pipeline controlled a major part of the fuel supply to the East Coast. Being shut down for just a few days triggered severe fuel shortages and fuel hoarding.
Should we agree that if human lives are at risk or if the attack could affect millions of people we should always pay the ransom? Where do we draw the line? According to a Kaspersky study last year, 56% of ransomware victims paid the ransom but a quarter of those never got their data back. Should you pay the ransom if there is a 1 in 4 chance that it won’t do any good and you will never recover your data?
So should you pay or not? The answer for many is “it depends.” You need to take multiple factors into account and make the best decision for your organization.
- Are lives at risk?
- If you can recover the data, how long will it take?
- Would the cost of the downtime while you recover the data exceed the ransom demand?
There is no easy answer to the “Pay or Nay?” question when it comes to ransomware. The FBI says to never pay. When the ransom is paid you are encouraging the attacks to continue and could be contributing to larger criminal enterprises. However, if the loss of data could cause the loss of human lives, or affect millions of people by disrupting the food supply chain, the decision is not so easy. By shutting down meat plants, as in the JBS case, and by cutting off fuel supplies, as was the case with Colonial Pipeline, these ransomware attacks are affecting millions of consumers. We can understand why these organizations decided to pay; the cost of not paying was far greater than the price of the ransom. Hopefully, we can all learn from these attacks and prioritize putting resources into cybersecurity prevention and detection.