Colonial Pipeline Company recently paid $4.4 million to get its data back after a ransomware attack, rekindling the debate over whether companies should give in to cybercriminals’ demands. Find out why some companies decide to pay the ransom while others do not.
Most people had never heard of the Colonial Pipeline Company before May 2021, even though it transports 45% of all fuel consumed on the US East Coast. This company works behind the scenes, moving 100 million gallons of refined gasoline and jet fuel through 5,500 miles of pipeline each day. However, that all changed in early May when the fuel stopped flowing for several days. Numerous reports about gas pumps running dry and people panic buying gas made Colonial Pipeline a household name.
A ransomware attack was to blame for the fuel stoppage. The DarkSide ransomware gang had infiltrated the IT systems in Colonial Pipeline’s corporate network. Besides having its IT systems offline, the company shut down certain systems in its operational network as a precautionary measure. The operational network uses automated systems to monitor and control the fuel that flows through the pipeline. Taking those systems offline prevented the infection from spreading to the operational network. However, it also resulted in the shutdown of all pipeline operations.
The company paid $4.4 million to the DarkSide ransomware gang to get the key needed to decrypt its data. While paying the ransom enabled Colonial Pipeline to get its pipeline operations online sooner, security experts are concerned that it will encourage other cybercriminals to try similar attacks. And their concerns may be well founded. Just weeks after Colonial Pipeline paid the hefty ransom, one of the largest meat producers in the world, JBS, announced that it was the victim of a ransomware attack.
These events are rekindling the debate about whether companies should pay the ransom if their data is being held hostage. Answering this question, though, is not as simple as it seems, especially given the new tactics that cybergangs are using. Even the Ransomware Task Force — a group that recently developed a strategic framework for combating the growing ransomware threat — could not agree on an answer. “The Ransomware Task Force discussed this extensively,” said one of its members. “There were a lot of important things that the group came to a consensus on and payment was one where there was no consensus.”
So, it is up to businesses to decide for themselves whether it is a good idea to pay ransomware gangs. Here are some of the reasons why companies do and do not pay up when they fall victim to a ransomware attack.
Why Companies Pay the Ransom
Paying the ransom to get data back is a fairly common occurrence among companies. “The State of Ransomware 2021” study by Sophos found that 32% of the companies whose data was encrypted by ransomware in 2020 paid the ransom.
Colonial Pipeline also decided to pay the ransom after it discovered some of its files were encrypted. “I know that’s a highly controversial decision,” said the company’s CEO Joseph Blount. “I didn’t make it lightly. I will admit that I wasn’t comfortable seeing money go out the door to people like this. But it was the right thing to do for the country.”
Blount said he authorized the payment because, at that time, no one knew how badly the company’s systems were breached. Therefore, he did not know how long it would take to repair those systems and get the pipeline back online.
As the Colonial Pipeline example illustrates, some companies pay the ransom to minimize the disruption to their operations, especially when the disruption significantly affects the lives of other people. In other cases, businesses pay the cybergangs because doing so is easier or quicker than reconstructing their data from backups. Or organizations might find that their only option is to pay. Perhaps they did not create any backups or the ransomware encrypted both the original data and the backup files.
Additional pressure tactics used by ransomware gangs can also prompt a company to give in to their demands. Those tactics include:
Why Companies Do Not Pay Up
About two-thirds of the companies whose data was encrypted by ransomware in 2020 did not pay the ransom, according to “The State of Ransomware 2021” study. They were able to recover their data from backups or through some other means (e.g., using a decryption tool provided by a third party), thereby eliminating the need to pay up.
Most security experts recommend that ransomware victims follow in these companies’ footsteps. The experts believe that giving in to ransomware gangs’ demands encourages them to carry out even more attacks. It also lures other cybercriminals into carrying out this type of attack. The newcomers do not even need to know how to create a ransomware program. Some gangs let other cybercriminals use their ransomware programs for a share of the profit, a practice referred to as the Ransomware-as-a-Service business model. In 2020, two-thirds of the ransomware attacks were carried out by cybercriminals using this model, according to Group-IB’s “Ransomware Uncovered 2020/2021” report.
Besides encouraging more ransomware attacks, there are other reasons why security experts do not recommend paying the ransom. Here are a few of them:
Only the Start of the Long Road to Recovery
Whether or not to pay the ransom is a difficult decision that companies need to make if they fall victim to a ransomware attack. No matter their decision, they will face many challenges while recovering from the infection. Besides having to restore their data and systems, they will need to find and fix the security hole that allowed the cybercriminals to access their networks so they do not get attacked again. And they will need to determine how to absorb the losses (e.g., lost revenue from downtime) and additional costs (e.g., the cost of bringing in forensic experts) resulting from the attack.
For Colonial Pipeline, the recovery will take months and cost the company millions of dollars, according to Blount. However, there is one loss the company won’t be able to recoup — the company’s anonymity. “We were perfectly happy having no one know who Colonial Pipeline was,” said Blount. “Unfortunately, that’s not the case anymore. Everybody in the world knows [us now].”