(Almost) Never Pay the Ransom

Weekly Article
May 30, 2019

This article originally appeared in Future Tense, a collaboration among Arizona State University, New America, and Slate.

For more than two weeks now, Baltimore has been battling a major ransomware attack on its city government infrastructure. The city government’s email, voicemail, property tax portal, and water bill and parking ticket payment systems have all been affected, and more than 1,000 pending home sales have been delayed. (To add insult to injury, the Baltimore Sun reported Thursday that “Gmail accounts created by Baltimore officials as a workaround while the city recovers from the ransomware attack have been disabled because Google considers them business accounts that should be paid for, the mayor’s office said.” Update, May 23, 2019: As of Thursday evening, Google says access to the Gmail accounts has been restored.) The cause of these problems is a relatively new strain of malware called RobbinHood, which, like other ransomware programs, encrypts infected systems so that they cannot be used or accessed until a payment is made and the attackers provide the necessary decryption key. It’s a deeply frustrating type of cybersecurity incident because it interrupts operations so completely. Even if a victim is perfectly prepared with full offline data backups, it still requires time and resources to reboot all of the infected computers.

So far, Baltimore’s response appears to have been admirable, if slow. It’s taking systems offline to prevent the malware from spreading and setting up an offline alternative to the online system for processing home sales, for instance. But in an interview on Monday, Baltimore Mayor Bernard Young hinted that he might be considering the worst possible response: giving in to the attackers’ demands for a payment of 13 bitcoins, or roughly $100,000.

Young didn’t say he would authorize the payment, but he showed signs of caving to the pressure, telling reporters, “I am thinking. Right now, I say no, but in order to move the city forward? I might think about it. But I have not made a decision yet.”

From a financial perspective, it makes perfect sense that Young would consider acquiescing to the ransomers’ demands—after all, it will cost the city far more than $100,000 to restore the systems that have been compromised. But long-term, that cost-benefit analysis looks very different. Every time a victim pays up in a situation like this, it simply allows the perpetrators to continue with this line of cybercrime—and, more than that, encourages others to follow in their footsteps, because it reinforces the idea that this is a viable and lucrative business model.

Even Young’s public statement that he is considering such a payment may be enough to encourage future attacks of this kind on Baltimore, by signaling to would-be attackers that the city has not ruled out the possibility.

When the city of Atlanta experienced a similar ransomware attack in 2018, media coverage noted the irony of the city’s spending $2.6 million to recover from the incident rather than paying the demanded $52,000. But while Atlanta’s recovery spending was perhaps excessive (the consultancy fees it paid for “incident response consulting” and “crisis communications services” were ludicrous), the city had exactly the right idea in refusing to give in to the ransom demands.

There are multiple reasons it’s a bad idea—both financially and ethically—to pay a ransom in any circumstances short of life and death. However frustrating the Baltimore situation may be right now, the inability to pay parking tickets or purchase a house does not reach the bar of, for instance, a hospital unable to administer care to patients because of ransomware.

From a purely self-interested perspective, there’s a real risk that Baltimore could pay and then find that the attackers do not actually restore their systems—or demand more money before doing so. According to a 2016 study by Kaspersky Lab, roughly one in five ransomware victims who pay their attackers are still not able to retrieve their data. (As a sort of insurance against that risk, the Baltimore hackers have allegedly offered to decrypt three files at no charge to show they are “honest,” according to the New York Times.)

Even if the RobbinHood perpetrators restore Baltimore’s computer systems upon receiving payment, that’s still no guarantee they won’t return to attack the city again in the future. They may even leave traces of malware or backdoors on the city’s systems to ensure their ability to do so. And even if those particular perpetrators move on to other targets, other attackers will know that the Baltimore government is a promising target, liable to give in to demands if the attack is sufficiently severe.

Beyond just opening itself up to more trouble and future ransom demands, Baltimore also stands to put the rest of us in greater danger by paying the ransom. For the most part, cybercriminals only continue to spread ransomware because it is a profitable business—one 2017 study found ransomware payments over a two-year period totaled more than $16 million.

So, yes, it’s important to make regular, automated backups of all your systems; it’s important to segment your network so that it’s hard for malware in one part to spread to all the others; it’s important to have offline alternatives to online systems; it’s important to be careful about suspicious websites and email attachments. But none of those things, on its own, is going to drive ransomware out of business. The only two things that have the potential to really dramatically drive down the frequency of ransomware attacks are a global regulatory crackdown on cryptocurrency exchanges (which does not appear to be imminent) or a widespread refusal to pay ransoms that forces cybercriminals into another line of work to pay their bills.

No one should be paying ransoms, but public entities, like city governments and police departments, have a particular responsibility to protect the public good by doing the slow, hard, expensive work of restoring and securing their systems rather than taking the easy way out—which will, in the end, only make everything harder.