The Case for Paying the Ransom

On May 7, a ransomware attack made itself known to Baltimore City workers. A version of RobinHood Ransomware had been installed on thousands of computers throughout the city’s network. The attackers, at the time, were asking for about $79,000 worth of BitCoin.

The attack touched multiple city agencies across Baltimore, and the city took action. It shut down its networks. All baltimorecity.gov email addresses stopped working. Much of the city’s phone system, now internet-based, also went down. With computers and networks down, city workers scrambled to figure out how to perform their jobs. Some offices were able to set up temporary email addresses and figure out paper-based workarounds. Other city services simply stopped. (Officials hope, perhaps optimistically, that most city employees will be back online by the end of the week.)

Unable to collect water bills or property taxes, and unable to record real-estate sales, the city seems to be digging in for a long-term crisis. But it should’ve paid up on day one.

Mayor Bernard “Jack” Young—only a week into his official mayorship, and already on the heels of another scandal—stated clearly that the ransom wouldn’t be paid.

As a citizen of Baltimore and a technologist who has worked on secure systems and networks, I see just how strong support for this opinion is, both inside and outside the city. More than that, it’s generally the preferred stance of most of the cybersecurity industry, based on two main arguments.

The first argument, the one favored by security professionals, stresses that paying ransoms encourages more attacks against an ever-broader range of targets, all while quite possibly going to fund organized crime, terrorist organizations, and hostile nation states.

The second argument, and the one that Mayor Young has made multiple times, is one of moral hazard. Simply put, if we pay the ransom, there’s no guarantee that we’ll actually get our data back.

Underscoring the second argument are a series of casual assumptions about the nature of cybercrime and ransomware. The big one is assuming that cybercriminals intentionally seek out their targets. In the imaginations of many, the selection of Baltimore as a target was a specific choice made before the first city computer was compromised.

But most of the time, that’s not how these kinds of situations work.

You may imagine someone sitting down behind their keyboard and saying to themselves, How can I get into Baltimore’s network? The mundane reality, though, sounds more like someone sitting down behind their keyboard and saying, What computers have I found on the internet that are running software with known vulnerabilities? The targets are most often the result of an automated scan—not a personal choice. While an attacker may later pivot to using a more hands-on approach, they may not even know where a computer is or who owns it until after they already control it.

It’s hard to know for sure what the case may be; the city has been tight-lipped about the details of this attack. But despite the attention that high-profile targeted hacks get, it’s the statistical likelihood that this attack wasn’t targeted. Getting into Baltimore’s networks was a happy accident made possible by sloppy systems administration.

Like most criminal enterprise, there’s an economics to ransomware. Assuming the attacker isn’t enacting a personal vendetta, their goal isn’t to cause the city maximum pain or expense. Their goal is to inflict enough pain to make the BitCoin ransom seem worth paying. An intelligent ransomware attacker doesn’t actually want the city’s data—they don’t even want to destroy it. What they want is for the city to pay up. It’s a money-making scheme above all else.

Consider a 2017 Kaspersky study, which found that only one in six people who paid the ransom never recovered their data. Put another way, somewhere north of 80 percent of the time, paying the ransom actually results in data recovery, making it the more likely outcome. This is a reliable enough outcome that two data-recovery companies were recently found to be making a healthy business of paying the ransom, while calling it the “latest technology,” and charging a hefty markup for their efforts.

In addition, data-recovery specialists are expensive, and there’s no real guarantee that they’ll be able to recover all the data (or even that they won’t just pay the ransom themselves and still collect for their services). Those specialists will bill taxpayers millions of dollars even if they fail. All this costs orders of magnitude more than the ransom.

Yes, paying the ransom is rolling the dice. But the gambler’s odds are in our favor. With the total cost of this attack now expected to exceed $18 million, it seems unconscionable that the city wouldn’t have taken the chance. If we got nothing, yes, we would’ve spent $80,000 on nothing. And while that does sound like a lot, Baltimore manages to spend money on nothing all the time.

Just last week, taxpayers spent $50,000 rebuilding a block of bike lane that had just been installed, bringing it out of compliance with our own newly passed Complete Streets law. All that to restore 12 on-street parking spots. If the city can spend $4,000 to build a single street parking space, it can find the money for a ransom payment, particularly when the cost of not doing so is much higher.

Which brings me back to the first argument—the slippery slope/funding-bad-actors problem. I’m far more sympathetic to this argument. There’s a real ethical question here that I struggle with. However, one really important fact in all this is that this attack could’ve been prevented, and for that reason ransomware is a mostly solved problem.

More specifically, it could’ve been prevented using the same piece of general IT security advice I give anyone who asks me for it: Make good backups, and apply security patches as soon as they come out.

Saying ransomware is a prophylactically solved problem is certainly cold comfort for Baltimore. But there’s a lesson to be learned from a Baltimore crisis from 115 years ago.

At a little before 11am on February 7, 1904, a fire started. It spread quickly eastward, burning around 140 acres and destroying nearly 1,500 buildings. Fire companies from all over the region arrived by train to help fight the blaze, but most were helpless because their hoses couldn’t connect to Baltimore’s fire hydrants. By the time the “Great Baltimore Fire,” as it would come to be called, was under control, it had demolished much of downtown.

Baltimore’s was just one of a string of large urban fires that occurred throughout the country in the late 19th and early 20th centuries. Chicago, San Francisco, Atlanta, Boston, and Seattle all experienced massive city-transforming blazes between 1870 and 1920.

In the aftermath of the fire, Baltimore passed more rigorous building codes. The fire also popularized a national movement around standardizing firefighting equipment.

While it took the fire to actually get these things done, the ideas that could lessen such devastation in the face of a fire had actually existed for a long time. For instance, New York City had enacted building codes in response to a series of large fires there in the late 18th and early 19th centuries.

In its own way, ransomware, and a whole lot of other cybercrime, falls into a category with great fires. It’s a real, costly, and destructive problem. However, the solutions are available and effective.

Looking ahead, I want us to take this opportunity to start having real policy conversations about how the city government approaches IT. But to get there, we have to put out this fire as fast as possible, and get the city fully up and running again. It’s a tough call, but given the real human consequences of keeping the network down, this might just be a time to hold our noses, pay the ransom, and think about what building codes will be necessary to prevent another fire like this.