Renee Dudley and Jeff Kao report that two firms that advertised technical solutions for responding to ransomware incidents (Proven Data Recovery of Elmsford, New York, and Florida-based MonsterCloud) were really just paying the ransom to the attackers.
Read more on ProPublica.
I suspect that ransom payments have been the dirty little secret for the past three years or so. Once the FBI came out and said it didn't recommend paying ransom, I think firms became more hesitant to disclose that they had paid. Who wants to be named and shamed as a company encouraging attackers by paying them, right?
But payment seems to be happening a lot more than we might have guessed. As a lawyer from a prominent law firm that handles hundreds of breaches every year told me, it’s an economic/business decision. What is it going to cost you if you don’t pay? That law firm also claims that in 94% of their cases, working decryption keys are obtained when victims pay the ransom. Both that law firm and a whitehat from an intel firm tell me that these days, they are seeing 7-figure ransom demands in some cases.
At this rate, I think that paying ransom may become the first option, rather than the last resort, for firms that don't have usable backups or can't afford what could be a lengthy disruption to their business or patient care. So is every firm looking at its cyberinsurance policy to see whether it has coverage to pay ransom in the event of a ransomware attack? Do they know how to obtain BTC in a hurry if they don't already have an incident response firm on board and ready to react?
The times, they are a-changing.