I usually don’t link to podcasts, but this one was especially good, I thought, as an analysis of what happened in Baltimore’s ransomware incident. And I am glad to hear Graham say what I have said a number of times: “Sometimes paying the ransom is a good idea.” You can hear the podcast here.
I recently attended a session at the Privacy + Security Forum in Washington, D.C. that dealt with ransomware response. On the panel were some private sector lawyers (of course), and officials with the FBI, Secret Service, and a consulting firm. I’m not naming them because their identities aren’t particularly important to this point. What’s important is that the government really does not want victims paying ransom because it will encourage more ransomware attacks. But they can’t really tell you NOT to pay ransom, so instead, they issue these PSAs that remind you that there is no guarantee that paying ransom will result in getting a decryption key, and maybe your data will be corrupted anyway… and maybe they will hit you again, etc.
That day, I decided to throw some questions at the panel. The first was “Is it illegal to pay ransom?”
Their answer was that it might be, depending on whom you were making the payment to — could you, for example, be providing material support to terrorists? But the FBI and Secret Service hastened to make clear that the government has never prosecuted any victim for paying ransom, and the FBI’s policy is not to revictimize victims.
My next question was based on something I had been told months ago by an attorney from BakerHostetler and also by someone from a cyberforensics firm with a lot of experience in ransomware cases. I asked the panel, “Isn’t it true that in about 94% of cases where victims pay the ransom, they DO get the decryption key and their data back?” And every member of the panel wound up acknowledging that was true.
So although the public isn’t told this clearly because the government wants to discourage it, I will repeat what I have been saying for quite a while: for some entities, paying ransom will just be a business decision based on how much money they will lose if they cannot function due to the ransomware attack. For other entities, paying the ransom may be the difference between being able to care for patients and save lives.
As a healthcare professional, I cannot imagine taking risks with patients’ safety or lives. If you’re in that bind, don’t let anyone or our government dissuade you from what you feel you ethically have to do to take care of patients. If you feel you need to pay the ransom, pay the ransom. We can point fingers later about whether it all could have been avoided, but at that moment, you may need to just suck it up and pay the ransom so you can get back to caring for patients.
BUT: if you do pay ransom, maybe you shouldn’t go around publicly telling everyone that you paid the ransom and how much you paid. THAT piece might best be kept unpublicized.