Ransomware Payments Are A Tricky Topic
I was reading a Register article this morning on the ransomware incidents in Las Vegas.
The topic of ransomware payments is a tricky one. There is a push to ban such payments, but that is mostly discussion at this point.
While paying a ransom in the event of a ransomware attack is not explicitly illegal in the U.S., it is heavily discouraged due to legal complexities, especially if the payment is to a sanctioned entity.
The EU has taken a stance similar to the U.S. regarding payments to entities involved in ransomware attacks, especially where essential services are concerned: EU member states can impose fines for paying ransoms under the NIS Directive.
I will never forget the ransomware incident that happened at a hospital system here in Indiana. In the end, they paid the ransom to restore systems because they were focused on patient care, and it was cheaper to pay the ransom than it was to pay for recovery and restoration.
In the purest sense, it was the smarter business decision to comply with the criminal’s demands. Heartbreaking.
Source: The Register
Two high-profile Las Vegas casinos, Caesars Entertainment and MGM Resorts, faced ransomware attacks by the same cybercrime group, leading to different outcomes. Caesars, which disclosed the attack in an SEC filing, is believed to have paid a negotiated ransom of $15 million, resulting in minimal disruption. In contrast, MGM Resorts, also targeted via phishing, chose not to pay, leading to a week of operational disruptions and estimated losses of $100 million.
The dilemma of paying ransoms in such situations is complex. Ransom payments fund criminal activities and perpetuate the cycle of attacks. However, immediate business needs and the nature of stolen data often influence decisions. Factors like the type of data compromised, backup availability, and the extortion group’s identity play a role. Additionally, the sector’s criticality, like healthcare, can sometimes make paying ransoms a necessary evil to resume vital services promptly.
Government sanctions and legal implications also affect the decision. For instance, paying ransoms to groups like Evil Corp, sanctioned by the US, is illegal. Such regulations, along with international efforts to increase the operational costs for criminals, are essential in combating the ransomware ecosystem.