Security

Ransomware: To Pay or Not to Pay?

With attacks on the rise, universities face a tough question with no easy answer.

Mike Chapple is a teaching professor of IT, analytics and operations at the University of Notre Dame.

The high-profile Colonial Pipeline breach that crippled gasoline distribution across the East Coast in May was only the most recent in a string of cyberattacks that have plagued organizations across industries for more than a decade. Ransomware attacks have shut down police departments, hospitals, mining companies, elementary and secondary schools, and even major research universities.

These attacks use traditional malware techniques to gain access to systems by exploiting vulnerabilities in technology or human behavior. Once they gain a foothold, bad actors use strong cryptographic algorithms to encrypt all the data that they encounter, rendering it inaccessible to legitimate users. The attackers then demand payment of a ransom through an anonymous cryptocurrency transaction before they will release the decryption key. Attackers have recently also added an element of extortion, advising victims that they will release sensitive information online if the ransom isn’t paid.

In a recent report, researchers at the cybersecurity firm Sophos cite some alarming statistics. In a survey of 5,400 IT decision-makers, Sophos found that 37 percent of respondents’ organizations were hit by ransomware within the past year and that 54 percent of those attacks succeeded. The costs of these attacks were staggering. In addition to paying ransoms that averaged $170,404, organizations that succumbed to these attacks experienced average losses of $1.85 million. This includes the cost of paying the ransom, the impact of system downtime on the business, equipment, consulting and recovery costs.

When a ransomware attack strikes an educational institution, leaders find themselves facing a crucial question: Should they give in to the attackers’ demands and pay the ransom? Or should they stand their ground, refuse payment and risk losing critical educational records?

MORE ON EDTECH: Learn how to prevent ransomware during remote learning.

The Case for Refusing To Pay Ransomware

Security thought leaders make a strong case for refusing to pay ransomware demands. Their case is pretty straightforward: Paying the ransom encourages the attackers to continue waging ransomware attacks. As long as ransomware is profitable, attacks will continue to plague organizations around the world.

Unfortunately, such attacks do continue to be profitable for hackers. The Ransomware Task Force, a group of industry experts dedicated to battling this scourge, recently released Combatting Ransomware: A Comprehensive Framework for Action, a set of recommendations for a national anti-ransomware strategy. The report cites statistics showing that almost 2,400 U.S. schools, government agencies and healthcare facilities fell victim to ransomware in 2020, and that ransomware authors netted up to $350 million in payments. Each time an organization pays a ransom, the criminals’ profit ticks up, increasing the likelihood of future attacks.

There’s also another potential downside to paying the ransom: There’s no guarantee that such a payment will end the crisis. Ransomware authors are incentivized to release encrypted data once they’re paid because their reputations are on the line. If they fail to release encrypted data, word will spread, and organizations will be far less likely to pay future demands. However, holding data ransom is a criminal activity, and there are no guarantees in the criminal world. Paying a ransom is expensive, rewards criminal behavior and creates its own risk.

When Dealing With Cybercriminals, There Is No Simple Refusal

Although the theoretical case against paying the ransom is strong, any organization that has actually suffered a ransomware attack knows that the decision to refuse isn’t a simple one. When educational and technology leaders have their backs against the wall, paying a six- or seven-figure ransom to end the crisis is tempting. That’s exactly what happened when leaders at one large university paid a $457,059 ransom in 2020.

Educational institutions considering payment should consult with their legal teams to determine whether paying a ransom might violate the law. If an institution decides to move forward and pay, it’s a wise move to demand proof that it is communicating with the legitimate attacker and not a well-informed imposter. One common technique for this is to request the decryption of a particular file impacted by the incident as proof that the individual demanding payment has access to the required decryption key.

Initial demands made by ransomware authors should be viewed as the starting point of a negotiation. It’s often possible to haggle with the attacker and agree on a reduced amount. That’s what happened when ransomware attackers struck one West Coast university demanding $3 million, only to eventually agree to a reduced payment of $1.14 million.

Finally, schools considering paying a ransom should consult with their insurance carriers to determine whether they are covered for these attacks. This is particularly likely if the school carries a policy that specifically covers cybersecurity risks. If insurance coverage applies, the carrier may send in ransomware specialists to take control of the incident and negotiate a successful resolution.

Every institution should have a ransomware strategy as well as a robust stable of cybersecurity solutions, regardless of whether it has already experienced a breach. The Sophos study showed that educational institutions are the most frequent victims of ransomware attacks and that they’re among the least likely to regain data access without paying the ransom. That’s a stark reality, but it is the current state of ransomware in the educational sector.

blackred/Getty Images