Ransomware: To Pay or Not to Pay

We’ve all seen the movie: the steely eyed law enforcement officer draws a deep breath and says firmly “we don’t negotiate with terrorists. Ever.” But the fact is, we do. It might be appealing to have a clear-cut, black-and-white measure for when to talk or when to shut down talks; but the nuances of when it makes sense to enter into negotiations and when it makes sense to pay ransoms for hostages or not is not as straightforward as a five-word policy.

That brings us to ransomware and whether to pay or not, and it’s neither simple nor straightforward for policy makers. New York State is deliberating two bills on ransomware: S7246 introduced by Sen. Phil Boyle, (R), and S7289, introduced by Sen. David Carlucci (D). Both would make it illegal to pay ransoms, one for the government and one more generally. While the sentiment here of “enough is enough” and taking a strong stance is important, it has to be more than virtue signaling or these laws and others like it have the potential to do real damage to the victims.

Before continuing, let’s make clear the differences between ethical and legal frameworks. An ethical framework is a mechanism for determining right and wrong: religious frameworks for instance believe that right aligns with divinity while frameworks like utilitarianism believe that right aligns with the most good for the most people. This is not an endorsement of any framework, but rather an important difference to highlight because laws codify what will be encouraged or discouraged, sometimes harshly in a society; and we want to pass laws that align with the ethical framework we’ve chosen.

The spirit of “never pay ransoms” seems to say crime must be stopped at all costs. The ethics here suggest crime is the ultimate evil and must be stopped. To fund the dark side is not acceptable, and we should rally not to do so in a tight, disciplined, unforgiving-of-errors manner. The problem is the “at all costs” part of that statement. Do we really mean that?

Imagine ransomware in a nuclear power plant or in the middle of a busy day in a surgical center... or twelve surgical centers in a state like NY. Lives are in the balance here, and we run into another ethical framework: that which promotes life and human life is the most important thing. If the law was written in a way that made it illegal to pay ransoms and too bad for a nuclear incident or 12 lives waiting for surgical data and equipment to return to functional status, would you break the law? Would the penalty make you pause, and if you decided the penalty was too much and something terrible happened, would you then face potential civil damages for your choice?

Right and wrong are not necessarily aligned with the law (for a further example, see apartheid), so I would encourage legislators to tread carefully when legislating and to understand the technology and all the cases and trade offs with extreme care. Don’t rush into this one! However, let’s get pragmatic here and helpful to the presumable well-meaning legislators in New York and elsewhere considering something similar now or in the future. 

Guidelines for ethical consideration and for public safety are essential, which demands a weighing of ethics. At the moment, we have no laws on the books regarding payment or non-payment of ransomware demands. We can say with certainty that, generally speaking, it's right to minimize all funding to ransomware gangs, but at what point is that not true? What is the price to keep subways running, to avoid being locked out of a nuclear control system or to enable a brain surgeon to finish a delicate tumor extraction? Decide how the corner cases will be handled, set the penalties accordingly and provide the public and the courts with more than just “thou shalt not pay ransoms.”

Laws can be written that provide exceptions and guidelines or even require an independent board to consult before payment is considered rather than an absolute moratorium on payment. Ideally, such a law will do no (or least) harm and will strangle the ransom gangs of funding, while encouraging funding for critical infrastructure and new innovation in the areas we collectively find most vital to maintain in operation. We are a society of laws and, once written, we need to respect them or overturn them within the system. We can not afford an unethical or unjust law simply to telegraph frustration over ransomware, especially when it means that the victims of ransomware will only suffer more as a result.

If you're looking for a deeper dive on ransomware threats, check out our ransomware resources page.

Sam Curry
About the Author

Sam Curry

Sam Curry is CSO at Cybereason and is a Visiting Fellow at the National Security Institute. Previously, Sam was CTO and CISO for Arbor Networks (NetScout) and was CSO and SVP R&D at MicroStrategy in addition to holding senior security roles at McAfee and CA. He spent 7 years at RSA, the Security Division of EMC as Chief Technologist and SVP of Product. Sam also has over 20 patents in security from his time as a security architect, has been a leader in two successful startups and is a board member of the Cybersecurity Coalition, of SSH Communications and of Sequitur Labs.

All Posts by Sam Curry