RSA Conference Panelists Split on Question of Paying Data Ransoms

A panel of experts recommended different ways of hardening companies against ransomware attacks, including better backups, insurance and perhaps even paying.

ransomware

SAN FRANCISCO—Ransomware will continue to cause pain for companies in 2017, but there continues to be no single successful strategy to prevent or reduce the damage caused by this disruptive malware.

For many companies, backups will provide a reliable fall-back measure if the company’s data is encrypted via ransomware. Yet, recovering data from backups is expensive and not always successful, according to a panel of security experts at the RSA Conference.

There is no single measure to prevent a ransomware attack and no single product at the conference that will save a company from a ransomware infection, Gal Shpantzer, CEO of Security Outliers, told attendees.

“Everybody is all about ransomware all of the sudden in 2017,” he said. “They have the ransomware silver bullet and they are going to sell it to you this week at the conference—and we all know that is not going to happen.”

As ransomware continues to be the great bogeyman in 2017, companies will have to develop a strong security strategy to protect their businesses against disruption. If they don’t, they may find themselves relying on the good will of cyber-criminals holding critical data for ransom from half a world away.

The panel of three experts essentially split on the question of whether even to pay the ransom.

Cyber-criminals who have built up the illicit business of ransomware have an incentive to reliably deliver data back to the victims who pay, Michael Duff, CISO of Stanford University, told attendees.

“This is a business, and the adversaries are incented to give you the key if you pay the money,” he said. “We also might not want to blame the adversaries, because—yes, it is an illegal activity—but what has really happened is that they have exposed a weakness in your security.”

Yet, other panelists pointed out that relying on cyber-criminals to be trustworthy and competent is not a recipe for success.

“Paying a ransom is not a guarantee that you are going to get back access to the system,” said Neil Jenkins, director of the Enterprise Performance Management Office (EPMO) at the U.S. Department of Homeland Security. “And we highlight that paying a ransom is no guarantee that the criminals are not going to hack you again.”

In addition, companies that pay also fuel the business model, Jenkins said.

For companies worried about getting their business back up and running, the larger question of giving criminals long-term reasons to keep ransomware going is completely irrelevant, said Gal Shpantzer, CEO of Security Outliers.

“Ask for time, negotiate the rates and ask for proof-of-life,” he said. “You want to know the QA on their software actually works, because encryption is actually really easy—decryption is hard.”

Companies may also want to have someone who has some facility with bitcoin, because that is generally the method of payment for ransomware. When the clock is ticking down, trying to navigate the unfamiliar waters of the Bitcoin economy can slow down payment and potentially lead to data loss, Shpantzer said.