After a spate of ransomware attacks on government organizations, the FBI has come up with a new stance on paying up ransomware demands.
The latest groups to be targeted by high-value ransomware attacks are hospital organizations in Alabama, USA, and Victoria, Australia. Both resulted in hospitals turning away non-critical patients as employees worked to restore IT systems.
The attacks on government and healthcare providers have forced victims to question whether it is better to restore systems that may not have been adequately backed up or just pay the attackers. The question is particularly acute when the cost of downtime is greater than the ransom demand.
Individually, it may make sense to pay an attacker, but in a collective sense, paying just encourages more attackers to try their luck.
So many local governments have paid huge sums to attackers that a group of 225 US mayors in July signed a resolution not to pay ransomware attackers.
So what should victims do if their IT network is held captive by ransomware? The FBI’s Internet Crime Complaint Center (IC3) has now offered updated and nuanced advice on that question.
The FBI says it does not advocate paying the ransom. Paying up doesn’t guarantee restored access to data and “paying ransoms emboldens criminals to target other organizations and provides an alluring and lucrative enterprise to other criminals”.
But the FBI says it also understands that executives running businesses that have become crippled by ransomware “will evaluate all options to protect their shareholders, employees, and customers”.
In other words, sometimes it pays off to just pay up, even though paying comes with risks and could worsen things for others.
The advice is more nuanced than the view expressed by one FBI agent at a conference in 2015, when ransomware was more often deployed indiscriminately, as opposed to today’s targeted attacks. As Security Ledger reported at the time, the agent said: “To be honest, we often advise people just to pay the ransom.”
The FBI also noted that “since early 2018, the incidence of broad, indiscriminate ransomware campaigns has sharply declined, but the losses from ransomware attacks have increased significantly, according to complaints received by IC3 and FBI case information”.
While the FBI stance has clearly changed in that time, it is encouraging executives, whatever choice they make, to report the incident.
“Regardless of whether you or your organization has decided to pay the ransom, the FBI urges you to report ransomware incidents to law enforcement,” the FBI said.
“Doing so provides investigators with the critical information they need to track ransomware attackers, hold them accountable under US law, and prevent future attacks.