The industry consensus today is that the only way to reliably end the threat of ransomware for good is to stop paying ransoms.
Some have even gone so far as to suggest that they should be banned altogether. But because of a lack of public knowledge and transparency, it’s almost impossible to know the full scale of the problem, and therefore to understand the right solution.
Because the disclosure of a ransomware attack has a reputational impact on the victim, they are often better off downplaying the extent of a breach. Similarly, security professionals who discover such breaches are discouraged from disclosing attacks which are not yet in the public domain, no doubt dissuaded by confidentiality agreements and the threat of legal action.
However, should we really blame them? Blame culture is rife within cyber security, and although it is sometimes justified, it’s rarely helpful in addressing the root cause of the problem and certainly dissuades others from disclosure. The legal and reputational implications of insecure data handling understandably put victims into full damage control mode. But the typical attempts to control the narrative – e.g. overzealous denial of wrongdoing, downplaying of impact, emphasising the sophistication of the attack – exhibit all the worst traits of the corporate world and often do more reputational harm than good.
At the same time, cyber attackers masquerade as legitimate businesses, operate successful marketing and outreach campaigns, and trade on reliability to generate a degree of trust: reliability in that they will release stolen information unless a ransom is paid, and trust that they will free the victim and not leak stolen data if a ransom is paid.
Many ransomware gangs maintain transparent codes of ethics, and offer detailed security advice upon payment to reduce the future susceptibility of the victim. Some have even attempted to make charity donations.
This creates an environment where interacting with ransomware gangs and paying the ransom can appear to be a credible and legitimate solution to the problem. In the cases where those falling foul of a ransomware attack could have done more to protect themselves and their customers, the line between the good guys and the bad is becoming blurred.