Paying Ransomware Ransoms: Decision Guide
Key Points
- The episode pivots from prevention to response, asking “Should you pay a ransom?” and exploring what victims can realistically do once ransomware has encrypted their data.
- Ransomware attacks range from unsophisticated, high‑volume scams that target anyone (like the friend’s laptop) to elite, targeted operations that use zero‑day exploits against high‑value “keys to the kingdom.”
- The Colonial Pipeline incident, as described from public reporting, is the high‑profile example: the attackers hit the billing system rather than the control systems, so product could technically still move but could not be charged for, and the company paid the ransom to get that system recovered.
- Paying a ransom has three possible outcomes: you get your data back; you get a decryption tool that may be too slow or ineffective to use (in the Colonial Pipeline case the company fell back on its own backups anyway); or you get nothing and lose both the data and the money. Paying also signals that you are a soft target known to pay, and it may raise legal questions about funding criminals, so the decision must weigh backup availability, legal exposure, and the attacker's credibility.
Sections
- 00:00:00 Should You Pay Ransom? (https://www.youtube.com/watch?v=s1Y_U0YLNX8&t=0s) - The segment introduces a discussion on responding to ransomware attacks, exploring whether to pay the ransom and outlining the practical options and considerations for individuals and organizations facing encryption incidents.
- 00:03:29 Avoid Paying Ransom: Proactive Measures (https://www.youtube.com/watch?v=s1Y_U0YLNX8&t=209s) - The speaker explains how paying a ransom marks an organization as a soft target, and advises viewers to avoid ending up in that position by putting reliable backups, multi‑factor authentication, and other pre‑emptive security controls in place beforehand.
- 00:07:27 Backup, MFA, and Ransomware Mitigation (https://www.youtube.com/watch?v=s1Y_U0YLNX8&t=447s) - The speaker outlines how to secure data by downloading and locally backing up files (e.g., via email replication) and then reinforces protection by explaining multi‑factor authentication as a barrier against password theft and ransomware attacks.
Full Transcript
Source: https://www.youtube.com/watch?v=s1Y_U0YLNX8
Duration: 00:09:18
Welcome to Tech Talk. Today's topic is phishing and ransomware, and we want to answer the question: should you pay a ransom? You've talked in a prior video about how to defend yourself against it. But now we want to say, let's assume it's already happened. That's bad news. Where do we go with that?

Yeah, this is the problem, because every one of us could potentially be a target. So we need to understand what we're going to do if in fact it occurs.

The funny thing, and maybe not so funny, is that I have a friend who was hit by a ransomware attack. They demanded money, just like you always hear, and they had encrypted his database, or rather his laptop. In the end, he decided not to pay. And I want to really understand better, from a security perspective, what were his options? What were the things that he could or should have done to make that decision easier?

Yeah, absolutely. Well, first of all, I feel bad for your friend, but your friend is not alone. A lot of people get hit by this. We've got cases where it's an individual, an individual person who gets hit. And then we've got cases where organizations get hit, and it could be everything in between. We've got attackers who are very unsophisticated, and they send out an attack to just snag anybody that they possibly can. And that's probably what happened to your friend.

So it's small fish they're going after, but there are a lot of them.

Exactly. They make it up in volume. Or you've got the others that may be trying for very specific, high-value targets. They may be very elite hackers that are doing this, and they're breaking into systems using zero-day attacks and things like that in order to get in and go after what they know are the keys to the kingdom.

Well, there have been some cases in the news that have really gotten a lot of play. I think you mentioned one of those before we started recording.

Yeah, exactly. There was one with the Colonial Pipeline organization, which shut down gas production and distribution (I guess probably just distribution) for much of the Southeast for a number of weeks. And that was as a result of an attack related to ransomware.

But what were they using? Were they attacking the control systems, or something else? What was their strategy for that?

Based upon the information we have from public sources, it was a case where they attacked the billing system. So actually, the oil could still technically be distributed, but if they couldn't charge for it, they had no records for it. And nobody wants to run a business like that. So they had to wait until they could get that system recovered before they could go ahead and start operating again.

So they paid.

[Jeff] They paid.

They paid, and in the end what happened?
Well, there are really three things that could happen if you pay. One, which sounds like the good case, is you get your data back. That's what everybody's hoping for: I pay, I get my data, end of story. There's another case that can happen here where you get a decryption tool of some sort. That's what happened in the Colonial Pipeline case, again based upon the publicly available information. And the decryption tool turned out to be so slow and so ineffective that they had to rely on their own backups anyway. So they paid, but they really didn't get much for what they paid. And then the third option is you get absolutely nothing. The ransomware attacker takes your money and gives you nothing in return. So now not only have you lost your precious memories, your photos, or your corporate data, you've also lost your money in the process.

And you would think that looks like one possible good outcome, because I got what I was after. But I'll tell you, what this also does is signal to the bad guys, "This is a potential soft target." Because your system was vulnerable this time, maybe you haven't fixed it for the next time, and we already know you're willing to pay. So if I get you in the crosshairs again, maybe you'll pay again. So you've now signaled to the world that you're a sucker.

In the case of my buddy, he decided not to pay. And that's because he followed some of your advice, maybe the advice on how to create really good backups. So he did have some data loss, but not complete loss. What do you think about his approach, and what would you advise our viewers to do to avoid becoming his sort of victim?

The best thing you can do is make sure you've got good backups, and you have to start that now. You can't do that after you've been attacked; it's too late to do a backup then. So that would be the first thing you could do. The next thing you could do is try to make sure that the information you have is well protected with multi-factor authentication and things like that, which we talked about in a previous talk. Those are the kinds of things that will help protect you in advance. But once you've already been attacked, if they evaded those defenses or you didn't have those defenses in place, then you're back to the question of "pay or no pay."

There's also a legal and moral question to be considered, too, right?

There definitely is. In fact, think about it this way: if I pay this guy, I've basically rewarded him for bad behavior, and there's no incentive for him to stop doing it. He's going to keep doing it and keep doing it and keep doing it as long as he gets paid. Now, I understand that as an individual you're not necessarily concerned about what happens to everybody else; you just want your data back. If you're an organization, you need your company running again. But there is that consequence. And then there's also the legal part. I'm not a lawyer, so you should consult your own lawyer on this, but there's some discussion about whether it's even legal to pay a ransom. And why might it be illegal? Well, because the money you're giving could be going, well, is going to criminals for sure, and it could be funding a criminal enterprise. It could be funding terrorists, for that matter. So we don't know this kind of thing when you pay, but you could be giving money to people that are literally enemies of the state, and therefore you would be complicit.
Wow. One thing I wanted to bring up before we wrap is that in the case of my buddy, he was looking at an encrypted hard drive. But there are other cases where ransomware comes into play. For example, someone hijacks your email and is demanding payment in order for you to retrieve access. Or say, for example, they have an image repository and they've done that. What is your advice to avoid becoming susceptible to that kind of attack?

Again, it's going to be backups. Because in those cases, if I've got a repository and someone hijacks my credentials to that repository and says, "I'm not going to give you access to your own credentials because I've changed the password now," then the only thing you could really do to avoid having to pay, and ending up with all the problems that we talked about, is make sure you have a way to recover that. If you have stored those in another service, like maybe another cloud repository, and you've not used the same password for both of them, then there's a good chance that maybe you could recover from another source. But the thing you can't necessarily rely on is being able to go to the provider. If it was a free account, they're obviously not going to help you, because as the old saying goes, "If you're not paying for it, you're the product, not the customer." And if you didn't pay for that photo site that's storing all your photos, then you are not the customer. And products don't get to call up and complain. So that's really your information.

That's really true. And one thing to keep in mind is that a lot of even the free services have a download capability where you can download that data. You can also, for example, if you're using email, have it replicated to your laptop, which you can then back up. These are ways that you can recover it locally. I think that pretty much covers our strategy. Oh, one other thing: multi-factor authentication. You mentioned that; could you explain it really quickly? For those who haven't seen the video, you can watch it here.

Yeah. Multi-factor authentication says I'm going to use something more than just your password alone, because someone might steal your password or guess it, and then change it and not tell you. But if I've used a second factor, or even a third factor, such as something I have, like a phone that's been pre-registered, then I'm going to send a text message or a push notification to that phone. If you don't have that in your possession, you can't log in. Or a biometric, like your face or your finger, and the phone uses that to unlock the account. If you're using these other kinds of things, it's much harder for an attacker to duplicate those kinds of authentication capabilities. So you could guard against that in the first place. And then there are even yet other types of ransomware attacks where I'm not stealing your data or your access, but I'm threatening that I'm going to do a denial-of-service on your network. In those cases, we need yet different types of defenses to make sure that we can block all the extraneous traffic that's coming in, and do it as close to the source as possible. So there are a lot of different mitigations that happen here, but the number one thing is to make sure you're prepared.

That's some excellent advice, and I think that's a wrap for us. Thanks again. If you have topics you'd like to hear on Tech Talk, be sure to drop us a comment below. And before you leave, please do us a favor and remember to hit Like and Subscribe.