Ransomware: To pay or not to pay

Published Fri, Feb 11, 2022 · 09:02 AM

Nothing perhaps could cause a board greater distress than the news that its company has just been hacked and its systems locked up until a ransom is paid. While most major cyber security incidents have to be reported, ransomware puts the board on the spot - as the decision to pay or not ultimately lies with it.

It can be an existential question and a moral dilemma, as giving in to hackers' demands could encourage more cyber attacks.

Understanding ransomware

Ransomware is the encryption of a victim's files and disabling of access to its system, such that the company is unable to regain access or control until a ransom is paid and a key is (supposedly) provided. Over the years, it has evolved into exposing private confidential information on the web, creating other problematic legal issues involving data privacy.

Several international organisations and research reports cite ransomware as the number one cyber crime globally. Over half of such attacks target banking, utilities and retail services, according to Trellix.

The popularity of social media has made such attacks much easier. Using email as a primary tool of intrusion into a secure computer system, the cyber criminal can entice gullible users to click links, open files and grant access to malware that goes behind the wall of security to do its damage. The culprit is not so much an unsecured system but the authorised users fooled into opening the network doors to outsiders.

Why companies pay

Survey reports indicate that over 80 per cent of companies pay up. The company almost always assesses that it has no choice. As the business rolls steadily towards the cliff edge, the board gravitates to the conclusion that it would be better to pay the ransom or be damned for resisting.

Cyber criminals know that too. Ransomware is lucrative because many victims can afford it. The aim is to rob a company of a huge sum of money, but not to the point of bankruptcy. Acer was extorted for US$50 million (S$67 million), but refused to confirm reports of the ransomware attack. CWT Global paid US$4.5 million after 30,000 computers and two terabytes of data were compromised. Colonial Pipeline paid US$4.4 million for a decryption tool that restored oil operations.

According to Palo Alto Networks, the average ransomware payment was a record US$570,000 in the first half of 2021, a rise of 82 per cent over 2020.

Singapore is not spared this scourge. According to the Cyber Security Agency of Singapore, 68 cases of ransomware attacks were reported in the first six months of 2021, more than double the 31 cases reported in the first half of 2020.

Despite the high incidence of companies giving in to ransomware demands, reports indicate that only 65 per cent of companies get their data back. Paying up does not guarantee that companies will get their data back intact, as the decryption tool may corrupt data and cause data loss, as happened in the case of the ProLock virus - in which victims lost both money and data.

The law

US laws make it illegal to pay ransom. Therefore, organisations could incur penalties for paying ransomware actors operating out of countries subject to US sanctions. An advisory from the US Treasury Department's Office of Foreign Assets Control states that paying ransom is funding cyber terrorism and enables criminals to continue their work.

While there are no specific prohibitions against the payment of ransom in Singapore, obligations and/or offences under laws and regulations relating to sanctions and terrorism financing (such as the Terrorism (Suppression of Financing) Act, and the United Nations Act) and money laundering (such as the Corruption, Drug Trafficking and Other Serious Crimes (Confiscation of Benefits) Act) are relevant considerations.

However, if personal data is compromised or stolen, regardless of whether a ransom is demanded or whether data is lost, the Personal Data Protection Commission may, and indeed has in many cases, fined companies that have been found to have failed in properly securing their systems.

What boards can do

The obvious answer is implementing and enforcing robust cyber security measures, including user education. The recent attack on OCBC Bank customers in Singapore underscores the ingenuity of cyber criminals in forcing everyone to rethink what was once considered solid security. Even two-factor authentication is not as bullet-proof as once thought.

Current literature suggests that one of the best defences against ransomware is a robust backup strategy. But it is not easy to create a complete mirror system that is untouchable by malware. Restoring a backup from the ground up, untouched by ransomware, to its pre-attack state can be extremely difficult.

Off-loading corrupted systems, restoring backup software and data, getting computers reimaged, installing new software, and reconfiguring and patching systems all require expertise, investments and time. Security companies report that the average time to recover systems from ransomware varies from five to 21 days, depending upon the company.

The decision and aftermath

Faced with a ransomware attack, it will take a very brave board to invoke ethical, moral and even legal reasons to refuse payment. The authorities are aware of this. As far as we know, no ransomware victim has been prosecuted yet for paying off a ransom. All said and done, the board will undoubtedly, with hindsight, reassess its priorities and budgets for cyber security improvements and resilience. The challenge is striking a good balance between security, contingency planning and cost. Being attacked is unavoidable. To recover and live another day is not.

The writer is a former council member and a member of the Boardroom Matters committee of the Singapore Institute of Directors.

Copyright SPH Media. All rights reserved.