Ransomware Dilemma: When Companies Choose Payment Over Resistance
#Cybersecurity

Security Reporter
4 min read

As ransomware attacks escalate, organizations face the controversial decision of whether to pay hackers to prevent data leaks. Security experts express concern about the normalization of ransom payments as companies like Grafana and Instructure adopt different approaches to recent extortion attempts.

The cybersecurity landscape continues to evolve with ransomware operators increasingly adopting a 'pay or leak' strategy, forcing organizations into difficult decisions that could set dangerous precedents. Troy Hunt, renowned security expert and founder of Have I Been Pwned, recently highlighted this concerning trend in his Weekly Update 504, noting how companies are navigating these extortion attempts with varying approaches.

The debate gained traction following incidents involving Grafana and Instructure, two prominent organizations that chose different paths in response to ransomware attacks. Grafana publicly declared they would not pay the extortionists, while Instructure reached what they termed an 'agreement' with the unauthorized actor involved—language that security experts criticize as deliberately obscuring the reality of ransom payment.

"I'm concerned about the normalisation of ransom payments, and using language that deflects from the criminal nature of it is a big part of that," Hunt stated in his update. "Instructure's exact words were that they 'reached an agreement with the unauthorised actor involved,' which really waters down the severity of the whole thing."

The Language of Ransom Payments

The terminology used by organizations becomes particularly significant in this context. When companies describe ransom payments as 'agreements' or 'settlements,' they inadvertently legitimize criminal behavior and may encourage further attacks. Security professionals argue that clear, direct language acknowledging the criminal nature of these transactions is essential for maintaining appropriate perspective.

The phrase "the data was returned to us" has also drawn criticism, as it creates a false equivalence suggesting some form of legitimate transaction occurred. In reality, organizations are retrieving their own data that was stolen through illegal means.

Expert Perspectives on Ransom Decisions

Cybersecurity experts universally advise against paying ransoms, citing several compelling reasons:

  1. Encouraging Further Attacks: Payment creates a financial incentive for attackers to target more organizations
  2. Funding Criminal Operations: Ransom payments directly fund cybercriminal enterprises and their activities
  3. No Guarantee of Data Recovery: There's no assurance that attackers will actually delete or return the data
  4. Potential Legal Repercussions: Organizations may face legal consequences for making payments to sanctioned entities

"Paying ransoms is a short-term solution that creates long-term problems," explains Dr. Jessica Barker, cybersecurity psychologist and co-CEO of CybSafe. "It's like feeding a wild animal—yes, it solves the immediate problem, but you're conditioning it to return and expect more food."

Grafana's Stance: A Model for Resistance?

Grafana's decision to resist payment represents one approach to these extortion attempts. By refusing to pay, they avoid directly funding criminal operations and send a message that such tactics won't be rewarded. However, this approach comes with its own risks, including the potential public exposure of stolen data.

"Grafana's approach demonstrates that organizations can resist extortion without capitulating to criminals," notes Hunt. "While the risk of data exposure remains, the alternative of funding further attacks creates a more dangerous ecosystem for everyone."

Practical Advice for Organizations

For organizations facing ransomware decisions, security experts recommend the following approach:

  1. Preparation is Key: Implement robust backup and recovery systems before an attack occurs
  2. Engage Law Enforcement: Contact cybersecurity agencies immediately upon detection
  3. Assess the Situation: Determine what data was stolen and the potential impact
  4. Consult Security Experts: Seek guidance from cybersecurity professionals before making decisions
  5. Consider All Options: Evaluate restoration from backups, negotiation tactics, and potential legal avenues

"Organizations need to understand that they're not just making a decision about their own data," warns cybersecurity consultant John Kindervag. "They're making a decision about the broader ecosystem. Each payment increases the incentive for more attacks against everyone."

The Path Forward

As ransomware continues to evolve, organizations must develop comprehensive strategies that address both prevention and response. This includes investing in security measures, employee training, and incident response planning.

The cybersecurity community also calls for greater collaboration between organizations, law enforcement, and security vendors to collectively combat ransomware operators. Information sharing about attack patterns and tactics can help organizations better prepare and respond to these threats.

Ultimately, the decision of whether to pay a ransom extends beyond immediate organizational concerns to impact the broader cybersecurity landscape. As Hunt notes, "it looks like, for the time being, 'pay or leak' is the new norm," but this normalization represents a dangerous trajectory that requires collective resistance.

For organizations seeking guidance on ransomware prevention and response, resources are available from CISA and NIST. Additionally, No More Ransom provides tools and information for victims of ransomware attacks.
