Writings from the intersection of law enforcement and the Internet

Ransom and Rats

There is no doubt that small and medium business owners are caught between the proverbial rock and a hard place when confronting a ransomware attack on their network. Unlike large businesses and expansive corporations, they are unlikely to have a dedicated security team. In fact, they are lucky to have a person there just to keep the Internet connection and the printers online. A dedicated IT security person is an abstract luxury. And back-ups? John the Office Manager copied an Excel spreadsheet of the client listing to a USB thumb drive a few months ago. It is on his desk. Or maybe in his winter coat pocket.

It is completely understandable why any business leader chooses to pay the ransom. In most cases, they are out of options and desperate. Obviously, they wouldn’t pay thousands or hundreds of thousands of dollars if they had some alternative. But they don’t, so there they are.

In some cases, an insurance company is in the driver’s seat and has analyzed the options down to an actuarial decimal point. The decision is a cost-benefit calculation based on dollars and cents, not on right or wrong, or on what is best for the business or society.

Why is paying the ransom so bad? Why are law enforcement and security professionals so adamant that ransom demands never be satisfied, if paying is a quick and easy fix that is in the best financial interest of the business?

On the face of it, paying the ransom rewards the bad guys for engaging in deviant anti-social behavior.

On a deeper level, paying the ransom perpetuates the problem. Ransomware operators are no different than Skinner’s rats. In the late 1930s, psychologist B.F. Skinner proposed his theory of Operant Conditioning: a method of learning that occurs through rewards and/or punishment for behavior. The process results in an individual (or animal) making an association between a particular behavior and a consequence. Skinner famously demonstrated this through an experiment using rats and a specially designed box that later became known as the Skinner Box. The box had a lever that could be pushed by a rat. When the lever was pushed, the rat was rewarded with a piece of food. The rats quickly learned to associate pushing the lever with food. The more they pushed the lever, the more they were fed.

The more ransoms that are paid, the more victims ransomware operators are going to infect. When a business pays the ransom, it has rewarded the rat and conditioned it to push the lever again. And again, and again, and again.

In October of 2020, the United States Department of the Treasury’s Office of Foreign Assets Control (OFAC) issued a warning that businesses that make payments to ransomware operators risk sanctions for violating established OFAC standards. Many of the ransomware operators are located in countries that are on the “Malicious Cyber-Enabled Activities” sanctions list. These countries include Ukraine, Russia, North Korea, Iran, and Syria. The agency specifically called out cyber-security and insurance companies by noting that “facilitating payments on behalf of a victim” may also result in sanctions.

Your network becoming infected with ransomware is bad. Paying the ransom is worse. A ransom payment rewards the bad guy, perpetuates the negative behavior, and can subject you to sanctions by the federal government.

Make back-ups, train your employees, properly secure the network, and keep the rats in the gutter where they belong.

#ransomware #cybersecurity #infosec