When it’s personal: Dueling attitudes emerge toward paying ransomware demands

    Image: Kaspersky Lab in 2014. (Alexxsun, CC BY-SA 4.0 https://creativecommons.org/licenses/by-sa/4.0, via Wikimedia Commons)

    Roughly three in four individuals assert that companies should not submit to the demands of ransomware gangs in the event they are infected, says one survey report. Yet roughly three in four parents say that school districts should pay up if they are impacted by an attack. So which is it?

    It could very well be both, as respondents’ sentiments likely vary depending on what they personally have at stake, how important they view the security of their data, how hypothetical the attack scenario is, and what kind of organization is affected.

    This week, researchers at Kaspersky revealed that 72% of more than 1,000 parents of school-aged children in the U.S. said in response to a survey that they would support their district’s decision to pay up if a ransomware attack were to impact their schools.

    Of that group, some were willing to let their districts part with a sizable amount of money, even though local taxpayers would be taking a hit as well (at the very least indirectly, via cyber insurance costs). Indeed, 29% said they were okay with payments of more than $100,000, 5% said they’d accept payments exceeding a million, and 11% said they’d acquiesce to whatever amount was requested. The remaining 28% said schools should never pay.

    “Given the sensitivity around protecting young students, parents and authorities are unfortunately likely to cave in to financial demands in the event of a wide, distributed breach of data,” said Ali Hirji, research and project lead at the AI Hub & Centre for Cybersecurity Innovation at Durham College, which partnered with Kaspersky on the research. “With our virtual delivery format and heightened anxieties, teachers and admins are expected to deliver instant responses and this ultimately presents a major vulnerability.”

    But respondents to a different survey from Menlo Security felt very differently: 79% of 8,571 respondents said they think organizations hit by ransomware should not pay.

    So why the disparity?

    “Ransomware attacks create a disconnect between private interests and the long-term public interest,” said Michael Daniel, president and CEO of the Cyber Threat Alliance (CTA) and co-chair of the Ransomware Task Force (RTF). “No one wants to pay ransoms, but in many cases, paying a ransom can make rational, economic sense from an individual or private company’s point of view. If the company’s existence is at stake or the disruption is very direct and personal, just paying the ransom might be the rational short-term choice to address the immediate threat.”

    “However, from the long-term public interest standpoint, paying ransoms creates enormous problems,” Daniel continued. “It fuels the criminal economy, encouraging more attacks and funding other malicious activities, even outside of cyberspace. These attacks impose a drain on the economy, endanger public health and safety, and threaten national security. Looked at from a national-security point of view, therefore, refusing to pay ransoms makes sense. Most people can understand both points of view and can hold both viewpoints simultaneously. That’s one reason why different surveys might pick up different sentiments.”

    Indeed, an individual might believe that organizations should stick to their principles and not pay… until their own data, their family’s data, or their convenience is at stake. Case in point: According to Kaspersky, 43% of polled parents said their greatest concern is the compromise of their kids’ sensitive data, while only 11% worried most about a ransomware attack’s cost to taxpayers, or the increased tuition that would ensue.

    “People may think about schools a little differently than they think about businesses, especially if their own child’s data is potentially involved,” said Kaspersky researcher Kurt Baumgartner. “Our survey shows that a majority of parents have experienced cyberattacks on their kids’ schools, so they may feel this threat more acutely, and may favor making the payment out of an urgency they feel to protect their kids.”

    Mark Guntrip, Menlo Security’s senior director of cybersecurity strategy, concurred: “I would think that the emotional link between a parent/child in terms of what their school should do to protect or retrieve potentially sensitive information is a different decision than businesses at large,” he said. “A parent would want to make sure that their child’s data is secure, and whatever is required to make that happen should be done. I would agree that if you remove the emotional piece, and propose a scenario in which a company to which they have no connection [is impacted,] that the outcome would be different and a more logical thought process [would take hold].”

    “With that said, schools should not be paying ransoms,” Baumgartner noted. “We recommend they invest in security and backups to better defend against the threat.”

    Doug Levin, national director of school district threat-sharing organization K12-SIX, cautioned not to read the Kaspersky survey results entirely at face value and infer that school parents are largely in favor of paying cybercriminals – an attitude that would only further embolden malicious actors, he said.

    “Rather, I suspect parents are expressing their views about the value of school for their children and the potential challenges involved – both for them and their children – when school is disrupted unexpectedly,” he said. “I also read the results as demonstrating public support for increased spending to shore up K-12 cybersecurity practices. After all, an ounce of cybersecurity prevention is worth a pound of cure, especially when the ‘cure’ being held up is as odious as paying extortion.”

    But to what extent does consumer sentiment or local residents’ sentiments actually influence whether an organization ultimately chooses to pay or not? After all, many victimized or inconvenienced individuals won’t think twice about launching into a social media tirade, which can only exacerbate the negative PR an attack can generate. In such cases, can the voice of the people prove to be more coercive than ransomware experts and law enforcement authorities who roundly advise victims to avoid payments?

    “I don’t believe that consumer sentiment would drive an organization to pay or not pay a ransom, as there is never going to be a decision that makes everyone happy,” said Guntrip. “The business needs to make their own decision based on their own criteria and how they can best resolve the issue.”

    “Obviously, the goodwill – or not – of customers is very important, regardless of the scenario,” Guntrip continued. “However… the most important thing in reality is learning from the event and making sure it doesn’t happen again. A customer who has lost service or data in the attack should really assume that data has been stolen and potentially sold already… An organization who is impacted should look to show their customers how they have made improvements to prevent this from happening again. Then consumer opinion can start to be built again as they feel more secure that their service or data is not at risk.”

    Baumgartner doesn’t think school districts are easily influenced by public sentiment either – or by law enforcement for that matter. “District executives are concerned about getting teachers and staff paid, keeping classes on track and operating continuously,” he said. “Those are their priorities – not necessarily taking a principled stand on ransoms. But if they can avoid paying, they will try restoring backups and dealing with small delays. It’s a balancing act.”