Ransomware Victims’ Rights

Recently, the town of West Hartford disclosed that they paid a $2,000 ransom to hackers who encrypted machines belonging to the town’s operational center. Even though the town heeded advice from both private security and government professionals, the disclosure launched a new round of debate around the contentious Never Pay ransomware issue.

At Coveware, our stance has been molded by listening to our clients think and act during a crippling ransomware attack. Organizations pay ransomware because the alternative is bankruptcy. It really is that simple. If backups are available, they are restored. If backups are not available or have become encrypted as well, the organizations must decide if the recovery of their data is critical to their business. We live in a ‘big data’ ‘information age’ so when an organization loses their data it is generally an existential risk. On occasion, there is a middle ground where the business value of the encrypted data is less than the cost of paying and the company recovers without their data.

Despite our opinion, we believe that the Never Pay debate is healthy as it encourages discussion and collaboration. However, the public stigma that Never Pay creates leads victims that need to pay to not report the incident. It is estimated that only 10% of cybercrime is ever reported. Moreover, ransomware victims often end up contacting data recovery firms that may take advantage of them. Many of these data recovery firms have business practices that are dishonest and predatory. Organizations who are victim to ransomware should not be taken advantage of by the companies they hire to help them recover.

Victims of ransomware should hold service providers to common standards

In accordance with our own corporate values of honesty, transparency & collaboration, we’d like to share our Ransomware Victim Rights. Victims of ransomware that engage a service provider for recovery assistance, should hold that service provider to the below minimum standards, regardless of size or circumstance. We offer our reasoning with each and encourage any reader of this post to respond with feedback. The more collaboration, the better.

1. Right to Decryption Truth: Any victim of ransomware deserves to know, free of charge, whether the type of ransomware they have observed, can be decrypted without paying the hacker.

Why this is important: The ability to decrypt ransomware is binary. Either the ransomware type has been decrypted by a member of the security community OR the only way to decrypt it is by purchasing a key from the hacker. There is no middle ground. There are simply too many cases of data recovery firms claiming to decrypt ransomware using ‘proprietary technology’, when they are quietly paying the hacker without the victim knowing. This is unethical and plain wrong.

2. Right to Negotiate: Any victim of ransomware that is forced to pay a ransom deserves the opportunity to negotiate a price they can afford.

Why this is important: Ransomware disproportionately affects small businesses. The capacity to pay a ransom, regardless of the lost data, can be an existential risk in itself. Victims deserve the opportunity to negotiate or have a service provider negotiate on their behalf. With average enterprise ransom amounts in excess of $5,000 per incident, there are many businesses that simply can’t afford to pay. Helping them negotiate a lower amount is mandatory in a lot of cases. Suggesting otherwise infers that certain victims deserve to fail simply because they can’t afford it. No business deserves to fail because of ransomware, and certainly not because they can’t afford the initial demand of a hacker.

3. Right to cost and process transparency: Any victim of ransomware has the right to understand how much a service provider will charge, how the process will work, and access documentation that supports and justifies both.

Why this is important: In conjunction with right #1, we see too many service providers deceiving victims - often charging 5x the actual ransom amount, when they are quietly paying the hacker behind the companies back. Charging a ransomware victim $25,000 to decrypt files on a $5,000 ransom is predatory. It depletes funds that the victim might otherwise use for better backup and security infrastructure. Depleting these funds keeps the company in an insecure state, much like predatory interest rates keep consumers in a state of debt. It also preys upon the emotion of avoiding the Never Pay stigma, and it needs to end. Even hackers warn victims about data recovery firms IN the actual ransom notice:

When the hacker is recommending ways for a victim to not get extorted, it is an obvious sign that industry practices need to change.

We encourage you to share or submit feedback on these rights. We value it, and the industry will benefit from collaboration.