
Op-Ed: To pay, or not to pay… That is the existential ransomware question

Following the ShinyHunters Instructure hack, the morals of paying a ransom to cyber criminals have been a hot-button issue, but what do you really need to know before considering making that payment?

Tue, 19 May 2026

A lot of organisations are pretty firm about whether or not they would consider paying a ransom to criminals who have locked them out of their data and are threatening to publish data online, but those convictions can change rapidly when a ransomware attack actually happens.

No doubt that is the dilemma that Instructure, the provider of the Canvas educational portal, must have faced when the ShinyHunters extortion group breached its systems and boasted of having access to the data of millions of students and thousands of schools around the world.

And, faced with operational disruptions and the very real risk of the personal data of millions of minors being shared online, Instructure made one of the hardest decisions a company can make.

 
 

While it is not confirmed, Instructure likely paid up. It weighed up the cost, the trustworthiness of the ShinyHunters hackers, and its duty to its stakeholders – not to mention the waves of press the incident was generating – and made its decision.

The entries listing schools and student numbers on ShinyHunters’ leak site went away, and – for now – the risk of a catastrophic, global data breach has been averted.

But has it really?

Pay or leak?

Allison Nixon is the co-founder and chief research officer at US-based threat intelligence firm Unit 221b, and somewhat of a ShinyHunters expert.

She’s been following the group since its days as Scattered Lapsus ShinyHunters, and outlined the group’s tactics in detail in a February blog post that saw her fielding death threats from the hackers and a highly organised harassment campaign.

And, according to a recent social media post, ShinyHunters is once again targeting her over her no-pay stance.

“Reacting to our advice about the downsides of paying the ransom, [ShinyHunters] are encouraging victims to pay. They contacted media outlets to issue 'corrections' that no one believes,” Nixon said.

“They want you to forget past behaviour that caused victims to stop taking them seriously. They are also flooding our email to make it more difficult for journalists to reach us.”

However, despite the ongoing harassment, Nixon still believes that ransomware actors and cyber extortionists simply cannot be trusted.

“The value proposition for paying rests entirely on how much confidence you have that promises will be kept,” Nixon said.

“Immediate lack of harm does not guarantee future lack of harm. ‘Pay or Leak’ groups often keep the data, and re-extortion can happen later, or after the arrest of a group member.”

Nixon’s correct, too. Some actors, posing as legitimate ransomware operators, have been known to simply republish old datasets in the hope of making a second payday out of the one data breach. Hackers know the data they have is valuable, and if a company has paid for it not to be published once, they may well be induced into paying a second ransom at some future date.

And the fact is, criminals are inherently untrustworthy.

“Promises should be understood in the context that most extorters are drug addicts and/or mentally unstable,” Nixon said.

“Ask yourself what matters more to them: their reputation, or more cocaine?”

The other thing that organisations need to consider is that groups like ShinyHunters are experts at forcing their victims to act emotionally, not rationally.

“Be wary of psychological tactics,” Nixon said.

“Spreading fear, rushing you, media pressure, dragging children into it, are all tactics of scammers that don't want you to act rationally.”

Ultimately, Nixon asserts, the decision of whether to pay a ransom or not should not be made in the middle of an incident, while negotiations may be ongoing or threat actors are engaging in pressure tactics.

Nixon clearly believes paying a ransom is not a solution, and at best a delaying tactic until the same actor – or a second one – makes another extortion attempt.

However, whether or not you agree with her, she is correct – this is a decision that all organisations need to consider well ahead of any actual incident. It should be an essential part of any incident response playbook, based on a detailed understanding of risk appetites, data held, and the consequences of business disruption.

And the time to make that decision is now.


David Hollingworth

David Hollingworth has been writing about technology for over 20 years, and has worked for a range of print and online titles in his career. He is enjoying getting to grips with cyber security, especially when it lets him talk about Lego.
