After back-to-back ransomware attacks, two Florida cities are challenging the taboo of paying a ransom.
Paying a ransom is never a victim's first choice, but Forrester argues the option should always be considered. Sometimes, it's OK.
No one wants to surrender to the enemy, but the alternative is losing business, money and time.
"It's really a straightforward math problem," said Josh Zelonis, senior analyst at Forrester, in an interview with CIO Dive.
The average ransomware incident lasts 7.3 days, according to Forrester, which includes recovery efforts.
Companies can underestimate their ability to restore their systems after an attack, said Zelonis. In some situations, depending on the strain of ransomware, an entity would need twice as much disk space to run a backup in parallel. If that extra disk space is unavailable, restoration becomes that much harder.
It's also common for organizations to test their backups without doing it to scale, which could result in an unreliable timeframe for how long the backup would take.
Eventually, Zelonis argues, bad actors will be able to overtake backup measures too.
"From an economic standpoint, it does actually make sense most of the time to pay the ransom as opposed to try to go through it and rebuild," Casey Ellis, founder and CTO of Bugcrowd, told CIO Dive.
But math becomes more challenging when ethics are added to the equation.
To pay or not to pay
Ransomware attacks increased by 500% year-over-year from last summer, which can lead organizations to pay the ransom, according to Forrester.
In March 2018, Atlanta refused to pay a $51,000 ransom, which resulted in an encrypted mess and city employees working off a "single clunky personal laptop."
The attack required Atlanta to restructure its 2019 budget. More than one-third, or 424, of the city's software programs were fully or partially taken offline. Every day the city found more mission critical applications impacted by the cyberattack because they bled into other systems.
The first month of recovery cost Atlanta $3 million. A few months later in June, the city's then-interim CIO Daphne Rackley asked for another $9.5 million.
Ransomware hit another big city this year. In May, Baltimore refused to pay a $76,000 ransom and residents still can't pay their water bills, said Zelonis.
The value of a ransom is calculated with intention by hackers, making it "high enough to make it interesting for them," but low enough the victim can pay, said Ellis.
Last month Riviera Beach, FL and then Lake City, FL and each agreed to pay $600,000 and $462,000 in ransom, respectively.
Lake City's hack went on for about two weeks, leaving the city's phone and email systems inoperable, before it decided to pay. The Riviera Beach City Council unanimously voted to pay the ransom after the three-week-long attack encrypted its city records, disabled its email system and disrupted digital payroll and 911 systems.
The Florida cities also have no guarantee the hackers will release their records despite paying the ransom.
Last week a third Florida city, Key Biscayne, was hit by a ransomware attack. It is not yet known whether the community of 12,000 residents will pay the ransom.
What's wrong with paying?
Critics say that paying a ransom funds an enemy's business and could also set a precedent for others. But if there's a concern for creating a market for paying bad actors, it can be argued the market already exists.
There's a tendency for people to "jump to the moral high ground pretty quickly," said Ellis. Entities either choose the economic or ethical route and "it's either one or the other."
Appeasing both sides becomes a near-impossible task, especially when the "never negotiate with terrorists" is a defensive U.S. default. But no one has been prosecuted for paying a ransom, said Zelonis.
It's always a gamble to trust the enemy but after a "compelling event" like a ransomware attack, "you tend to learn fairly quickly," said Ellis. Riviera Beach's city council voted to spend almost $1 million for computer system upgrades following the attack.