By Gregory Hale
An attacker comes in, takes over your system, and holds it for ransom for $10 million. By sneaking in and taking over the system, they have already committed a crime, and by announcing they will gladly give you back your system once you fork over the $10 million, they have committed another.

So, then, when they say “when you pay us, we will give you the decryptor key to unlock your system,” at what point should you start to believe and trust these criminals?

Security professionals, law enforcement and government officials always say: don’t pay the attackers, because it only emboldens them to keep on attacking.

However, if you are a business that needs to stay up and running, and your security was not that great to begin with, then negotiating the ransom down from $10 million to $7 million may look like the most prudent way to go.

That is where trusting the bad guys becomes part of the deal.

A Question of Economics
“There is honor among thieves,” said Eric Byres, chief technology officer at aDolus, a software bill of materials (SBOM) provider. “Just because people are doing bad things, it doesn’t necessarily mean that it is economically smart for them to be untrustworthy. It is really an economics question.

“Take any of the large ransomware operators, it is in their interest to communicate they are good ransomware operators, but they are also super trustworthy. That will encourage their victims to pay up. You look at all the large ransomware operators, they really work hard to project that image. Ransomware operators try not to be difficult to work with,” Byres said.

Economics and word of mouth play a big part.

“If word gets out if you pay the ransom and you don’t give them the key, victims won’t pay,” said Mark Carrigan, senior vice president at Hexagon PPM. “Attackers have motivation to get you back online.”

“The criminal groups behind ransomware do act like normal businesses in some respects, some of the time,” said Andrew Ginter, vice president of industrial security at Waterfall Security Solutions. “In particular, branding and reputation are important to many of these groups. Many (but not all) ransomware groups invest in high-quality ‘customer service’ personnel and processes. They negotiate ransoms in good faith. They provide decryption keys reliably when paid. A reputation for this kind of behavior increases the likelihood that victims will trust the criminals enough to pay them. Also, the most sophisticated ransomware groups have technology to decrypt affected systems selectively. A victim will be encouraged to purchase keys for a ‘test set’ of 5 or 10 systems to demonstrate that the ransomware group has the ability to carry out the decryption. Or the criminals may even decrypt an example system or two for free to demonstrate their capabilities.

These are Criminals
“All that said, these are criminals and there is no legal recourse if they lie to you. And the ‘behave like a business’ concept applies to only some of these criminal groups, not all of them,” Ginter said.

“There are no government regulations on truth in advertising in ransomware,” Byres said. “Look at their economic model. For the large operators that want to run it like a business, it just makes economic sense for them to develop a reputation for being honest and fair. They try to pick the ransom to pay so it is an easy executive decision. The ‘good ones’ are very aware of price sensitivity. They are running a business that is illegal, but they are running a business. Any of the ransomware-as-a-service operators are trying to make a sustainable model for their victims.”

“The majority of ransomware attacks are being conducted by large-sized threat actors well-known within the world of law enforcement and cybersecurity researchers,” said Dewan Chowdhury, chief executive and founder of security provider malcrawler. “The ransomware actors need to maintain their ‘reputation’ of fulfilling their commitment to their ‘customers’ (aka victims) by providing the decryption key. Like an online seller, these criminals need to maintain a ‘good’ reputation so victims know they can be trusted to provide a decryption key after the ransom is paid.”

With all that said, it would be easy to say manufacturers are sitting ducks when it comes to a ransomware attack. But that is not necessarily the case, according to Joel Langill, founder and managing member of the Industrial Control System Cyber Security Institute LLC.

“We need to address the root cause. You have no recourse and no assurance that you will get your data decrypted,” Langill said. “The solution is so easy. Virtualization is as cheap and as affordable as it has ever been. I don’t know why everyone is not virtualizing. The ability to create daily, even hourly snapshots is insignificant.”

Network Segmentation
Also, Langill said, “If ransomware is spreading with that kind of widespread impact, there are some significant problems with network segmentation. There should be a true least-privilege network design. If there are two computers that have no business talking to each other that end up talking to each other, there need to be controls in place that prevent them from doing that. I have never, ever seen that done. It is not hard. There has been resistance to doing things differently than what we have been doing for decades. The switch is supported, the host and server are supported, but no one wants to implement it.”

“One way an organization can fight back is to invest in their cybersecurity infrastructure, especially in cybersecurity awareness training to prevent employees from opening malicious email attachments,” Chowdhury said.

The old way of thinking focuses on protecting against the attack rather than building in resiliency.

“People are still failing to think past attack initiation,” Langill said. “Everyone tries to protect the machine from compromise. If you are able to breach that, very few people have anything in place for containment. It is all about impact. I am a firm believer that if somebody attacks you, as long as you can manage consequences and control impact, you have the situation under control.”

Understanding the consequences and being able to prepare for them is vital.

“We are all focused on ransomware right now; we are trying to get out to the marketplace. It is ransomware now and tomorrow it will be something else, but the bad guys are smart; they will find something else that will cause a problem,” Carrigan said. “When you are defining your cybersecurity strategy, sit down and take a deep breath and accept the following: you are going to get hit. I don’t care what you do around prevention, training people, firewalls, and intrusion detection, accept you are going to get hit. The best thing you can do is not just eliminate probability; you have to look at consequence. How do you minimize impact? I have been hit, I have the right procedures in place, and we are prepared and will get back up and running. We have to focus on the consequence side of the equation.”

In the end, it is all about creating a resilient environment that can handle many different kinds of attack.

Control of Your Network
“You have got to get control of your network,” Langill said. “Everything depends on your ability to handle traffic on your network. The new wave of zero trust will go a long way; however, it all depends on the boundaries we establish for zero trust zones. In order for this to work, trust has to be controlled.”
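Langill’s two points above, a least-privilege network design in which two computers with no business talking to each other cannot, and zero trust zones whose boundaries are explicitly controlled, both come down to the same artifact: a written allowlist of permitted cross-zone flows, with everything else denied. The following script is an added illustration of that idea and is not code from the article or from any of the vendors quoted in it. The zone map, the allowlist, the flow-log format and every address in it are constructed for the example. It loads the policy, reads a few constructed flow records, and reports every flow the policy does not permit, which is exactly the traffic a segmentation audit or a detection rule should flag before ransomware uses it to spread.

```python
import ipaddress
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple

# Constructed zone map for the example (CIDR -> zone name); not from the article.
ZONES = {
    "10.10.0.0/24": "corporate-it",
    "10.20.0.0/24": "dmz",
    "10.30.0.0/24": "scada-servers",
    "10.40.0.0/24": "plc-network",
}

# Constructed allowlist of cross-zone flows: (src_zone, dst_zone, proto, dport).
# Least privilege means anything not listed here is denied.
ALLOWED = {
    ("corporate-it", "dmz", "tcp", 443),           # users reach the historian web UI in the DMZ
    ("dmz", "scada-servers", "tcp", 443),          # DMZ proxy forwards to the SCADA servers
    ("scada-servers", "plc-network", "tcp", 502),  # SCADA polls PLCs over Modbus/TCP
}


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str
    dport: int


def zone_of(ip: str) -> str:
    """Map an address to its zone; anything outside the defined zones is 'unknown'."""
    addr = ipaddress.ip_address(ip)
    for cidr, name in ZONES.items():
        if addr in ipaddress.ip_network(cidr):
            return name
    return "unknown"


def parse_flow(line: str) -> Flow:
    """Parse one constructed flow-log line of the form 'src=A dst=B proto=P dport=N'."""
    fields = dict(kv.split("=", 1) for kv in line.split())
    return Flow(fields["src"], fields["dst"], fields["proto"].lower(), int(fields["dport"]))


def check_flow(flow: Flow) -> Optional[str]:
    """Return None if the policy permits the flow, otherwise a short reason it does not."""
    src_zone, dst_zone = zone_of(flow.src), zone_of(flow.dst)
    if "unknown" in (src_zone, dst_zone):
        return f"endpoint outside any defined zone ({src_zone} -> {dst_zone})"
    if src_zone == dst_zone:
        return None  # zone-level policy: traffic inside one zone is left to host controls
    if (src_zone, dst_zone, flow.proto, flow.dport) in ALLOWED:
        return None
    return f"cross-zone flow not in allowlist ({src_zone} -> {dst_zone} {flow.proto}/{flow.dport})"


def audit(lines: Iterable[str]) -> List[Tuple[Flow, str]]:
    """Return every flow the policy does not permit, paired with the reason."""
    violations = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        flow = parse_flow(line)
        reason = check_flow(flow)
        if reason:
            violations.append((flow, reason))
    return violations


# Constructed sample flow log: one allowed flow, one workstation reaching a PLC on
# SMB, one reverse-direction Modbus flow, one intra-zone flow, one unzoned source.
SAMPLE_LOG = """
src=10.10.0.5 dst=10.20.0.10 proto=tcp dport=443
src=10.10.0.5 dst=10.40.0.7 proto=tcp dport=445
src=10.30.0.3 dst=10.40.0.7 proto=tcp dport=502
src=10.40.0.7 dst=10.30.0.3 proto=tcp dport=502
src=10.30.0.3 dst=10.30.0.4 proto=tcp dport=3389
src=192.168.99.9 dst=10.40.0.7 proto=udp dport=161
"""

if __name__ == "__main__":
    for flow, reason in audit(SAMPLE_LOG.splitlines()):
        print(f"DENY {flow.src} -> {flow.dst} {flow.proto}/{flow.dport}: {reason}")
```

Run on the sample log, the script reports three flows the policy does not allow: the corporate workstation talking to a PLC on tcp/445, the PLC initiating a connection back to the SCADA server, and the address that belongs to no defined zone. The same allowlist is what you would load into the firewall or switch ACLs that sit on each zone boundary; the audit only confirms that observed traffic matches the design, which is the “trust has to be controlled” condition Langill describes.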

“The idea of trusting and negotiating with the bad guys is totally ridiculous and stupid,” Carrigan said. “How you fight back is I look at two things. Business is not in the position or the ability to go on the offense. The business’s job is to protect and be as resilient as possible. Fighting back, that is the government’s job. Industry needs to be on defense, and government needs to go on offense. There is no repercussion for these guys.”