Ransomware: To Pay Or Not To Pay


Ransomware is a growing threat for utilities, as most recently evidenced by the May attack on Colonial Pipeline, and cybersecurity has been cited as a top ESG concern, according to the RBC Global Asset Management Responsible Investment Survey.

Whether or not to pay large sums of money to attackers is hotly debated. In Colonial’s case, the company ultimately decided to pay about $5 million in ransom - out of concern that a prolonged pipeline outage would cause energy shortages - though federal investigators were later able to recover more than half of that amount. Colonial worked closely with government agencies, law enforcement officials, and several consultants, including Dragos, Mandiant Threat Intelligence and Black Hills Information Security, to determine its strategy for addressing the attack.

Irrespective of the payment decision - each situation is unique - there are clear lessons to be learned from ransomware attacks. Accordingly, the Edison Electric Institute (EEI), which represents U.S. investor-owned electric utilities, has worked with the Electricity Subsector Coordinating Council (ESCC) to develop guidance, including issues to consider before making a payment.

The ESCC-recommended preparedness measures are consistent with the NIST Cybersecurity Framework Core, which is organized into five concurrent and continuous functions: Identify, Protect, Detect, Respond, and Recover.

Additionally, the ESCC guidance suggests the following before making a ransom payment:

  1. Determine the technical feasibility, timeliness, and cost of restarting systems from backup versus payment of the ransom.
  2. Engage with law enforcement and/or other subject matter experts to determine if there are known decryption keys or procedures that would eliminate the need to pay ransom.
  3. Work with legal, public affairs, and other departments to assess the consequences of paying ransom.
  4. Consider that paying the ransom does not guarantee that the affected data will be decrypted and restored:

    1. Some victims have not been provided with decryption keys after paying the ransom.
    2. Some victims who paid the ransom have been targeted again by cyber actors.
    3. After paying the originally demanded ransom, some victims were asked to pay an additional amount to receive the decryption key.
    4. Irrespective of ransom payment, sensitive and/or proprietary data affected by the ransomware attack may be disclosed in various forms on the internet.
    5. Paying the ransom may encourage this criminal business model.

Environment + Energy Leader