Here’s a direct question: Should you pay a ransom to get stolen data back? To pay or to not pay for stolen data is a conflict many organizations face. Within the Paubox blog, we have talked at length about ransomware but have yet to explore this question specifically. But this query is pertinent today, especially for healthcare covered entities (CEs) working with sensitive protected health information (PHI). The healthcare industry remains one of the most heavily targeted industries for cybercrime. And many hackers believe most CEs will pay to retrieve stolen PHI and/or to get back into their systems. Especially during a health crisis. RELATED: Coronavirus Cyberattacks: How to Protect Yourself Let’s explore the issue of paying for stolen data after a ransomware attack and how CEs should focus on prevention and protection first.
What is ransomware?
Ransomware is malware (or malicious software) used to deny a victim access to a system until a ransom is paid. Victims typically download malware through phishing emails that can include malicious attachments or fraudulent links. Once a victim opens or clicks on the malware, hackers have access to a system. For ransomware, a hacker typically encrypts data and then demands a ransom. Over the past year, however, there has been a growth in exfiltration (where a hacker steals data before encryption). RELATED: Maze Ransomware Group Publicly Releases Stolen Data A breach is frustrating but the costs (and problems) that develop from a ransomware attack can be detrimental. Such damages include unrecoverable data, upset patients, shut down services (including during emergencies), damaged reputation, fees related to closures or cybersecurity changes, possible investigation by the U.S. Department of Health & Human Services (HHS) Office for Civil Rights, possible HIPAA violations, and of course, the ransom payment. RELATED: HIPAA Stands For . . . And exfiltration adds even more complications with the possibility of publicly exposed PHI. Accordingly, ransomware is the biggest threat to email security today. RELATED: INTERPOL Warns of Increased Ransomware Attacks on Hospitals The costs of both refusing to pay and paying a ransom can be high depending on the type of ransomware, the threat actor, and the CE itself.To pay or to not pay after a ransomware attack
There may be benefits to paying a ransom, but unfortunately, the benefits are not always guaranteed.
| Possible Benefits | Possible Problems |
| Decryption key provided | Time-consuming negotiations |
| Data deleted by hackers | Released data (before or after ransom paid) |
| Shorter data recovery time | Fake decryption key provided |
| Traded, sold, or held data | |
| Demand for more money | |
| Word spread about willingness to pay |
In 2019, Hackensack Meridian Health paid a ransom for access to its stolen PHI. Shortly thereafter, a spokesperson stated, “We believe it’s our obligation to protect our communities’ access to health care.” And this year, Champaign-Urbana Public Health District was forced to pay $350,000 for access into its system. The district met the demands because it wanted a shorter recovery time. Furthermore, its cyber insurance could cover most of the ransom. RELATED: The Influence of Ransomware on Insurance In both cases, no issues seemed to arise after payment, but this isn’t always the case. For example, Kansas Heart Hospital was hit in 2016, paid a ransom, and then was ordered to pay more. And recent research suggests victims often see exfiltrated data published if kept or sold by the cyberattackers:
- Sodinokibi: re-extorted weeks later
- Maze/Sekhmet/Egregor: posted accidentally or willfully before a theft was known
- Netwalker: posted after organizations paid
- Mespinoza: posted after organizations paid
- Conti: used fake files to show proof of deletion
RELATED: Hackers Release Healthcare Data in Double Extortion Attacks In other words, paying a ransom does not always guarantee security.
So should I pay to get stolen data back?
A recent joint alert—between HHS, the Federal Bureau of Investigation, and the Cybersecurity and Infrastructure Security Agency—does not recommend paying ransoms:Payment does not guarantee files will be recovered. It may also embolden adversaries to target additional organizations, encourage other criminal actors to engage in the distribution of ransomware, and/or fund illicit activities.
But such statements, while emphatic, are not always helpful on their own. Each CE should also contemplate five questions when considering to pay or to not pay:
- Can you legally pay?
- Does paying solve the immediate problem?
- Does paying solve the longer-term problem (for you)?
- Does paying solve the longer-term problem (for everyone)?
- Is paying "cheaper" than the alternative?