EPISODE 8
How to deal with Ransomware

About this episode

September 18, 2019

Kip Boyle, CEO of Cyber Risk Opportunities, and Jake Bernstein, JD and CyberSecurity Practice Lead at Newman DuWors LLP, discuss whether organizations should pay a ransom to regain control over their data and systems.

Episode Transcript

Kip Boyle: Welcome to the Cyber Risk Management podcast. Our mission is to help executives become better cyber risk managers. We are your hosts. I'm Kip Boyle, CEO of Cyber Risk Opportunities.

Jake Bernstein: I'm Jake Bernstein, Cyber Security Counsel at the law firm of Newman DuWors.

Kip Boyle: This is the show where we help you become a better cyber risk manager.

Jake Bernstein: The show is sponsored by Cyber Risk Opportunities and Newman DuWors LLP. If you have questions about your cyber security related legal responsibilities ...

Kip Boyle: If you wanna manage your cyber risks just as thoughtfully as you manage risks in other areas of your business, such as sales, accounts receivable, and order fulfillment, then you should become a member of our cyber risk managed program. Which you can do for a fraction of the cost of hiring a single cyber security expert. You can find out more by visiting us at CyberRiskOpportunities.com and newmanlaw.com.

Jake Bernstein: Kip, what are we going to talk about today?

Kip Boyle: All right, Jake, today we're going to talk about whether you should pay a ransomware attacker to get control of your data and systems back.

Jake Bernstein: Well, that raises the very first question, Kip, which is what is ransomware?

Kip Boyle: All right, ransomware is a type of malware. Malware, in case you didn't know, is a shortened version of malicious software. What ransomware does when it gets on your system is it prevents you or it limits you from either accessing your system or your data. It'll lock your screen or it'll actually scramble your files so that you can see that they're there, but they're absolutely unavailable to you. You can't get your data back unless you pay a ransom to the person who attacked you. The ransom is typically paid in Bitcoin, Ethereum, or some other cryptocurrency which allows for anonymous payments.

Jake Bernstein: Well, that doesn't sound very fair. Where did ransomware come from?

Kip Boyle: Ransomware seems like the latest thing. Actually, the first known case of ransomware goes back to 1989. It was called the AIDS Trojan. It's a really interesting story. You can go on the internet and read more about it. What happened was is you would get this on your computer system. Back then, this was something that attacked DOS operating systems. Any of you listening have never touched a DOS machine before, feel lucky. What happened was, this thing would get on your computer and then it would lock you out of your files and then it would display a message saying that, "In order to get your files back, you had to send 189 US dollars to a place called PC Cyborg Corporation." They gave you an address of a post office box in Panama, Central America. Can you believe that? 1989.

Jake Bernstein: Shocking.

Kip Boyle: Yes. You sound shocked.

Jake Bernstein: I'm very shocked.

Kip Boyle: That's where it came from. Of course, we're all hearing about it now because in 2013, what happened was is that the modern encryption algorithms and Bitcoin were combined and there was just an explosion of these kinds of attacks. Just to give you some quick examples, there's a ransomware called CryptoLocker. It's stolen about 27 million dollars altogether from people that it's infected. There's another one called CryptoWall. It's stolen about 18 million. By the way, the reason we know how much they've stolen is because we can look at the addresses of the Bitcoin wallets and we can see how many payments are going into them. Even though we don't know who owns those wallets.

Kip Boyle: Then in 2017, so just last year, there were a couple of really notorious ransomware strikes, one called WannaCry and one called NotPetya. Interestingly enough, NotPetya really didn't generate a lot of money for its authors, but it caused about a billion dollars worth of damage. These things are very opportunistic. They mostly prey on people who are on the internet with outdated web browsers and browser plug-ins like Java, Flash, and Adobe Reader. Now, Jake, as an attorney, you follow this stuff pretty closely, at least how ransomware affects companies. Can you tell us about a time when someone actually paid a ransomware?

Jake Bernstein: I sure can, Kip. One question before I answer that one is, why can't I just unencrypt my files? Why should I even have to worry about paying?

Kip Boyle: Well okay, so in order to unencrypt your files, you need what's called a private key. That's the secret sauce for how this thing works. Once your files are encrypted, your private key is in the hands of the person who attacked you. The idea is you've got to pay them in order to get that private key back. Well, the great news is that if you've got a really good data backup system and you get attacked, this becomes nothing more than a speed bump in your life. Because you can wipe your computer clean and you can then reinstall your operating system and your applications and then restore from backup. Obviously, it's not going to be any fun to do that but you won't have to pay the ransom.

Jake Bernstein: Well, and yet we see people paying the ransom. One example is on February 5, 2016, so just about two years ago now, the Hollywood Presbyterian Medical Center was attacked. They were effectively out of business for five days.

Kip Boyle: It was well covered in the press.

Jake Bernstein: It was. What we can presume is that they must not have had any effective data backup system because they did ultimately pay a $17,000 ransom. They were forced to use pen and paper for record keeping. Something I know that more and more hospitals are practicing again, simply because of this problem. They couldn't serve most of their patients and lost I'm sure several millions of dollars in revenue.

Kip Boyle: I guess that's really the issue. If you're the chief hospital administrator and you have a choice between continuing to lose millions of dollars of revenue and turning patients away or paying a $17,000 ransom, I guess in some ways the choice may seem obvious.

Jake Bernstein: Well, I think if you're looking at it as a business decision and that's what we can talk more about that, I think it could seem obvious. Now, one thing I just wanted the listeners to understand is that we're going to be talking about multiple Medical Center ransomware attacks on today's show. It's important to understand that the ransomware isn't hitting life saving equipment at this point. It hasn't happened yet to my knowledge. This is much more about attacking the business side of the hospital. I think that I just want people to understand that it hasn't happened yet, so we're not really talking about what you might do if someone decides to take offline your respirators and your blood transfusion machines. That really would be a totally different set of circumstances that I think would have many different sets of thinking, different thinking would go into how you respond to that.

Kip Boyle: Absolutely. In fact, it's another whole series of podcasts we can do right on the vulnerability of medical devices and medical equipments, life saving and treating equipment, gamma knives, and IV pumps, implanted defibrillators. There's quite a bit at risk there. What we're really talking about is like scheduling systems and administrative systems. Two years ago they were hit, but things move fast on the internet. Are people still paying ransomware?

Jake Bernstein: Yes, they are. In fact, less than a month ago, actually this month the Hancock Regional Medical Center on January 11th was attacked. This was covered in the press as well. Their CEO, Steve Long said some interesting things in the press about this. Essentially that the affected files were backed up and they could have been recovered but restoring them would have taken days, possibly weeks, and it would've cost a bunch of money. As we just talked about from a business standpoint, paying a small ransom, which in this instance was $55,000. We're gonna call that small, but note that it is more than double, almost triple actually, what the ransom was in 2016. What Mr. Long said and this is a direct quote, "These folks have an interesting business model. They make it just easy enough to pay the ransom. They price it right." I think that goes directly to your point about as a hospital administrator might be thinking of this as a business decision. Which leads to the next question which is, Kip, does anyone refuse to pay?

Kip Boyle: Well, yes. We do have some cases where people are refusing to pay. Again, just continuing to talk about medical centers. One of the reasons by the way that we're talking a lot about medical centers is they get a lot of coverage when this happens to them. It's a very high visibility event when a medical center stops functioning. I don't see any reason why our conversation wouldn't apply to any other form of business or organization. The Methodist Hospital in Henderson, Kentucky, they were attacked a couple of years ago, March of 2016. Very similar to the Hollywood Presbyterian Medical Center, in the sense that they were out of business for about five days. They had to return to pen and paper record keeping. Which by the way, the cost of, once the crisis is over with, and they're back in business, somebody has to take those paper records and digitize them. There's another expense that really isn't even talked about in terms of the recovery process.

Kip Boyle: Methodist Hospital, Henderson, Kentucky, they had pretty much the same profile as Hollywood Presbyterian Medical Center. Their ransom was actually even 10 times less, $16,000 was all that was being demanded of them. They dug in and refused to do it. The reason why is because they had effective data backup systems and other recovery systems before they were ever attacked. I think of it as like in Judo or Karate and forgive me I'm not a martial arts expert, but I see this where somebody is attacking you and you essentially step out of the way. Grab them and just use their momentum to let them go right by you. That's essentially what happened here at Methodist Hospital. There are other cases we could talk about where they didn't have effective data backup and recovery ready to go. They just ended up grinding it out, and on principle they would not pay that ransom.

Jake Bernstein: Well, let me ask you this, the Methodist Hospital here, they had data recovery, they had disaster recovery, backup systems. Would it ever be wise to pay a ransom and then just trust that your files were back to normal? It seems to me that once someone has infiltrated your information system and encrypted your files that you probably should restore from backup even if you did pay. Why are some people paying?

Kip Boyle: Again, the theme of reducing this down to a business decision, "Do I do A or B? Which one cost the least? Which is quickest and easiest to get me where I wanna be?" That's where a lot of this is being driven from, why people are paying. It's just less time consuming and it fits the paradigm of, "Do I buy tongue depressors from supplier A or supplier B? They're all pretty much all the same, so I'll just go with the least cost alternative." What's overlooked is things like what you're talking about which is, we don't know when somebody attacks our data, what they've really done to it. If we buy it back from them, how do we know that they didn't change it before they gave it back to us.

Jake Bernstein: Well, you have no idea. That's my point is that, if you're paying a ransom and you're expecting your data to be given back to you just as it was. I mean look, these people are crooks. Even if they intend to give it back to you, there's no real reason to think that they're gonna be able to decrypt everything and give it back to you just as it was before as if they'd never happened. I don't think that you can reasonably trust a ransomware affected data that you paid to unlock. I just think you have to restore from backup no matter what, so why pay ever?

Kip Boyle: Especially in a medical situation. Because let's say my billing records for example, if I get them back and they're not correct and I go ahead and submit reimbursement requests to insurance companies on the basis of data that actually turns out to be incorrect. That can come back and bite me later on. If there's some kind of audit, I might've requested a reimbursement for far in excess of the cost that actually occurred, or a patient's record or their dosing. The quantities of medicines they should have. I mean, there's a lot at risk here.

Jake Bernstein: I think that's true.

Kip Boyle: Also, by the way, there's another angle to this as well. Not only is there a data integrity issue but how do we know that when we get our data encrypted that the thieves, the attackers, aren't also making a copy for themselves?

Jake Bernstein: You don't know. There's really no guarantees here at all. I think that if you've been a victim of a ransomware attack, you have to assume that you need to restore from backup and that you might need to notify people of a breach. In fact, Kip, under HIPAA, the current thinking and enforcement has been that if a medical company or anyone with personal health information is affected by ransomware, that is actually considered a loss of control of the data and is itself a violation of HIPAA.

Kip Boyle: I thought I had heard that. I'm sure that too, that the management teams in medical centers, this probably seems completely overdone. It's hysterical, even. The idea that a ransomware attack is actually a data breach. Because for all you can tell, from what you can see, the data is still right where you left it, you just can't get to it. The truth of the matter is, is that you have to think beyond what you could actually see. If I were the kind of person who would attack and encrypt people's data, why wouldn't I take a copy and sell it? Because private health information is worth a lot more in the black market than credit cards are. For the effort that I put in to attacking you and getting you to pay me a ransom, I can turn around and take that very same data and earn extra money for no additional effort.

Jake Bernstein: Agreed. I think, I mean if we analyze these reasons, even if they sound okay, I think it's pretty clear that they're not, right?

Kip Boyle: Yeah. Let's go ahead and flip the script. We've been talking about all the reasons why it may make sense in the moment, especially when you're terrified and nothing's working to pay the ransom. Let's go ahead and flip the script and talk about why it wouldn't be a good idea. We've already touched on a few sort of nibble around the edge ideas. Jake, give us some hard hitting ideas for why we shouldn't be doing that.

Jake Bernstein: Well, one thing I tell clients who get, or what I would say, shaken down in litigation is that there's a tension. That if you pay once, guess what? You're a great target to come back to again. Right off the bat, if you negotiate with these people and you pay the ransom, not only do you continue the business model and make it viable for them to continue doing this to other people, but let's be honest they're coming back for you as well.

Kip Boyle: These days, organized crime on the internet is really like Al Capone and gets a high speed bandwidth connection to his house. I mean, these are bullies at the end of the day. They want your milk money and just like in middle school or in elementary school, if the bully's waiting for you and takes your milk money or you give it to them one day, you can be sure they'll be there tomorrow and the next day and the day after that. They want your milk money and they're just gonna keep coming for it. I mean, this is really the same thing you're talking about, isn't it?

Jake Bernstein: Well, it's close. I think it's actually even worse, because where does this money actually go?

Kip Boyle: Let's talk about that. I'm paying Bitcoin and I get my files back. I have no idea because of the anonymity of cryptocurrency. I don't really know where it's going. What do we think is happening? Where do we think it's going?

Jake Bernstein: I think you end up funding terrorism, which is a real problem. You're very likely to fund organized criminal groups in countries that are hostile to the western world. We know for a fact that a lot of these ransomware attacks come out of Russia, China. They come because of the democratization that the internet offers for force multiplication. Small countries who can't possibly compete with larger nations in a classical military sense are absolutely able to cause just as much havoc online with cyber warfare. These are also going to small dictatorships, fundamentalist terrorists Islamic groups. They're going to places that we probably don't want to fund. I think there's no way to prove that, that's the definition of Bitcoin and anonymous cryptocurrencies. If you think about it, and think about where it's likely going, I think that needs to be another aspect of the quote, “business decision”. You're not just paying some kid down the street who thought he was real clever to give you your files back. You're honestly probably funding people you don't wanna fund.

Kip Boyle: You're giving money to Tony Soprano. I mean, these are not good people. To the extent that we don't have a lot of evidence on them, one thing we've been hearing a lot about in the press is North Korea is being blamed by the US government in a string of attacks. The motivation for them is really quite simple, we've put a set of lock down of controls on North Korea. We've isolated them economically and they have got to find some way to fund their nuclear program. It sure seems like these ransomware attacks and other attacks to convert data into money is being perpetrated by them.

Jake Bernstein: Agreed. I think that the bottom line here is that paying a ransom simply encourages more criminal behavior. It's bad for our online community. Once again, just to reiterate it, you never know if the attackers are going to keep their promises. You don't know if they're actually gone from your computers or if your data is even the same as it was.

Kip Boyle: When the CEO at Hancock, when I read that article, and I saw that he paid a $55,000 ransom payment. I thought, "Well, there's 55,000 votes for more attacks." I really think about it as being unethical to pay a ransom with no thought given to the effect that it has on the larger community. I hope that these folks who paid the ransom don't get hit again. There's just no way to know. Well, any last thoughts on paying ransomware, Jake?

Jake Bernstein: No, I think that as you move away from the medical industry, the possible reasons for paying just continue to diminish. I think that, as we've said, these have not been attacks on life saving equipment. I don't want to imply that you should never pay the ransom if you're talking about life or death. That's obviously a different question. Hopefully it won't come to that. With respect to nonmedical industries, backup your systems, and don't encourage this behavior.

Kip Boyle: Absolutely. Even though it's probably going to get worse before it gets better, we're encouraging our listeners not to become part of the problem. Well, thanks for joining us today at the Cyber Risk Management Podcast. Today, we talked about whether you should pay a ransomware attacker to get control of your data and systems back. Thanks everybody, for joining us today on the Cyber Risk Management Podcast.

Jake Bernstein: Remember that cyber risk management is a team sport and needs to incorporate management, your legal department, HR, and IT, for full effectiveness.

Kip Boyle: Management's goal should be to create an environment where practicing good cyber hygiene is supported and encouraged by every employee. If you wanna manage your cyber risk and ensure that your company enjoys the benefits of good cyber hygiene, then please contact us and consider becoming a member of our cyber risk managed program.

Jake Bernstein: You can find out more by visiting us at CyberRiskOpportunities.com and newmanlaw.com. Thanks for tuning in, see you next time.

YOUR HOST:

Kip Boyle
Cyber Risk Opportunities

Kip Boyle is a 20-year information security expert and is the founder and CEO of Cyber Risk Opportunities. He is a former Chief Information Security Officer for both technology and financial services companies and was a cyber-security consultant at Stanford Research Institute (SRI).

YOUR CO-HOST:

Jake Bernstein
K&L Gates LLC

Jake Bernstein is an attorney and Certified Information Systems Security Professional (CISSP) who practices extensively in cybersecurity and privacy as both a counselor and litigator.