CISA Advises Against Paying Ransom, But Rules Out a Ban


While the Cybersecurity & Infrastructure Security Agency (CISA) has come out against paying ransoms, the director of the organization stopped short of saying that the government should ban such payments.

CISA Director Jen Easterly recently made her position on ransomware payments known at the Oxford Cyber Forum, as reported by Security Intelligence. However, Easterly didn’t go so far as calling for a ban on paying ransomware demands.

“I think within our system in the U.S. — just from a practical perspective — I don’t see it happening,” she said.

Backing up that assertion, the Ransomware Task Force for the Institute for Security and Technology does not support a ban on paying ransom, according to Security Intelligence. The task force reasoned that small businesses typically cannot withstand a lengthy business disruption and might go out of business after a ransomware attack, and that a ban could disrupt the wider response to ransomware threats.

The reasoning is that companies that face penalties for paying might instead make ransomware payments secretly. As a result, the accuracy of data about ransomware variants and of threat intelligence would suffer.

Another obstacle to a ransomware payment ban is fake data recovery firms — alleged “rescuers” who negotiate with ransomware gangs on the side, essentially paying the ransom and then charging the victims a fee. If ransomware payments were banned, these types of operations would likely increase.

The Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA) mandates the reporting of cyber incidents, while the U.S. government also promotes secure-by-design.

At the Oxford Cyber Forum, per Security Intelligence, Easterly said, “I do think we’ve made a difference, but I don’t think we’re going to make ransomware a shocking anomaly without successful implementation of a secure-by-design campaign. We cannot expect businesses that don’t have huge security teams to be able to secure that infrastructure unless that technology comes to them with dramatically reduced numbers of vulnerabilities.”

What Cyber Pros Say About Paying Ransom

Quentin Simmons, senior lead analyst of Digital Forensic and Incident Response for eSentire, a company specializing in managed detection and response (MDR) services, advised victims against paying ransom in most instances.

“We usually advise against paying a ransom if our Digital Forensics and Incident Response (DFIR) team has been able to verify the integrity of their backups (if they have any),” Simmons told MSSP Alert for a January 2024 article examining the pros and cons of paying ransom. “Another variable that’s critical to paying or not is if there has been any data exfiltration and if that data contains PII (personally identifiable information) or any sensitive data.”

Mari DeGrazia, director of Incident Response at ZeroFox, a provider of products and services to MSSPs, explained that the decision about paying a ransom demand depends on how many systems were encrypted, the viability of backups and whether the cybercriminal is threatening to release sensitive data.

“We recommend that companies assess the ethical and regulatory implications,” DeGrazia said. “We advocate against payment whenever possible.”

She added, “Each company's situation is unique, and regardless if a company decides to pay the ransomware or not, we recommend a company hire a third party that specializes in ransomware negotiations to guide them through the process.”

Ransomware Response Checklist for End Customers

  • Execute incident response plan (if no plan, why not?).
  • Contact your cyber insurance carrier; review the policy.
  • Seek legal counsel to determine viability of paying ransom.
  • Determine if the ransom payment violates U.S. Office of Foreign Assets Control regulations.
  • Contact law enforcement.
  • Inform media relations re: crisis management/damage control.
  • Determine if any data exfiltration occurred and what sensitive data it may contain. Some data may be old and not worth the trouble.
  • Assess which systems were encrypted.
  • Hire a third party that specializes in ransomware negotiations.

Jim Masters

Jim Masters is Managing Editor of MSSP Alert, and holds a B.A. degree in Journalism from Northern Illinois University. His career has spanned governmental and investigative reporting for daily newspapers in the Northwest Indiana Region and 16 years in a global internal communications role for a Fortune 500 professional services company. Additionally, he is co-owner of the Lake County Corn Dogs minor league baseball franchise, located in Crown Point, Indiana. In his spare time, he enjoys writing and recording his own music, oil painting, biking, volleyball, golf and cheering on the Corn Dogs.