
‘We Don’t Negotiate with Terrorists’: Ransomware Strategy in Modern Cybersecurity


COMMENTARY: If you’ve ever seen an action movie, you’re probably familiar with the phrase, “We don’t negotiate with terrorists.”

Let’s unpack that phrase a little bit.

According to action lore, the U.S. government has a strict policy not to give in to the demands of bad actors, regardless of the threats made against the state or its people. To illustrate this, we’re going to focus on Michael Bay’s 1996 action flick The Rock. In this film, Ed Harris’ disgruntled Brigadier General Francis Hummel goes rogue, takes over Alcatraz, and threatens to levy a deadly gas attack on the city of San Francisco if he doesn’t receive $100 million. If you haven’t seen The Rock, feel free to picture Air Force One, Tropic Thunder, Austin Powers, Olympus Has Fallen, Die Hard, James Bond: The World is Not Enough, Get Smart, The Dark Knight Rises, or basically every action movie ever made for reference.

In The Rock, the folks in the situation room immediately get started working on two plans. The first: To sneak a chemical weapons expert (Nicolas Cage’s Dr. Stanley Goodspeed) into Alcatraz to neutralize the gas. The second: Ready a high-heat thermite air attack on the island in case the first plan fails. One thing they distinctly do not get to work on? Acquiring $100 million to pay off General Hummel.

On its face, this may seem like a strange decision. After all, what is $100 million to the U.S. government in exchange for the lives of the entire population of the Bay Area? But the issue is tremendously more complex than it may seem.

Michael Bay movies are for popcorn and fun, but the ransomware issue is serious and affects millions. The lessons learned from unpacking the fiction of The Rock can teach us a lot about how we deal with the very real problem of ransomware attackers in the non-fiction world of cybersecurity.

Ransomware

Let’s put a pin in the Bay-hem conversation for a moment and talk about ransomware. Ransomware is one of the most common ways attackers monetize their hacking skills. It generally goes like this: An attacker gains a foothold in an organization’s system and escalates their privileges until they find their way into the part of an application which holds valuable information. In cybersecurity, we call this the “crown jewels.”

The crown jewels could be anything from medical information to credit card numbers to valuable IP. Depending on the industry, it’s anything that the organization can’t function without or that its users trust will remain private.

Once the attacker has gained access to this data, they use malware to encrypt the data so that the organization cannot access it. They then issue a ransom demand: Pay us this amount in exchange for the decryption keys, and you will have your data back. This number will be very carefully calculated for the organization in question. Too little, and it wasn’t worth the attacker’s time. Too much, and the company won’t be able to pay. Remember: The attacker’s only goal is to get paid.

By the way, we may think that ransomware is a creation of the 2020s, but holding data hostage dates back to 1989 when the ransom demand was $189 USD. Fast forward to 2024, when the average ransom paid is $2.7M USD. And those losses don’t come close to the whole picture. Companies attacked with ransomware experience an average of 24 days of system downtime, which can cost millions more in lost business.

What Happens When We Do Negotiate with Terrorists?

Now, back to the Michael Bay of it all. The salient question is, why not just pay the money and make the problem go away? $100 million isn’t all that much in the scheme of things, and allowing the attack to happen would cost way more in lives lost than that. But to answer this question, we need to game it out. What happens if the government pays General Hummel his $100 million?

The government would send a signal far and wide to every negative actor in the world with the resources to make a similar threat that the U.S. is open for business. All you have to do is take some hostages, acquire a weapon of mass destruction, and levy a credible threat, and you can earn yourself a fat payday. Not only would this cost the government more and more millions of dollars as future terrorists execute similar plans, but every time it happens, the number of lives at stake skyrockets.

Remember, the world’s ransomware attackers have the same goal: To get paid. They (for the most part) aren’t interested in just watching the world burn. The threat they deliver is a means to an end, and the effort to set it all up is only worth it if they get paid at the end. It simply isn’t worth it if there is no chance they’ll get the money.

Where Modern Ransomware Philosophy Fails

As you can see from the numbers above, ransomware attacks are getting more and more prevalent every year. This is mostly due to the very issues we played out above. For most organizations, the ransomware strategy is simple. Pay the attackers the money, get your encryption key, go back to business as usual, and collect a check from your ransomware insurance provider to cover the losses.

It’s a plan that seems to make sense in the short term. But every time a company gives in to the demands of a ransomware attacker, they put up a big neon sign that says if you succeed at hacking us, you will get paid. A recent example (that wasn’t even technically ransomware) is the breach against edtech giant PowerSchool. The company paid a financial sum to prevent the hackers from publishing the stolen data. This incentivizes the world’s attackers not only to go after the same organization for their own payday but its competitors as well.

What this means over time is that the ransomware insurance industry is booming; premiums go up and up every year to account for the higher likelihood that they will have to cut a check, and the free market tells all would-be attackers that there is money to be made in the ransomware game.

And this is the world we currently live in. Ransomware attacks continue to rise because, in every instance, each organization that becomes the victim of an attack makes the choice to accept the long-term consequences in exchange for a short-term reprieve. And this trend will continue until one of two things happens: either someone stands up and breaks the trend, or the community adopts security strategies so next-gen that attackers simply cannot gain a foothold in their systems to begin with.

Next-Gen Solutions to Break the Cycle

Traditional signature-based detection methods depend on recognizing known patterns of malicious activity to provide security. Instead, modern approaches must focus on analyzing the behavior of applications as they execute commands to identify and neutralize threats dynamically.

Ransomware attacks often exploit unprotected entry points in enterprise applications to encrypt critical data or disrupt operations. For Java applications (still one of the most commonly used languages for apps), these entry points usually arise from insecure deserialization, improper input validation, or unpatched vulnerabilities in third-party libraries. Modern mitigation approaches require embedding security directly into the application, providing a layer of protection that automatically prevents ransomware payloads from executing.

A massive step toward avoiding system compromise from ransomware attackers is tackling the threat of zero-days. According to Deloitte, over a third of successful ransomware attacks (36%) use zero-day vulnerabilities as the initial attack vector. The industry must adopt solutions that are capable of preventing attacks without relying on prior knowledge of the exploit.
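The Java entry point named above, insecure deserialization, is a good place to see what “embedding security directly into the application” and “preventing attacks without prior knowledge of the exploit” can mean in practice. The example below is added here for illustration; it is not code from the author or from Waratek. It uses the standard `java.io.ObjectInputFilter` API (JDK 9 and later, JEP 290) to show an unfiltered `readObject()` beside one guarded by an allowlist. The class names `DeserializationGate` and `OrderRequest` are hypothetical. The allowlist does not need to know which gadget chain an attacker would send: any class the service never asked for is rejected before its constructor or `readObject` method runs.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;
import java.util.HashMap;

public class DeserializationGate {

    // Hypothetical record that this service legitimately expects to receive over the wire.
    public static final class OrderRequest implements Serializable {
        private static final long serialVersionUID = 1L;
        final String sku;
        final int quantity;
        OrderRequest(String sku, int quantity) { this.sku = sku; this.quantity = quantity; }
    }

    // BEFORE: an unfiltered stream instantiates whatever serializable class the bytes name.
    // The service has no say in which classes are created, which is the root of the problem.
    static Object readUnfiltered(byte[] payload) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(payload))) {
            return in.readObject();
        }
    }

    // AFTER: an allowlist filter. Only OrderRequest and java.lang.String may be instantiated,
    // nesting depth and array sizes are capped, and the trailing "!*" rejects everything else.
    static final ObjectInputFilter ALLOWLIST = ObjectInputFilter.Config.createFilter(
            "DeserializationGate$OrderRequest;java.lang.String;maxdepth=4;maxarray=1024;!*");

    static Object readFiltered(byte[] payload) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(payload))) {
            in.setObjectInputFilter(ALLOWLIST);   // rejection happens before any object is built
            return in.readObject();
        }
    }

    // Helper used only to construct sample payloads for the demonstration.
    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bos)) {
            out.writeObject(o);
        }
        return bos.toByteArray();
    }

    public static void main(String[] args) throws Exception {
        byte[] expected = serialize(new OrderRequest("SKU-123", 2));
        // Constructed stand-in for "any class the service never asked for".
        byte[] unexpected = serialize(new HashMap<String, String>());

        System.out.println("unfiltered, expected class:   " + readUnfiltered(expected).getClass().getName());
        System.out.println("unfiltered, unexpected class: " + readUnfiltered(unexpected).getClass().getName());

        System.out.println("filtered, expected class:     " + readFiltered(expected).getClass().getName());
        try {
            readFiltered(unexpected);
            System.out.println("filtered, unexpected class:   accepted (this should not happen)");
        } catch (InvalidClassException e) {
            System.out.println("filtered, unexpected class:   rejected (" + e.getMessage() + ")");
        }
    }
}
```

The same pattern string can be applied process-wide with the `jdk.serialFilter` system property, so that every `ObjectInputStream` in the application gets the allowlist even where a developer forgot to set one. That is the difference between a signature (block this known gadget class) and a behavioral boundary (the service only ever builds the types it declared).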

Get Started Today

This is a plea to the entire business community to make a change in how we philosophically understand the consequences of giving in to ransom demands. When you take the easy way out in the short term, you end up paying far more in the long term and place everyone else at a greater risk of succumbing to the same circumstances.

We need tools that can detect ransomware attacks and then prevent their execution altogether. And we need them to sniff out entry vectors 100% of the time, regardless of how complex or rare the vulnerability is. Moving to modern protection techniques will go a long way to ensuring ransomware attacks become, like The Rock, works of fiction.

MSSP Alert Perspectives columns are written by trusted members of the managed security services, value-added reseller and solution provider channels or MSSP Alert's staff. Do you have a unique perspective you want to share? Check out our guidelines here and send a pitch to [email protected].

Doug Ennis

Doug Ennis, CEO of Waratek, has over 20 years of experience in internal IT, consulting, and sales. He has developed a deep understanding and appreciation for cybersecurity and the networking landscape. Doug has held sales leadership roles in companies focused on data privacy, network security, application performance management, and mobile device security and management. He received his Master’s degree in Information Technology and Security from Capella University and his Bachelor’s degree in Computer Science from John Carroll University.
