If your organization’s data is being held for ransom by hackers, should you pay up? The universal consensus is that you shouldn’t because it encourages criminals. But an earlier question needs to be: is it legal to pay?
The answer is not as straightforward as you might assume. Let’s assume your company’s servers are locked up by thieves and although you don’t want to pay, you decide you have no choice.
How are you making that payment? Depending on who’s involved – say, a US-based exchange – they could get in trouble for handling the payment. After all, those Know Your Customer (KYC) laws are there for a reason. You could not call up Bank of America or Barclays and say “I would like to wire $10 million to a gang of thieves in North Korea.”
Where are you sending that payment to? If you’re in the US and the hackers are in North Korea, you may be violating sanctions. Sanctions typically don’t say “no trading but you can wire money to bad actors in that country if you need to”. It sucks that hackers can break into your country and lock up your data, but it’s still a crime if you violate sanctions.
Of course, the criminals don’t care. Their attitude is “we’re criminals already. You can join us in the underworld and pay up. What’s that? You have regulatory challenges? Sounds like your problem. Tick tock, tick tock.”
This also explains why bans on payments will never work. You could add a dozen laws and people who operate outside the law will not care.
The best policy is to have a robust, reliable, resilient backup solution in place. Robust in the sense that it covers everything in your environment – everything needed to restore what you need with an “everything included, specific exclusions” policy instead of the opposite. Reliable meaning that your backups work and they are regularly stored. If you need something from last Wednesday at 2:14pm, you know it’s there. And resilient because they are immune to attack – someone who breaks into your network cannot nuke your backups on their way out.
I just made up those 3 Rs but they sound pretty good.

Raindog308 is a longtime LowEndTalk community administrator, technical writer, and self-described techno polymath. With deep roots in the *nix world, he has a passion for systems both modern and vintage, ranging from Unix, Perl, Python, and Golang to shell scripting and mainframe-era operating systems like MVS. He’s equally comfortable with relational database systems, having spent years working with Oracle, PostgreSQL, and MySQL.
As an avid user of LowEndBox providers, Raindog runs an empire of LEBs, from tiny boxes for VPNs, to mid-sized instances for application hosting, and heavyweight servers for data storage and complex databases. He brings both technical rigor and real-world experience to every piece he writes.
Beyond the command line, Raindog is a lover of German Shepherds, high-quality knives, target shooting, theology, tabletop RPGs, and hiking in deep, quiet forests.
His goal with every article is to help users, from beginners to seasoned sysadmins, get more value, performance, and enjoyment out of their infrastructure.
You can find him daily in the forums at LowEndTalk under the handle @raindog308.