If your organization’s data is being held for ransom by hackers, should you pay up? The universal consensus is that you shouldn’t because it encourages criminals. But an earlier question needs to be: is it legal to pay?
They answer is not as straight-forward as you might assume. Let’s assume your companies servers are locked up by thieves and although you don’t want you pay, you decide you have no choice.
How are you making that payment? Depending on who’s involved – say, a US-based exchange – they could get in trouble for handling the payment. After all, those Know Your Customer (KYC) laws are there for a reason. You could not call up Bank of America or Barclays and say “I would like to wire $10 million to a gang of thieves in North Korea.”
Where are you sending that payment to? If you’re in the US and the hackers are in North Korea, you may be violating sanctions. Sanctions typically don’t say “no trading but you can wire money to bad actors in that country if you need to”. It sucks that hackers can break into your country and lock up your data, but it’s still a crime if you violate sanctions.
Of course, the criminals don’t care. Their attitude is “we’re criminals already. You can join us in the underworld and pay up. What’s that? You have regulatory challenges? Sounds like your problem. Tick tock, tick tock.”
This also explains why bans on payments will never work. You could add a dozen laws and people who operate outside the law will not care.
The best policy is to have a robust, reliable, resilient backup solution in place. Robust in the sense that it covers everything in your environment – everything needed to restore what you need with an “everything included, specific exclusions” policy instead of the opposite. Reliable meaning that your backups work and they are regularly stored. If you need something from last Wednesday at 2:14pm, you know it’s there. And resilient because they are immune to attack – someone who breaks in your network cannot nuke your backups on their way out.
I just made up those 3 Rs but they sound pretty good.
Related Posts:
I also enjoy using LEBs! I have an empire of little guys for VPNs, larger guys for apps, and big guys for databases and storage. When I'm not in front a screen I'm into German Shepherd dogs, quality knives, target shooting, theology, tabletop roleplaying games, and forest hiking.
I enjoy writing technical articles here on LowEndBox to help people get more out of their systems. You can find me on LowEndTalk @raindog308
Leave a Reply