Paying a Ransom: Does It Really Encourage More Attacks?

The Debate Over Impact of Colonial Pipeline's Apparent Ransom Payment
Some cybersecurity experts question the contentions of Speaker of the House Nancy Pelosi and another member of Congress, who say a $5 million ransom reportedly paid by Colonial Pipeline Co. after being hit by DarkSide ransomware would serve as a catalyst for attacks on other critical infrastructure providers.
Cyberattacks on critical infrastructure, such as the breach of a water treatment facility in Oldsmar, Florida, are relatively common, so the apparent ransom payment in the Colonial Pipeline incident is likely to have little influence, some security pros say.
"The floodgates are already open," says Etay Maor, an adjunct professor at Boston College and senior director of cybersecurity strategy at Cato Networks.
The May 7 attack that struck the company's IT infrastructure led the pipeline operator to temporarily shut down its operations; it began launching restart efforts Wednesday.
The research firm Elliptic says that on Friday, it identified evidence that Colonial Pipeline paid the ransom.
Elliptic says it discovered the bitcoin wallet the ransomware group used to receive ransom payments from its victims. "Based on our intelligence collection and analysis of blockchain transactions, this wallet received the 75 BTC [bitcoin] payment made by Colonial Pipeline on May 8, following the crippling cyberattack on its operations - leading to widespread fuel shortages in the U.S.," says Tom Robinson, Elliptic's co-founder and chief scientist.
Colonial Pipeline has not confirmed paying the ransom or even being in contact with its attackers. The company has not responded to Information Security Media Group's requests for comment.
The company's pipeline connects refineries in the Gulf Coast to customers throughout the southern and eastern U.S., carrying gasoline, diesel, jet fuel, home heating oil and fuel for the military. Colonial Pipeline transports about 45% of all the fuel consumed on the East Coast.
Although Phil Reitinger, a former director of the National Cyber Security Center within the Department of Homeland Security, doesn’t expect the pipeline company's apparent ransom payment to serve as a catalyst for other ransomware gangs, he acknowledges the impact the attack had on pipeline operations could encourage those interested in causing similar mayhem.
"I don't see paying this particular ransom as that different from others, in the sense of opening up critical infrastructure as a target," he says. "Indeed, I expect there to be a reduction in criminal attacks on critical infrastructure as this ransomware gang now has a big target on its back," says Reitinger, who's now president and CEO of the Global Cyber Alliance. "However, the effectiveness of the attack may well increase the incentive for other actors who want to disrupt rather than cash a check."
The ransomware-as-a-service gang behind DarkSide announced Thursday it was shutting down its operation after losing access to part of its infrastructure.
A ransomware attack by a nation-state or highly competent gang, such as DarkSide, is almost impossible to stop, Maor says. But he points out that such attacks aren't easy to pull off.
"There is a very serious myth in the cybersecurity world - the attacker has to be right once, the defender has to be right all the time," Maor says. "I say no, it's exactly the opposite. The attackers have to be right many times. They have to enter, find and stage everything. Actually, the defenders have many points where they can identify the attack."
"The point is that we don't want people to think that there's money in it for them to threaten the security of a critical infrastructure in our country," Pelosi said.
"We've had attacks on hospitals and schools, and now they're going to critical infrastructure," Katko said. "I think this is a major shot across the bow to tell us as a country to wake up to the fact that cybersecurity is a preeminent threat to our national security right now."
Reitinger says that if lawmakers believe paying a ransom will lead to more attacks, they must take steps to help prevent victims from choosing this course of action.
"If the government wants to prevent that because paying ransom provides an incentive for crime, then the government needs to ban the act [of paying a ransom] and own the results that come from that, which could be significant," he says.
Phil Quade, CISO at the security firm Fortinet, offers a similar point of view: "The use of ransom-like techniques against critical infrastructures and government services merits a strong federal role stopping such exploits, through policy, law and cybersecurity operations."
Pelosi's comments support the FBI's well-publicized recommendation that victims should refrain from paying a ransom to attackers.
"Paying a ransom doesn't guarantee you or your organization will get any data back. It also encourages perpetrators to target more victims and offers an incentive for others to get involved in this type of illegal activity," the FBI says.
But Anne Neuberger, the deputy national security adviser for cyber and emerging technology, said Monday that such decisions are ultimately up to the organization that has been targeted.