Written by: Charles Weaver, co-founder of MSPAlliance
It is an interesting question: should MSPs pay ransomware demands? One of the members brought up the idea of not paying ransomware. Given the latest attacks on MSPs, I think it is a great time to have this debate. So, let’s do it.
Possible Ransomeware Scenarios
There are several situations where an MSP could be involved with ransomware. First, the MSP itself is attacked and infected with it. The news reports are out there, and everyone can read them, so we shouldn’t act surprised. However, it seems to be more likely that we can stamp out ransomware infection amongst MSPs a lot easier than we can in customer environments; more on that later.
Second, customers of the MSP could be impacted by ransomware. Customers could be affected by ransomware as a result of the MSP, or through no fault of the MSP. Either way, the MSP is likely going to be involved in the response and remediation work to help the customer get back to normal system operations.
When impacted by ransomware, prevention is the best course of action for the MSP. What I mean is, MSPs should be a position where they can defend against ransomware more easily and quickly than the rest of the business community. After all, MSPs are IT professionals and should be taking all the necessary and reasonable precautions to prevent a ransomware attack and infection. If infection occurs, the MSP should be capable of quickly restoring itself to operational status.
Saying that no MSP will ever be affected by ransomware (or other cyberattacks) is not realistic. However, recovering from such attacks should be part of every MSP’s business continuity and disaster recovery planning.
Customers are more likely to find themselves victims of ransomware attacks. More importantly, these same customers are also less likely to be prepared for such a cyberattack and less capable of restoring to operational status quickly.
While we place a higher standard of care on MSPs, end-user organizations have a much more difficult path ahead. MSPs have always had to play “catch-up” with their customers when it comes to training and educating them on proper cyber hygiene. As more customers deal with the impact of cybercrime, the faster they should evolve when it comes to protecting themselves against cyber attacks. This cyberattack prevention necessarily includes allowing their MSPs to backup data, test data restoration regularly, and implement relevant cybersecurity policies and procedures.
Should You Pay Ransomware?
According to the Federal Bureau of Investigation, the answer is no. In a public service announcement issued in October of 2019:
“The FBI does not advocate paying a ransom, in part because it does not guarantee an organization will regain access to its data. In some cases, victims who paid a ransom were never provided with decryption keys. In addition, due to flaws in the encryption algorithms of certain malware variants, victims may not be able to recover some or all of their data even with a valid decryption key.”
I tend to agree with this statement. Not paying is the best long term strategy against cybercriminals. First, it will permanently foreclose any option involving the “cooperation” of the cybercriminal. Involving the cybercriminals in assisting with data restoration is dubious, at best, according to the FBI.
Second, not paying ransomware will properly place the responsibility on the customers (and MSPs) to begin safeguarding networks and systems. Continuing to pay cybercriminals will encourage them to continue their attacks and will not correct the behavior of the customers to modify their behavior.
This is a long term strategy, and MSPs need to be involved with their customers in having these discussions. MSPs need to also safeguard themselves from the business impact of customers who do not take cybercrime seriously. We are all in this together.
These are my thoughts. I’d love to hear your thoughts.