October 16, 2019
Ransomware: To pay or not to pay? (that is the wrong question)
By: Anup Ghosh

In light of recent ransomware attacks against cities and municipalities, the Wall Street Journal asked two professors if cities should ever pay a ransom. The article cited a Recorded Future study that tallied 71 ransomware attacks against state and local governments this year already (up from 54 in 2018).

This article presents two opposing views. One says paying the ransom may be the responsible thing to do when systems taken hostage are responsible for public health and safety. The other argues paying is never right because it feeds the growth of criminal enterprises—which will bring more ransomware attacks and create national security concerns. Both arguments are compelling; both authors are noted experts.

The article is worth a read, but it’s asking the wrong question. Or perhaps more accurately, it is pursuing the wrong dialog. Ransomware is a clear and present threat to almost every organization, big or small. The challenge that state and local governments have is that they aren’t adequately staffed to deal with ransomware attacks. The solution is not to stockpile Bitcoin, nor to accept a loss of services, particularly when they are vital.

There is a better way than DIY

As security has emerged from the backwaters of IT server rooms to a board-level issue, with ransomware driving home the business impact of security threats, the organizational processes for preparing for these threats have not kept pace. Expecting that an organization can be prepared for severe threats when it isn’t resourced to do so is a setup for disaster.

We need to collectively tackle security threats, learning from those who have been successful, sharing in threat intelligence and leveraging the strengths of organizations that have developed the capabilities to defend at scale.

The other market reality we face is there simply are not enough qualified professionals to address these threats, integrate systems and respond to attacks. Compounding this problem is that most products are point solutions. On their best day, they address only a portion of the attack.

The right approach: Security-as-a-Service

While it’s clear that security cannot be as easily consumed as electricity, we should start to think of security as a utility. Just as it is unreasonable to ask companies to generate their own power, it may be unreasonable to ask every company to build its own security. In energy as well as security, the barriers to entry are high: there are huge capital and brainpower requirements, and reaching a level of security maturity commensurate with the attackers takes many years of consistent leadership and funding. Ransomware makes the Sec-aaS case strongly because of the immediate pain and cost of attacks and the potential loss of business and mission-critical services and data. Conversely, the economics of DIY security in the face of sophisticated threats make it no longer feasible for many companies, and certainly for state and local governments.

Regarding the question, "To pay or not to pay?"

Taking ransomware as an example, the question really is, "How does one prepare for ransomware situations?" The answer is not an anti-virus solution because we know this is inadequate. Most organizations hit by ransomware are already running an anti-virus product. So is it advanced endpoint technology? Patching? Threat intelligence? Better email filtering? Tested backups from offsite? Is it detection and rapid quarantine? Account resetting? Blocking outbound connections to the source of the ransomware? Is it searching the email across all accounts for ransomware links or objects? Or maybe searching across the enterprise for ransomware indicators of compromise?

The answer is yes to all of the above, and then some. The point here is that dealing with ransomware requires sophistication, planning, orchestration and coordination of a plan across a range of security products and IT infrastructure. If you don’t have this in place, security-as-a-service is the fastest path to protecting yourself against ransomware and other threats.

Why planning—and "plays"—make all the difference

A ransomware play is an orchestrated workflow for attack detection and response as part of our Managed Detection and Response (MDR) Security-as-a-Service solution. Below is an example of one Accenture ransomware play.

[Figure: Ransomware Attack, Detection & Response]

The diagram shows a typical ransomware attack in stages. Note that from an enterprise security approach, there are several opportunities to observe, detect and respond during the attack’s progression. The key, of course, is to do this before the attacker causes significant impact to operations (stage 9 in the above model). In the case of ransomware, time is of the essence to ensure it is not a spreading threat that may shut down the entire network. This companion video shows how a ransomware response is orchestrated and how the response is automated.

The ransomware play is but one of many we have built into MDR to address gaps in organizations’ solutions. The economics of Security-as-a-Service work from the perspective of not having to acquire all the tooling yourself, not having to hire all the people and not having to integrate the tools and develop your own content to orchestrate your ability to respond to attacks. Rather, you consume Security-as-a-Service just as you would any utility, letting the market compete on quality and price.

Recently, OASIS, a standards body, established a technical committee to develop the core components of orchestrated response and a description language for writing playbooks that respond to attacks in a vendor-agnostic fashion. We think this is the right approach. It encourages improved detection and response and enables the sharing of lessons learned. This is one reason we are contributing to the technical committee and promoting the use of standardized playbooks.

In short, if you aren’t ready for a ransomware attack, then you need to either build up the organization and processes commensurate to the threat or enlist a security-as-a-service partner that can get you there rapidly.
