In “sublime to ridiculous” news, I saw this article detailing a recent conversation between Jim Cramer (yes, that Jim Cramer) and CyberArk’s CEO Udi Mokady about organizations hoarding Bitcoin to use for ransomware payments.
It’s not the first time this has come up: Citrix weighed in on it, as did Nuix, et cetera, et cetera. In fact, Jim Cramer alone has now discussed this exact topic with multiple tech and security CEOs (not that I follow Jim Cramer, but I do follow cryptocurrency news).
Anyway, the Jim Cramer conversation suggested to me that maybe it was time to weigh in on this. I’m sure it’s true that people are stockpiling BTC for this purpose. I don’t personally know of anyone doing it, but I’m sure it’s happening (because it seems like the kind of thing people would do). That said, stockpiling Bitcoin is, I think, a bit misguided. Don’t get me wrong: I’m all about preparedness. But there are a few reasons why I think this is not the best idea.
First, there’s the logistics. Doing this presupposes that attackers will always ask for BTC. In the short term, this is probably true. But isn’t it a better investment (assuming your intention is to pay the ransom, which I’ll get to in a minute) to set up a process to rapidly create a wallet and transfer funds into it, rather than buying and holding some unknown sum of a particular currency in case you might (maybe, possibly) need it at some point down the road? If you stockpile, you’re exposed to market fluctuations and you’re locking up funds that could be used for some other productive purpose, all while guessing about a future attack that may or may not happen and for which your preparation may or may not be useful if it does (for example, if they request 10x the sum you have earmarked, in ETH instead of BTC).
Put another way: do you keep a slush fund to buy off international terrorists who kidnap your executives while traveling? No, right? Because you don’t know when or if this will happen, or what kidnappers might ask for if it does. Does it really make any more sense (logistically) just because it’s BTC? I’m not convinced it does.
Then, there’s the issue of paying the ransom in the first place. We all understand that this isn’t a good idea, right? It’s like paying the kidnappers in the above example. Only sometimes will you get what you want from the bargain, and the byproduct is that you announce yourself as a “soft target” for their next attack. Neither of those things is good. A much better strategy (in my humble opinion) is to put your energies into mitigating the attack in the first place rather than paying off the bad guys afterwards. For example, you could put effort into ensuring that systems are resilient and data is recoverable. Really, you should be doing this anyway. Asking yourself why you have data that you can’t recover should it be lost is a better strategy than working out the mechanics of paying off the person holding it hostage once you can’t recover it.
Anyway, I get why people would want to go down this path. That part’s human nature. But it seems to me that on some level it’s analogous to walking around “all day every day” with a can of paint and Spackle so you can fix the drywall in your house when the rain comes through the hole in your roof. Yes, you could do that. It makes some level of intuitive sense because it absolutely will rain eventually, and (because there’s a hole in the roof) the drywall will absolutely need repair when it does. But what if you just fix the hole in the roof to begin with? It could be that something happens where you get water damage anyway — in which case, you go buy some paint. But is the prep really worth the return when compared to fixing the root cause?