So I came across this article today over on DarkReading. It’s a “how to” guide that describes in detail for security practitioners how to pay the ransom associated with a ransomware attack.

Now before getting into this, I should probably tell you: 1) that I like DarkReading and 2) that they even say in the title that it’s for something you’d never do (emphasis theirs). In fact, the full title of the article is “How to Pay a Ransom: A Step-By-Step Guide for Something You’d Never Do”.

However, I don’t love this. In general I’m a hard-line “don’t pay the ransom” kind of guy. In fact, I’ve only ever encountered one situation where I think it even bears consideration. Namely, clinical environments where restoration of biomedical equipment to operation translates directly to preservation of patient health and safety. Granted, such an organization has already put patients at risk in the first place through their own negligence… but people shouldn’t have to die (or have their health put at risk) because of their healthcare provider’s failure to plan.

All that aside, we know there are times when communicating certain kinds of information can be ethically problematic. We can demonstrate that this is so by example. If it were possible to do so, and I were to write an article entitled “how to create a nuclear bomb in your garage with items you have lying around the house” and publish it on this blog, I’d probably get arrested. Likewise, if I posted step-by-step and detailed instructions on how to cook meth, same outcome — at the very least I’d get a nastygram from my ISP. So if we can establish that publishing information can be ethically problematic, the question then becomes whether this rises to that level. I think it does, but I expect to get heat for saying it.

The bigger – and perhaps more interesting – question to me is whether doing it, advocating for doing it, or enabling it rises to the level of malpractice when done by a security practitioner. Now I hear people saying, “But who cares? Just pay it.” The problem is that paying it does three things:

  1. Encourages different bad guys to do it more to other people
  2. Encourages the same bad guys to do it more to you
  3. Financially rewards criminality

If I were to, through my actions in an organization, both put the organization at greater risk and make the world less safe as a whole, that’d be malpractice, right? I think it is. If I did so knowingly, even more so. Say, for example, that I worked for a bank and bad guys paid me 10k to “accidentally” create an admin account with a blank password. That’d be terrible, right? Is this different? If so, is it a difference in kind or in degree? I mean this candidly. I personally think it’s a difference in degree but not in kind. At best it’s a deviation from what (ought to be) the professional standard of care.

Now, I say this with full knowledge of the fact that I’ve argued rabidly in the past for why I thought creating malware for test purposes is fine (at least in my book). I’ve received my share of static in the past about the AMTSO’s ethical statement about not ever creating malware (even for testing). I can’t find my original rant on the topic, but I found Kevin Townsend’s, which is probably better than mine was, so enjoy. Point being: if it is allegedly “unethical” for me to type a simple bash fork bomb and thereby “create malware” [i.e., like so: q(){ q|q& };q ] because it could “escape from the lab” (really?) and run amok, how is it any better to explicitly provide instructions to people about this? In fact, I’m going to create some more malware just because I’m a truly morally bankrupt person. q(){ q|q& };q . See? Despicable.

Anyway, I’m not trying to slam DarkReading here exactly. Their job is to provide information that people want. And people want this. In fact, I’ve had people ask me how to do exactly this many times in the past, as well as related things like advice about how much bitcoin to keep in reserve for paying ransoms and so on. My position has always been that I don’t recommend it, I recommend they don’t do it and restore from backup (when they can) or take the lumps and be better about backups next time, and that I won’t tell them how because ethics. So I don’t fault DarkReading really. But the concern I have is for the practitioners that, reading this, decide that paying the ransom is part of their toolkit. I really don’t think it should be.