How Poker Skills Help Guide Ransomware Payment Decisions

A ransomware attack does more than hold your data hostage. It can cripple your organization’s ability to move forward or to make sound decisions quickly. Even companies that have a ransomware response plan in place may wonder whether their decision to pay—or not to pay—a ransom is the right one. Does paying a ransom simply encourage future attacks? Does refusing to pay lead to being blackmailed with your own data?

There are no easy answers when it comes to dealing with a ransomware attack, so it may be time to rethink the way we negotiate with ransomware gangs: move away from the knee-jerk reaction and respond analytically, according to Brandon Clark, founder of Triton Technology Consulting. In other words, to paraphrase, ‘You gotta know when to hold ’em, when to fold ’em, when to walk away and when to run.’

Gamification of Ransomware When the Game Is Poker

It is easy to view cybersecurity as a chess match, anticipating the adversary’s next moves based on your own. Clark, who hosted a session on ransomware response at RSAC 2023, suggested that poker is the more relevant analogy. When hit with a ransomware attack, said Clark, you have to place your bet:

• Do you “call” by paying the ransom and seeing whether the attacker returns your data?
• Do you “raise” by refusing to pay and forcing the attacker’s next move?
• Do you “fold” by doing nothing and making no attempt to recover the data?

“I’m not talking about the technical response,” said Clark; that comes later. First, it is important to prepare mentally for how you are going to handle the attack. The poker-game approach offers a methodical and strategic process for thinking through all of your options before the pressure of the incident forces a hasty one.

Even if you have a ransomware incident response plan, there may be circumstances in which you have to deviate from it. In most cases, a ransomware attack is an inconvenience to the company, its employees and its customers. But there are times when the stakes are higher, such as when lives are put at risk, and those situations may call for a different approach.

Sometimes, said Clark, it is more ethical to pay the ransom. But the final decision is always going to have some level of risk. You have to determine if you’re willing to gamble against that risk.

Understand What You’re Up Against

In poker, you don’t play the cards; you play the person sitting across from you. It’s a similar situation when dealing with ransomware. Nation-state actors have different objectives than organized crime rings.

It matters who is responsible for the attack because, believe it or not, it comes down to customer service. Some ransomware gangs are not interested in killing your business; they target companies they believe can pay, and they make more money over time if they cooperate and actually return your data, because that track record is what persuades the next victim to pay. Nation-state actors, on the other hand, are more ruthless, since their goals are not purely financial. Attribution is rarely certain in the first hours of an incident, which is one reason to bring in responders who track these groups. Knowing who you are up against should help you determine how to proceed and whether to pay the ransom.

What is the Real Cost?

The cost of a ransomware attack is deceptive. Let’s say the ransomware gang wants $1 million in cryptocurrency. That’s a lot of money—possibly more money than a small business can pay and more than a larger business wants to pay—especially with no guarantee that they’ll ever see their data again.

However, how much will it cost you to recover from the attack without paying? If remediation, downtime and rebuilding will cost $3-4 million, does it make sense to pay the ransom? Would your decision change if you knew for sure that you would “win” the bet and get your data restored? Organizations tend to look only at direct costs without accounting for the indirect ones, such as lost business while systems are down. A decision that ignores the full picture can end up crippling the company.

Sometimes, you have no choice in your move. In some situations it is illegal to pay the ransom, for example when the recipient is a sanctioned entity. “It’s important that when you are going through this process that you are in constant contact with your legal team, your incident responders, etc.—the people who will help you make these decisions, so you know that if you make the payment, you aren’t going to get fined,” said Clark.

The Final Hand in Play

There will be times when it is not worth paying the ransom. The data may be worth less than the ransom demanded, or it may be cheaper to rebuild the systems or restore the data from backups.

But if you do decide to play your hand, Clark offers these guidelines:

• Get help and let an expert guide you.
• Determine who you are dealing with and whether you trust the adversary to negotiate in good faith.
• Understand what is at stake whether you pay or not.
• Recognize whether there are any other options.
• Make your decision to call, raise or fold.

Image Source: Photo by Michał Parzuchowski on Unsplash 


Sue Poremba

Sue Poremba is a freelance writer based in central Pennsylvania. She has been writing about cybersecurity and technology trends since 2008.
