Ransomware Is Malicious Software That Encrypts Files And Req
Ransomware is malicious software that encrypts files and requires a key to decrypt the files. To get the files decrypted, the organization must typically pay the hackers a large fee, often in cryptocurrency. If payment is made, cryptocurrency transactions are hard to trace. If the hackers do not provide decryption, there is no refund.
As examples, attackers targeted hospitals and cities, such as Baltimore. Read brief articles from the UMGC library to learn about ransomware incidents: Chokshi (2019) Attacked With Ransomware, Baltimore Isn’t Giving In; Mazzei (2019) Another City in Florida Pays a Ransom to Computer Hackers.
If the organization does not pay the ransom, it would need to use backups or rebuild systems. In Baltimore, backups were encrypted, preventing real estate transactions. Depending on environment complexity, costs can be 10 to 20 times the ransom.
What would you do as the cybersecurity analyst advising Baltimore and/or smaller cities? Would you pay the ransom? Conduct internet research to understand different viewpoints. When ready, explain why you would or would not pay. If you agree to pay, what would you tell the CEO if decryption fails or the hackers demand more? If you don't pay, what would you tell the CEO, especially if restoration costs exceed the ransom? Are there ethical considerations? If your organization pays, will other organizations be vulnerable? Would you have a different decision for a small organization like Mercury USA?
Paper For Above Instructions
Ransomware incidents have escalated in frequency and sophistication, affecting both public and private sector organizations across the globe. For cybersecurity professionals, the central dilemma is whether to pay a ransom to regain access to encrypted data. The Baltimore attack in 2019 became a salient case study in public sector risk, resilience, and governance. While the immediate impulse for many executives is to minimize downtime and data loss, the longer-term consequences—such as funding criminal enterprises, encouraging future attacks, and legal or reputational exposure—complicate the decision. This paper analyzes the considerations involved in paying or not paying, weighs ethical implications, and proposes a decision framework suitable for municipal and small organizational contexts (Chokshi, 2019; Mazzei, 2019).
Arguments for paying the ransom often center on the potential to restore operations quickly and minimize disruption. In scenarios where critical services must resume operation—such as emergency response, 911 capabilities, and essential municipal functions—paying may appear to be a pragmatic choice to reduce downtime and service outages. A rapid restoration could shorten the window of operational paralysis and limit cascading harms to residents and businesses. However, paying does not guarantee decryption. Decryption keys may be incomplete, slow to arrive, or may not function as advertised. Moreover, payment is effectively financing criminal activity and could incentivize further attacks against the payer and others in the same sector. Law enforcement and government guidance generally caution against paying, arguing that it funds crime, can undermine deterrence, and does not guarantee a favorable outcome. The FBI’s Internet Crime Complaint Center (IC3) and CISA guidance consistently emphasize that paying ransoms is not advised and that organizations should instead invest in robust backups and preventive controls (FBI, 2020; CISA, 2021).
In the Baltimore case, the city reportedly faced encrypted backups and transactional disruptions even when some data could be recovered. This illustrates a key risk: even if decryption succeeds, business processes and data integrity may remain compromised. The cost estimates from such incidents often exceed the ransom by a substantial margin, particularly when data restoration, downtime, regulatory exposure, and reputational damage are factored in. In the Baltimore narrative, the combination of encrypted backups and system-wide dependencies contributed to costly and prolonged downtime, underscoring a central point: even a “successful” decryption may not fully restore confidence or capability in a complex environment (Chokshi, 2019; Mazzei, 2019).
From an ethical perspective, paying a ransom raises questions about moral hazard and public welfare. Public sector organizations have obligations to protect citizen data, maintain essential services, and safeguard critical infrastructure. Paying could be construed as tolerating criminal activity and perpetuating cybercrime that threatens public safety and trust. Conversely, abstaining from payment may impose harsher immediate harms on residents and stakeholders if essential services remain down for extended periods. Ethicists may weigh duties to protect people and property against duties to uphold legal norms and discourage criminal incentives. Ethical frameworks such as utilitarianism (minimizing overall harm) and deontological ethics (upholding certain moral rules, such as not aiding wrongdoing) can yield different conclusions depending on the context, risk tolerance, and available alternatives (ENISA, 2023; Sophos, 2023).
Beyond ethics, practical considerations drive the decision. A robust ransomware resilience program—characterized by offline backups, rapid restore capabilities, network segmentation, and incident response planning—reduces the incentive to pay and lowers expected recovery costs. Data restoration from clean, offline backups is typically favored, though this path requires that backups remain uncompromised, that restored data is verified, and that business processes are restored in a controlled manner. Industry reports consistently emphasize the importance of backup integrity and recovery planning; downtime costs, regulatory implications, and reputational harm often dwarf the ransom amount (IBM Security, 2023; Coveware, 2023).
Insurance considerations also influence decision-making. Cyber insurance can help cover recovery costs, but policy terms vary, and insurers increasingly scrutinize incident response actions. Some policies may impose conditions requiring certain containment measures or denials of ransom payments, while others may cover negotiation and decryption assistance. In any case, insurers typically advocate for preventative investments in backup resilience and security controls to reduce the likelihood and impact of an attack (Coveware, 2023; Sophos, 2023).
When advising a city like Baltimore or a smaller municipality, a risk-based framework is essential. A decision matrix should consider (a) the likelihood of successful decryption if paid, (b) the guaranteed availability of backups, (c) the criticality of affected services, (d) the potential for data exfiltration and regulatory penalties, and (e) the societal impact of prolonged outages. In a smaller organization such as Mercury USA, the calculus may be different: smaller entities often operate with fewer redundancies and tighter budgets, which can magnify the consequences of downtime. Nevertheless, the same ethical and governance questions apply: does paying reduce overall harm, or does it perpetuate a cycle of extortion that ultimately harms the public and other organizations? (FBI, 2020; ENISA, 2023; IBM Security, 2023)
Given these considerations, the recommended course is to avoid ransom payments as a general rule and to invest in robust cyber resilience. This includes regular, verifiable offline backups; rapid, tested disaster recovery; network segmentation to limit spread; endpoint detection and response; multi-factor authentication; and user education to reduce phishing and credential theft. In parallel, engage with leadership to establish a clear incident response plan, define escalation pathways, and determine the role of cyber insurance prior to an incident. If a ransom negotiation occurs as a last resort, it should be governed by an explicit policy approved by the executive leadership and legal counsel, with a clear understanding of the potential implications for future attacks. Such a policy should also include communications guidance for the CEO and board to explain the rationale, risks, and anticipated outcomes. Research and practice in ransomware response indicate that this structured approach reduces decision-making errors and aligns actions with organizational risk appetite (Coveware, 2023; ENISA, 2023; Kaspersky, 2022).
Ultimately, the Baltimore case and related experiences suggest that a preventive, rather than reactive, posture offers the best balance of risk and responsibility. A no-ransom policy, backed by sound backup practices, transparent governance, and clear communication with stakeholders, provides a defensible stance that helps limit the incentives for criminals, protects public welfare, and supports long-term resilience for both large cities and smaller communities like Mercury USA. In situations where restoration costs threaten the organization’s viability, the decision becomes more nuanced, but even then, the emphasis should be on resilience, transparency, and alignment with ethical and legal obligations rather than capitulation to criminal demands. (Chokshi, 2019; Mazzei, 2019; IBM Security, 2023; FBI, 2020; ENISA, 2023; Coveware, 2023)