On Wednesday, an assistant superintendent of a Texas school district described in rare detail how her institution fell victim to ransomware and why the district decided to pay the perpetrators a ransom of more than $500,000.
"The recovery of our network was not our primary concern," said Lacey Gosch, the assistant superintendent of technology at Judson Independent School District. "Our concern was the security of the data." The district wanted to prevent the threat actor from releasing the personally identifiable information of 428,761 affected individuals.
Gosch offered a rare view into how institutions facing ransomware threats cope with these increasingly common attacks during a joint hearing of two committees of the House Committee on Oversight and Accountability. Numerous institutions have faced the same conundrum Gosch and Judson Independent faced, not least banks, which are disproportionately attractive targets for ransomware actors.
This summer, at least
"Security vendors almost unanimously highlight not only an upward trend in ransomware attacks, but also ransomware as the most significant threat in the cybersecurity environment," reads the report from the Financial Services Information Sharing and Analysis Center.
How paying ransoms helps and hurts
As the threat of ransomware grows for banks, Gosch's story serves as a cautionary tale that clarifies the stakes banks face as they look to prevent and mitigate these attacks. It also serves as an illustration of the bind banks face in the wake of an attack, when they receive a ransom note.
The FBI says paying ransoms "encourages perpetrators to target more victims and offers an incentive for others to get involved in this type of illegal activity." The biggest problem: a ransom payment does not even guarantee that the threat actor will delete the stolen data.
Yet twelve days after learning about the ransomware attack — and on Gosch's 34th day on the job — Judson Independent paid the ransomware actors a negotiated ransom of $547,000 in exchange for a promise — but no guarantee — that the criminals would delete the stolen data. Gosch said it was a "difficult decision," but the district felt compelled to protect its constituents.
The district's cyber insurance proved helpful, but the payout predominantly covered attorneys fees, data mining and identity protection. "It does not cover ransom payments or cost for upgrades to mitigate that damage," Gosch said.
Among experts, cyber insurance coverage for ransom payments is hotly debated. At times, cyber insurance providers do cover ransom payments, according to the Royal United Services Institute, a think tank in London. But the institute argues that there is "no compelling evidence that victims with cyber insurance are much more likely to pay ransoms than those without."
Two federal agencies recently released a warning about a strain of ransomware called Snatch, which has adopted the successful tactics of other variants.
The vicious cycle of paying criminals
Gosch's experience is not unique, according to Grant Schneider, senior director of cybersecurity services at law firm Venable. Many companies and governments fall victim to ransomware; Gosch is merely a rare example of a victim publicly disclosing the details of how the attack happened and the fallout that ensued.
"During a ransomware event, government organizations including law enforcement can provide a very limited amount of support," Schneider told the subcommittees. Left with an "unsavory set of options," victims often choose to negotiate a ransom payment because it is the "most time and cost effective approach to getting an organization up and running again."
One of the reasons ransom payments have proven so controversial is that they are the primary driver for ransomware actors.
"To be clear, ransomware is a means for malicious actors to make money," Schneider told the House subcommittees. "It is rarely about foreign policy or espionage objectives like those we see from nation state actors."
Ransomware is still a priority for many U.S. law enforcement agencies, which Schneider said have worked with international partners and invested heavily to disrupt ransomware activities across the globe. In
Still, law enforcement is not always there for victims or able to provide help in the immediate aftermath of a ransomware attack. Gosch and the Judson Independent School District learned that the hard way.
"We learned that the cavalry does not come," Gosch said. Before a panel of U.S. representatives, Gosch said that "no state or federal agency ever visited or offered recovery assistance to Judson Independent School District."
