In the latest development in the Montclair cyber attack, the US township has decided to pay $450,000 as ransom. Joseph Hartnett, the interim township manager, confirmed the development to local media.
The settlement was reportedly negotiated while law enforcement began investigating potential criminal charges related to the attack.
Working in conjunction with the insurance company, state, and federal authorities, including the FBI, the situation was resolved to a great extent, with critical data essential for township business and operations being recovered.
However, certain data belonging to individual users and external vendors providing storage for past records is still in the process of being recovered.
This missing data is reportedly affecting the township’s ability to respond adequately to certain Open Public Records Act requests.
Joseph Hartnett mentioned that there will be another update next week, which will provide further details on the impact of the attack, its duration, and the current status of the unrecovered data.
The town of Montclair popped up on the cybersecurity news when Mayor Sean Spiller disclosed the situation through a YouTube video on June 6.
The situation raises an important question: when is it ok to pay ransom?
The issue of ransom payment presents complex legal and ethical challenges.
While laws and regulations vary across jurisdictions, law firms generally advise against paying ransoms due to the risk of supporting criminal activities.
Ethically, ransom payments should be discouraged to avoid encouraging further attacks and funding illicit enterprises.
However, in exceptional circumstances where human lives or critical infrastructure are at stake, organizations may be compelled to make difficult decisions, striking a balance between ethical considerations and public safety.
Ultimately, preventive measures, such as robust cybersecurity practices and incident response plans, remain essential to mitigate the risk of ransomware attacks.
Montclair Cyber Attack and the legality of ransom payment
The legality of ransom payment varies across jurisdictions. In some countries, paying ransom to cybercriminals is explicitly illegal, while others lack specific legislation addressing this issue.
The U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC) prohibits making payments to individuals or entities on its sanctions list. The situation becomes stringent when it comes to law enforcement.
The ransomware response playbook of the FBI is clear: it does not support paying a ransom in response to a ransomware attack.
“Paying a ransom doesn’t guarantee you or your organization will get any data back. It also encourages perpetrators to target more victims and offers an incentive for others to get involved in this type of illegal activity,” it explained.
Additionally, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) advises against paying ransoms to discourage further attacks
However, all these provisions leave some space for negotiation. In other words, there is no absolute ban on ransom payments.
For instance, the OFAC would take action predominantly when payment is made to “designated numerous malicious cyber actors” as making or facilitating any ransom payment to a sanctioned party directly violates US foreign policy.
Companies dealing with ransomware attacks might consider requesting permission from OFAC to make payments due to the pressure of the situation.
However, it’s crucial to note that there is no assurance that such a license request would be approved, warned US-based law firm Arnold & Porter.
“In fact, OFAC reviews license applications involving ransomware payments with a ‘presumption of denial’,” said the law firm’s blog post.
“The bottom line is that for most potential victims, withholding ransomware payments may be the only means to avoid violations of US sanctions law.”
We can see a similar path in Europe too. In the European Union, the EU’s General Data Protection Regulation (GDPR) mandates that organizations protect personal data and report data breaches promptly.
While the GDPR does not explicitly prohibit ransom payments, it emphasizes the importance of implementing robust security measures to prevent such attacks.
The ethical issues of ransom payment
Paying ransoms may incentivize cybercriminals to launch more attacks, as it becomes a profitable enterprise. This perpetuates a vicious cycle of attacks, putting more individuals and organizations at risk.
Ransom payments can be diverted to finance illicit activities, such as terrorism, drug trafficking, or human trafficking. Contributing to such criminal enterprises raises serious ethical concerns.
However, the fact remains that there are no ironclad regulations in ransom payments.
In rare instances, when human lives are at risk, or essential services like healthcare or critical infrastructure are compromised, authorities and organizations might face difficult decisions.
In such cases, the ethical dilemma of saving lives and maintaining public safety could potentially justify paying the ransom.
In some situations, organizations may have no other viable options to recover their data or systems.
They might decide to engage in negotiations with attackers as a last resort, with the goal of minimizing damages and ensuring business continuity.
Do we pay ransom or not?
“Security experts across the board advise against paying,” said an advisory on ransom negotiations by cybersecurity business Acronis.
“This recommendation is due to the low number of successes in retrieving stolen data, the lack of assurance that encryption keys will indeed work, and most importantly, the fact that this only motivates cybercriminals to continue to commit extortion and to develop ransomware.”
The US Financial Crimes Enforcement Network (FinCEN) in November warned against financial services that facilitate ransom payments, as it often leads to other channels of money laundering and even terrorism funding.
“Criminals prefer to launder their ransomware proceeds in jurisdictions with weak antimony laundering and countering financing of terrorism (AML/CFT) controls,” the advisory said.
Meanwhile, UK’s National Cyber Security Centre (NCSC) and Information Commissioner’s Office (ICO) in July 2022 urged the legal industry against advising their clients to pay ransom.
They issued a joint letter to the UK legal community in response to a cases where some solicitors advised their clients to yield to such extortionate demands.
“I won’t argue that paying these ransoms is feeding terrorism or crimes other than further ransomware attacks,” wrote Robert K. Knake, senior fellow at the Council on Foreign Relations.
“But left unchecked, ransomware could become a crippling problem for many more companies. The best way to prevent that from happening is to criminalize the payment of ransoms to cybercriminals.