Imagine firing up your work computer on a Monday morning only to be faced with a digital ransom note. Your machine has been locked, the company systems and critical information have been encrypted and you need to pay a ransom, often in cryptocurrency, to get your business back online. What do you do?
Regrettably, that scenario is becoming more common for businesses as ransomware attacks become more popular with criminal gangs. A report by Harvard Business Review found that attacks in 2020 were up 150% but, more significantly, the amounts paid out to cyber criminals had increased by 300%.
Holding a company to ransom in the 21st Century is therefore a lucrative business for the criminals, but it can be a financial and PR nightmare for businesses who miscalculate their response. Pay the ransom and you may regain control of your systems with little public acknowledgement beyond the hacker forums, where it will be known that you pay out, increasing the likelihood of further attacks. Don’t pay and the PR and commercial fallout can quickly escalate, with the long-term price far outweighing the original ransom demand.
Recent attacks have exposed the vulnerabilities that exist in both public and private organisations to crippling effect. The Colonial Oil Pipeline, AXA Insurance and the Irish Health Service have been the most high-profile victims in recent weeks, each approaching the challenge of getting systems back online very differently.
The Colonial Pipeline attack crippled the US East Coast fuel supply, with people panic-buying fuel in fear of long-term disruption. Colonial Pipeline reluctantly paid the almost $5 million ransom to Darkside, a Ransomware-as-a-Service provider. In a statement, the Colonial CEO confirmed the payment was made because of the longer-term uncertainty an outage would have caused, and that it was the right thing to do for the Country [United States].
Meanwhile, the Irish Health system was thrown into disarray last week when hackers infiltrated computer systems within the HSC and Department of Health. Unverified reports from Ireland suggest the ransom demanded is between $15-$20 million, which the Irish government refuses to pay. The attack is still causing havoc, with some medical procedures still offline. The fallout will likely take weeks to fully resolve.
The two approaches show the challenges facing lawmakers who are trying to tackle the problem. UK Home Secretary Priti Patel has said that paying ransoms does not work and only demonstrates to cyber criminals that such attacks work. Meanwhile, an approach being suggested in the US is to make paying ransoms for such attacks illegal and to make notification mandatory for all ransomware attacks. Criminalising the people who are victims of the very crime they are trying to prevent does not sound like a long-term solution, though.
With fewer opportunities for criminals to fund their lifestyle through “traditional” means and the rise of Ransomware-as-a-Service providers such as Darkside and Avaddon (the ransomware group that provided the malware for the AXA attack), it’s likely we’ll see more and more public and private companies that could afford a big ransom being attacked. Of course, there is an obvious alternative to paying the ransom and getting a criminal record, and that is to not get held to ransom in the first place.