The Problem with Ransomware
The other day I ranted on Twitter.
I was investigating the latest company to be hit by a cyber attack.
A household name and huge brand.
It looked like ransomware and it smelt like ransomware, but of course the company was saying nothing and neither were the authorities.
I could see, once again, the frustrating pattern emerging that has become so familiar in cyber security, so I posted this.
It must have struck a nerve.
It was retweeted more than 100 times, received more than 350 likes and was viewed 75,000 times.
Many people chimed in with their own ‘steps’ like:
“Day 203: Fire the IT guy who was just trying to do their job.”
It seems that my frustration is shared.
Too many breaches, too little time
Since I got the job of Cyber Reporter at the BBC we’ve had to be very selective about where I put my time and energy. We simply can’t cover every breach or hack, but covering the big ransomware attacks is massively in the public interest.
Companies are getting hit all the time. Almost every day we get news of another massive company being held hostage by faceless hackers, usually halfway across the world.
But whilst companies might not be getting any better at preventing ransomware attacks, they are getting very good at handling the press.
The mushroom treatment
Advisors in law enforcement and private recovery firms are clearly operating a ‘treat the public like mushrooms’ approach – feed them manure and keep them in the dark! That’s a quote from one of my favourite films, The Departed, and it was said by a policeman, funnily enough!
The advice mirrors another form of criminal enterprise involving hostages – kidnapping. The advice has always been not to go to the press in case the criminals use the publicity to raise the stakes.
Yes, it is the case that ransomware hackers love the attention. Many have blogs updating reporters and potential criminal clients about what sort of data they have on their victims.
Generally we avoid publishing what we find on those sites for the very reason that it can fuel the hackers in their extortion.
However, I see problems with the ‘don’t speak to anyone about the data being held hostage’ approach.
Firstly, the victims here aren’t one poor backpacker or suchlike; the victims are sometimes hundreds of thousands, even millions, of individuals whose data is being bartered over.
When a company makes the business decision to pay hackers on a ‘pinky promise’ that the data will be deleted, there are zero guarantees.
The other big issue with ransomware, which luckily many people are now trying to address, is that it is not illegal to pay hacker demands.
I have a huge amount of sympathy for a company which is in the terrible position of not paying or paying when it’s life and death for a firm.
A cautionary tale
I always think back to the most shocking example of this, from 2014. I doubt even the term ‘ransomware’ had been coined yet, and this case wouldn’t technically qualify as no ransom malware was used. But the attack played out the same way and was devastating to the Coventry cloud computing company. The hacker found his or her way into the company’s cloud storage system and tried to get paid to leave. When the company refused to respond, the criminal just started deleting files until there was literally nothing left.
One report put it like this:
‘Within 12 hours, Code Spaces went from a viable business to devastation. The company reported that all of its svn repositories—backups and snapshots—were deleted.’
https://threatpost.com/hacker-puts-hosting-service-code-spaces-out-of-business/106761/
This example always sticks with me when I consider the dilemma of paying or not. I think of the person who started and nurtured that business to success. I think of the staff. I think of the IT manager who watched the files disappearing in front of his eyes. But ransomware is the biggest problem in cyber security, and we need to start talking about how to stop or slow the criminal industry. It’s hard to get figures for the losses, as so many companies keep quiet or only disclose the bare minimum, but a conservative estimate from one of the leading ransomware research firms, Emsisoft, is that $25bn has been lost to criminal gangs in 2020 alone. (https://blog.emsisoft.com/en/35583/report-the-cost-of-ransomware-in-2020-a-country-by-country-analysis/)
And going back to my step-by-step guide – that doesn’t even include the money changing hands for Mr and Mrs Jones’ details on the dark web.
There is hope
There are some companies who refuse to conform to the ‘mushroom’ principle. Go to any conference and you will hear Norwegian aluminium giant Norsk Hydro held up as the ‘gold standard’ in terms of how to handle ransomware.
I was lucky enough to visit the Norwegian company for a news report as they were recovering. Let’s end on a positive!