When cyber crime doesn’t pay

26/Jun/2019

When malicious hackers disable your business and demand a ransom, it’s tempting to just pay up and move on. But should you? Many firms do so out of sheer desperation, but law enforcement says this just makes matters worse.

In March, news broke of a ransomware attack on Norsk Hydro, a global aluminium producer. An estimated 22,000 computers were hit across 170 different sites in 40 different countries. The entire workforce of 35,000 had to resort to pen and paper. Production lines shaping molten metal were switched to manual, and long-retired workers came back in to help colleagues run things “the old fashioned way”.

Despite all of this upheaval and costs currently estimated at more than £45 million, Norsk Hydro has refused to pay the ransom.

The gold standard

The company’s response is being described as “the gold standard” by law enforcement organisations and the information security industry. Not only did they refuse to pay the hackers, they have also been completely open and transparent with the outside world about their experience.

However, other companies and organisations are choosing to pay. And evidence is growing that ransomware hackers are increasingly being paid off secretly by victims – and their insurance companies – looking for an easy way out.

“It’s become a simple business case for many organisations to pay, and at this point it’s a known secret that this is happening,” says Josh Zelonis, cyber-security analyst at Forrester.
Secrecy surrounds the practice because organisations are concerned about the possibility of litigation and the damage to their reputations following an attack, he says.

“And a lot of the time incident response companies are being brought in to broker the transaction with the adversaries themselves in order to ensure that the payment is made and recovery is possible,” he says.

Sources in the information security industry have described multiple occasions when large, well-known companies have paid out thousands of pounds – in some cases hundreds of thousands – to hackers and not told the public or even shareholders.

Last week, a Florida town paid hackers $600,000 (£475,000) to get its computers working again after a ransomware attack disabled email, hit emergency response systems and forced staff to use paper-based admin systems.

This worrying trend has prompted Europol, the European Union’s law enforcement agency, to re-issue its warning that paying ransoms fuels hackers and often leads to more organised crime.

WannaCry

Some degree of optimism can be gleaned from data that indicates a decline in ransomware attacks since the WannaCry virus of May 2017. WannaCry infected an estimated 200,000 computers in at least 150 countries and caused notable disruption to the UK’s National Health Service. Since then, ransomware attack numbers have actually declined significantly.

Cyber-security vendor Trend Micro estimates that numbers could have dropped by 91% in the past year. But data from many other vendors points to a rise in more targeted attacks, in which companies and organisations, rather than individuals, are in the cross-hairs. Researchers at cyber-security company Malwarebytes say that, compared with the same time last year, business detections of ransomware have risen more than 500%.

Norsk Hydro CIO Jo De Vliegher is convinced that his company has done the right thing. “I think in general it’s a very bad idea to pay,” he says. “It fuels an industry and it’s probably financing other sorts of crime. It goes against our company values and we have good foundations and good people. But I understand why, for some companies who are less secure, this can be the only option.”

His words are echoed by Europol’s head of the European Cybercrime Centre, Steven Wilson. “Companies need to understand that if you continue to pay a ransom it perpetuates the crime,” he says. “It encourages the criminals to commit further crimes. If you pay, you’re fuelling organised crime on a global basis.”

For more on this story, take a look at the BBC News report.
