A slew of ransomware attacks in recent months have brought the issue to greater prominence and raised justifiable alarm. While data theft and conventional hacking are alarming enough, ransomware attacks entail affected users being locked out of their systems until a demanded fee is paid; there is, of course, no guarantee that access will be restored even if the demand is met. Targets may be individuals, companies, or government institutions.
In May of this year, a Norwegian-based aluminum company, Norsk Hydro, was subject to a crippling attack, receiving the message ‘Pay us or be locked out forever’. The company’s entire global network – comprising 35,000 employees and 22,000 computers distributed between 170 different sites around the world – came under a coordinated and simultaneous assault. With the company’s computers out of action, production was only resumed thanks to the help of retired workers brought back in to help, and the discovery of old paperwork detailing how to perform the operations the computers have been conducting automatically in more recent years. Even after a month following the attack, the company was still struggling to return to operations, and their recovery process accumulated costs in excess of $57 million.
Yet the company did not consider paying the ransom demands. Jo De Vliegher, Norsk Hydro’s Chief Information Officer, told the BBC: “I think in general it’s a very bad idea to pay. It fuels an industry, it’s probably financing all sorts of crimes.”
This logic is in line with the consensus of cyber security companies and law enforcement agencies, which dictates that refusing to pay is preferable to caving in to ransom demands. Yet the issue remains that firms will be tempted to give in to the hackers – the eventual cost could be far less than the price of actually making up for the damaged caused.
This idea was certainly in the minds of a number of towns in Florida, whose local government bodies came under attack in late June. Over $1.1 million was paid to the attackers, and while this fee will be covered by insurance, it will still result in an additional $10,000 cost to taxpayers. Computer access was ultimately restored to the towns, and within two weeks all normal services had been resumed.
The ransom payments are usually demanded in Bitcoin, largely due to the simplicity of transaction from the attacker’s perspective, but the ease in which cryptocurrency can be traced on public blockchains has resulted in several instances in which law enforcers were able to catch cyber criminals. The perpetrators were at particular risk when attempting to convert Bitcoin into national currencies.
As Edward Lowery, Special Agent in Charge of the Criminal Investigative Division of the U.S. Secret Service, told the Senate Homeland Security Committee’s inquiry into digital currencies: “The public ledger feature of the Bitcoin blockchain differentiates Bitcoin, and other decentralized digital currencies, from many of the centralized digital currencies, such as e-gold and Liberty Reserve. The blockchain makes it harder for criminals to hide their illicit activity. The work of researchers to link known transactions to individual identities reduces the attractiveness of Bitcoin for criminal activities. This research also provides an additional tool for law enforcement to identify illicit transactions, assets and the individuals associated with this activity in support of apprehension, asset forfeiture, and prosecution.”
However, this does not mean that any risk on the part of the attacker will deter cyber criminals from distributing ransomware. It is entirely possible that other ways to demand payment will be thought of, in the form of other types of crypto currency or more traditional monies. Yet it can be hoped that the increasing frequency of ransomware attacks will at least instill a sense of urgency in sectors of the private sector and governments, as well as amongst individuals, and help propagate the fact that cyber security measures must constantly be evaluated, installed, and constantly updated.