With few options, companies increasingly yield to ransomware demands

Attackers view stolen or encrypted data as a powerful weapon

Faced with few options, companies are increasingly giving in to cybercriminals who hold their data hostage and demand payment for its return, while law enforcement officials struggle to catch the nearly invisible perpetrators.

The risks to organizations have become so severe that many simply pay their attackers to make them go away -- a strategy that may only embolden the crooks.

It's a case of asymmetric electronic warfare. Ransomware, which encrypts files until a victim pays to have them unlocked, can be devastating to an organization. Barring an up-to-date backup, little can be done aside from paying the attackers to provide the decryption keys.

Less common but just as harmful are extortion schemes, where attackers claim to have stolen critical data and threaten to publicly release it unless their demands are met. Timeframes are tight: Hackers may give a company less than 48 hours to comply, setting off a race to confirm what data, if any, has been stolen.

The costs of ransomware and extortion are difficult to calculate. Last June, the FBI estimated that the CryptoWall ransomware family alone had cost US organisations $US18 million over the prior year. In October, an industry group put the total cost of CryptoWall - which was first detected in mid-2014 - far higher, at a staggering $US325 million.

Extortion costs are even harder to estimate, since companies are often unwilling to admit they fell victim. Computer security company FireEye says it knows of companies that paid more than $US1,000,000 to prevent sensitive data being released, though most incidents are resolved for less.

The volume of cases is overwhelming law enforcement, said Erin Nealy Cox, a former federal cybercrime prosecutor and head of the incident response unit at Stroz Friedberg, which conducts computer forensic investigations.

The FBI and the Secret Service "in many cases are fine with in essence acquiescing to payment of the ransom," Nealy Cox said, though she emphasized that this is not their official position.

Groups conducting the attacks are difficult to find. They're experienced at covering their tracks and demand payment in the cryptocurrency bitcoin, which makes payments hard to trace. Also, the hackers are often based in countries that don't cooperate closely with the U.S. on cybersecurity, making arrests unlikely.

Unlocking the encrypted files is often near impossible.

"It's a big challenge to decrypt victims," said Andrew Komarov, CIO of InfoArmor, which collects intelligence on cyberthreats.

InfoArmor has had some success in disrupting ransomware, by infiltrating the computer networks used to control it. In one example, Komarov said a vulnerability was found within the command-and-control network used to distribute ransomware called CryptoLocker.

[Screenshot] The warning displayed by CryptoLocker, one of many ransomware programs.

The vulnerability allowed researchers to send a command that made it appear that thousands of victims had paid their ransom, causing their computers to be decrypted, according to InfoArmor's report.

But happy endings are uncommon. The most well-documented ransomware incidents have hit the medical industry. Hollywood Presbyterian Medical Center in Los Angeles paid 40 bitcoins -- about $US17,000 -- to decrypt its files.

Allen Stefanek, president and CEO of Hollywood Presbyterian, said the payment was "in the best interest of restoring normal operations."

Four weeks later, Methodist Hospital of Henderson, Kentucky, said a piece of ransomware known as Locky infected its systems, according to computer security writer Brian Krebs. The hospital did not pay a ransom but was able to restore its systems, according to a local news report.

Ransomware and extortion schemes offer advantages over other methods of cybercrime. Rather than stealing data and needing to find a buyer for it in risky transactions that take place in underground forums, a vulnerable victim is approached for payment directly.

"We're starting to see adversaries in many regions start thinking of data as a weapon," said Dmitri Alperovitch, CEO of Crowdstrike. "Certainly the North Koreans did that with Sony."

Sony Pictures, whose attackers released gigabytes of sensitive internal data and destroyed computers, was asked to not release a film that was seen as offensive to North Korean leader Kim Jong-un. The U.S. government quickly attributed the attack to North Korea.

Paying a ransom is a hand-wringing proposition and not one without its opponents.

Last month, Roman Hussy, who runs a security blog, launched a Ransomware Tracker -- a tool that catalogs servers around the world that have been tied to ransomware campaigns. He started the tracker after seeing many people become victims.

"The golden rule is performing backups frequently and never pay any ransoms," Hussy wrote. "Paying ransoms will fund the miscreants' cybercrime operation and the infrastructure that they are using to commit further fraud, as well as motivate the attackers to keep carrying out their attacks."

Hussy's resistance strategy might work eventually, but it would require many organizations to fall on their swords.

Kevin Mandia, chief operating officer of FireEye and founder of Mandiant, said the result of not paying could mean great risk and embarrassment -- if, for example, a company's general counsel's email is leaked.

"What would you do?" Mandia said in a recent interview. "The alternatives are pretty bad."

The uptick in ransomware and extortion attempts is likely an outgrowth of better payment card security in the U.S. Stolen card details are getting harder to monetize, so attackers have found an easier route to generate cash.

FireEye has seen some of the same hacking tools and infrastructure used for state-sponsored cyberespionage now being used for extortion, suggesting experienced hackers see a gravy train.

"Finally, Russian organized crime and groups out of China realized, well, we still have the hacking skills, we're getting card data we can't monetize as easily anymore, so just extort," Mandia said.

On March 22, the Department of Justice unsealed charges against three members of the Syrian Electronic Army, a group that waged a multi-year hacking campaign in support of President Bashar al-Assad.

Two of the men are also accused of extorting 14 U.S. and international victims after hacking their systems and threatening to cause damage or sell stolen data. The victims included a Chinese online gaming company, a U.K. web hosting provider and an online media company.

All told, the men allegedly demanded more than $500,000, although they frequently lowered their demands after negotiation, according to the criminal complaint.

"Some of this is like hostage negotiations," Crowdstrike's Alperovitch said. "You can start the dialog with a criminal and see if you can stall them and get yourself more time."

But "nothing is foolproof when you're dealing with thieves," he said.

Jeremy Kirk

IDG News Service