Ransomware has exploded in the last few years, because it has become a very lucrative business for criminals. The premise is as follows: you break into a company’s IT systems, encrypt its data and/or exfiltrate sensitive files, and then contact the company with a ransom demand, payable in exchange for a decryption key, a promise not to publish the stolen data, or both.
A few well-documented cases are the CD Projekt Red breach, after which the source code for its most popular games was made public; the ransomware incident that forced TSMC to shut down several of its fabs in August 2018; and the Colonial Pipeline attack in the U.S. in May 2021, which took the pipeline offline.
The dilemma that companies face when targeted by ransomware is whether to pay or to ignore the demand. Companies suffer reputational damage when it becomes public that they are being blackmailed, so they are inclined to pay the criminals before the criminals announce that they have the company’s files. In the end, however, a ransomware attack nearly always reaches the news anyway: the criminals demand sums so large that they would surely show up in the annual reports. For example, Colonial Pipeline paid $4.4 million to the attackers in May 2021. Large multinationals will have no financial difficulty paying such amounts.
Would there still be a reason for them not to pay? Definitely! First of all, the criminals can still publish your data even after you have paid; a payment buys a promise, not a guarantee. Secondly, it is about setting a precedent, both for your own company and for companies in general. Industry surveys have reported that roughly 80% of organizations that paid a ransom were subsequently hit again. Beyond that, if no company paid, there would be no incentive for ransomware attacks at all. Along these lines, the U.S. Department of the Treasury has issued an advisory warning that ransom payments to sanctioned persons or jurisdictions may violate U.S. sanctions law, exposing the paying company (and any intermediary) to penalties. In addition, the department is cracking down on cryptocurrency exchanges that facilitate ransomware payments, having sanctioned the exchange SUEX for doing so.
It will be interesting to see whether the business world as a whole can come to an agreement that no one pays criminals a ransom, and in that way reduce the number of ransomware attacks.
Links:
https://arstechnica.com/gadgets/2021/06/cd-projekt-red-says-its-data-is-likely-circulating-online-after-ransom-attack/
https://thehackernews.com/2018/08/tsmc-wannacry-ransomware-attack.html
https://www.bloomberg.com/news/articles/2021-06-04/hackers-breached-colonial-pipeline-using-compromised-password
https://www.welivesecurity.com/2021/07/08/ransomware-pay-not-pay-legal-illegal-these-are-questions/
https://home.treasury.gov/news/press-releases/jy0364
Very interesting, Max. I just had a discussion with my roommate about this. It seems to be a vicious cycle in which companies do not see any alternatives and criminals are increasingly aware of the financial potential.
More of these articles are needed to make companies aware that other options exist, and that they are in fact a key decision maker in putting this systemic hostage taking to an end.
Hi Max! You’ve written an interesting blog on an even more interesting topic. In fact, it is also bizarre how much influence criminals can have on our society, especially if a company is hacked that provides goods or services to people. I like your ideas about the reasons for not paying hackers, although I doubt we’ll ever be in a position where no company will pay them. I fear that in that respect there is too much at stake for some companies in terms of confidential information, and that only in this way can they limit the damage as best as possible.
As for the future, I think we’re going to see a shift in ransomware crime from hacking the big companies you mention in your blog to smaller, community-based companies. Many giants do have the money to invest in privacy and security, while sectors such as education, healthcare and smaller companies already have little money or subsidy and are therefore less protected against hackers. Although the big money is with the big companies, I think there will only be more attacks on smaller organizations, so that criminals can still earn the same total amount of money, but from more different companies. What are your thoughts on that?