The ransomware dilemma - to pay or not to pay

What is ransomware?

Ransomware is malicious software used by hackers to lock or deny you access to your systems and files, unless you pay a ransom. There are two main types of ransomware that are typically used by attackers:

Crypto-ransomware encrypts files, effectively locking the victim out of their own business. The attacker will contact you to demand payment, or a ransom, to reveal the password that will allow you to regain access to your files.
Lockscreen ransomware works by locking the victim’s computer or files. A message will appear on your screen telling you that you need to pay a ransom before you get access back. You won’t be able to remove the message or access your desktop, your apps, or any of your files.

There are several different ways an attacker can launch a ransomware attack – the most common being through malicious spam or phishing. Once someone downloads the software through a bad link or infected attachment, the software can quickly spread through your network.

Attackers bank on the fact that businesses find it easier to pay a ransom, than lose their files or get someone to fix the problem.

Ransomware attacks are by far the most popular form of cyber attack and can include many attack vectors including phishing attacks, brute-force and distributed denial-of-service (DDoS) attacks.

Globally ransomware is up around 500% on this time last year. In New Zealand more than half of businesses have been successfully targeted by a ransomware attack in the past year, with one in five businesses saying the attack caused serious disruption to operations. Why the increase in attacks over the past year? We think this could be due to the following factors:

Attackers had more opportunities to exploit vulnerabilities in software systems as organisations prioritised COVID-19 resilience over cybersecurity over past the year
Adoption of cloud technologies continues to increase (79% in 2020 versus 59% in 2019), but the level of understanding around cloud security remains low
It is becoming increasingly easy to set up a ransomware attack.

Ransomware as a service

Ten years ago, if you were going to run a ransom campaign, you would have to develop the campaign yourself, or access networks which could produce the code for you. It was also quite expensive and often quite difficult to execute because you had to get the malware into the targeted organisation. Also phishing emails, which are often used to execute the attack, weren’t particularly sophisticated. Because of these challenges, typically cyber criminals attacked larger organisations and demanded large ransom amounts. Small and medium-sized businesses and community organisations were largely left alone.

These days ransomware has been commoditised. It can be purchased as a service, is easy to access and is professionally packaged. You no longer need to be a developer with knowledge of software vulnerabilities. You can simply purchase software which will find and exploit these vulnerabilities in the systems you choose to attack.

Further, many ransomware services include easy payment systems, support desks for both the attacker and victim, and have streamlined payment options to reduce any barriers to payment. Many also offer credit and instalment options for those not able to stump up with the cash immediately.

How does a ransomware attack work?

Many attackers just spend their time looking for companies which are running vulnerable software. With some services you can search the companies you're after, and then buy code that exploits the vulnerability in that software. Aura research has found that it can cost as little as US$15 to find information about the vulnerability and exploit it. Once the vulnerability has been exploited in the computer system, cyber criminals will go into your system and steal critical information. And, once this has been extracted, they run the ransom attack – locking your system and demanding a ransom to delete the information.

Many ransomware attacks are customised to the scale of the business being attacked. Some groups specialise in small business – high volume of attacks but low ransom amounts. Then you get groups that go for big organisations and demand much higher ransoms. And these ransom amounts are getting higher. In fact they have almost doubled in the past 12 months, with the largest attack being on Acer by REvil group, which purportedly demanded a US$50 million ransom.

The dilemma

Pay the ransom

Cyber attacks should be considered a business risk. As such, some businesses may be prepared to pay the ransom as a business cost. Organisations which do not carry customer data, or can ascertain that no important data has been stolen, may determine it is cheaper to pay the ransom than restore their systems from backups.

Other organisations may make a decision – based on a risk assessment – to pay the ransom to resume normal business operations as soon as possible. For them, the risk of customer data or sensitive information being leaked online, or the time needed to restore systems from backups will have been determined to have a greater negative impact than simply paying the ransom.

And finally, some businesses may be forced to pay the ransom. In the case of Travelex in 2020, they tried for several weeks to restore their systems but failed to do so and eventually caved in to a $2.3m ransom to get their business operational again.

Do not pay the ransom

Simply, if you pay the ransom then you're sponsoring a criminal enterprise. Paying a ransom may mean your own business is released from its cyber shackles, but it also emboldens and further resources the criminals to carry out more attacks.

It also creates a vicious cycle, as criminals are now funded to develop and carry out more sophisticated attacks. Even if you improve your security settings following the attack, there will be a more sophisticated attack being developed which will make you vulnerable again in future.

The ransom paid to the cyber criminals may also be used for more insidious purposes including human trafficking, child exploitation and terrorism.

In paying a ransom, you are also putting trust in the criminal to unlock your system or destroy any sensitive data as promised. Whilst many cyber criminals will delete the stolen data and provide the decrypt keys to unlock your system, many don’t. There is every likelihood that they will sell your information on a secondary market to other criminals.

Beyond the moral dilemma

Some jurisdictions are now considering making it illegal to pay a ransom or requiring notification of a ransomware attack.

In the USA, pressure has been mounting on Congress to implement legislation which would see a ban on paying ransoms although it has failed to gain traction to date. It has also instituted a multi-agency government task force which coordinates on cybersecurity issues including prevention, reporting and acting to apprehend criminals and recover ransoms.

Some states such as New York, Pennsylvania and Texas have bills under review which would prohibit business entities and or/government agencies from paying a ransom in the event of a ransomware attack.

In Australia, The Ransomware Payments Bill 2021 is currently before parliament. It establishes a “mandatory requirement for Commonwealth, state or territory entities, corporations and partnerships to report to the Australian Cyber Security Centre ransomware payments paid in response to a ransomware attack”.

Australian organisations would be required to disclose key details of any attack which would be passed to law enforcement and security agencies to track down the cyber criminals. Over time, data on ransom attacks may help authorities develop guidance for organisations to help them improve their cybersecurity settings

There are no laws preventing the paying of a ransom in New Zealand, although it is likely the government will be keeping an eye on developments across the Tasman.

Organisations here which have suffered a privacy breach that “has caused or is likely to cause anyone serious harm” must notify the Privacy Commissioner and those affected.

We are running behind the pack

Consider the analogy of outrunning a lion. If a lion is chasing you and your friend, you don’t need to outrun the lion, you just need to run faster than your friend. Sadly, over the past 12 months, New Zealand organisations have been clearly been identified as some of the slowest in the group internationally and have become increasingly targeted by ransomware.

According to research undertaken by Aura Information Security, almost a third of New Zealand businesses are still failing to provide any regular reporting to those responsible for making key business decisions relating to cyber security. Boards need to ensure they are getting the right information and are across key decisions being made by their executive teams. This includes ensuring the organisation:

has a roadmap in place to improve your overall security posture
educates its staff on phishing links
is up to date and running the latest versions of software
has detection mechanisms in their network to alert staff if anyone gains access to data.

Our recommendation for boards is get your business to a point as soon as possible where it is too hard for attackers to infiltrate your systems. The more barriers you present, the more likely criminals will abandon an attack and go searching for another target. Don’t be the slowest in the group.

And if your organisation is breached by a ransomware attack, there’s no guarantee that paying a ransom will result in your access being returned – hence why it’s our advice at Aura not to give in to the demands of a ransomware attack.