Ransomware has undoubtedly been one of the top cybersecurity threats in recent years. Dealing with its aftermath is complicated and costly. A ransomware attack can have fatal consequences for an affected organization, ranging from loss of revenue and damage to its reputation to the closure of the business altogether.
While immediate payment of the ransom is an option for fast recovery of services, it certainly does not guarantee any safety. On the contrary, more than half of the organizations previously hit by ransomware fall victim to another attack soon after, often by the same perpetrators.
For many, the solution still seems clear and simple: pay the ransom as quickly as possible to minimize the impact of the attack. But is that all there is to it? Should we not put more thought and effort into the changing dynamics of ransomware and into our own decision making, so that we can demystify it and face it as we have faced other challenging cybersecurity threats before?
The ransomware debate is often reduced to the oversimplified moral dilemma of "to pay or not to pay". This evokes a false moral equivalence with a hostage situation, which blocks our thinking about what else can be done with a ransomware incident beyond the expected payment. One can even be accused of immoral behavior for thinking outside the box in situations where business is paralyzed, critical infrastructure is impacted, or human lives are endangered by ransomware.
We see this oversimplification regularly during the strategic decision-making exercises that we organize for management in both the private and public sectors. Private companies are usually willing to pay the ransom in order to restore their services and save their business and brand, without any deeper investigation or strategic communication. The public sector is more hesitant, but it is cut off from the valuable information that could eventually lead to an attacker's identity or to the final destination of the payment.
Nevertheless, two recent cases suggest a possible new and smarter path, one that treats ransomware as an intelligence opportunity rather than as a simple moral choice.
In October 2020, a hacker blackmailed more than 40,000 Finnish patients after gaining access to their medical records from therapy sessions. The data had been stolen from the Vastaamo psychotherapy centre, the largest network of private mental-health providers in Finland. This shocking and brutal attack immediately evoked a wave of solidarity from several cybersecurity companies, which joined forces with blockchain analytics providers to trace and identify the perpetrators. For example, the Finnish cryptocurrency exchange provider Bittiraha, which the attackers themselves had pointed victims to for making payments, was able to spot ransom payment attempts.
The provider blocked a large number of payments and refunded the victims. Beyond that, the platform was also able to collect the attacker's cryptocurrency wallet addresses for use in the further investigation. Similarly, Mikko Hyppönen, Chief Research Officer at the Finnish company F-Secure, openly invited victims who had paid the ransom to contact him and share the cryptocurrency wallet addresses they had paid to. This unusual out-of-the-box approach had a simple goal: to systematically trace the payments, recover the funds and contribute to the investigation.
In May 2021, Colonial Pipeline, an oil pipeline network that delivers gasoline and jet fuel to the US South-East, was hit by a ransomware attack that forced the company to shut down all of its pipeline operations for six days. It turned out to be the largest cyberattack against oil infrastructure in American history.
Colonial Pipeline paid the requested ransom of 75 bitcoins (about $4.4 million at the time) within hours of the attack in exchange for a decryption tool. Although the tool turned out to be so slow that the company restored from its own backups to get back online, the payment did not go to waste.
A month after the attack, the US Department of Justice announced that 63.7 bitcoins of the ransom payment had been recovered. Despite the attackers' attempts to launder the bitcoins, the FBI used a blockchain explorer to follow the ransom to a single wallet address. This is possible because every bitcoin transaction is recorded permanently on a public ledger: moving funds through a chain of addresses obscures who controls them, but it does not erase the trail. Although it remains unclear how the FBI obtained the private key of that particular wallet, its agents were able to use it to seize most of the bitcoins paid to the attackers.
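The tracing described in the two cases above can be sketched in code. The following Python example is added here for illustration; it is not part of the original article and does not describe the tools Bittiraha or the FBI actually used. It follows ransom payments forward through a constructed, hypothetical transaction graph: once victims hand over the transaction ids of their payments, every spend of a tainted output is tracked pro rata until the funds sit unspent in an address, and addresses whose coins are spent together in one transaction are grouped with the common-input-ownership heuristic. All transaction ids, addresses and amounts below are made up for the example.

```python
from collections import defaultdict

SAT = 100_000_000  # satoshis per BTC; integer arithmetic avoids float drift


class TxOut:
    def __init__(self, address, sats):
        self.address = address
        self.sats = sats


class Tx:
    def __init__(self, txid, inputs, outputs):
        self.txid = txid        # hypothetical identifier, not a real transaction hash
        self.inputs = inputs    # outpoints (txid, vout) this tx spends; [] for funding txs
        self.outputs = outputs  # list of TxOut


# Constructed ledger in block order (a spend always comes after the tx it spends from).
# Two victims pay two ransom addresses; the attacker peels, consolidates and mixes.
LEDGER = [
    Tx("fund_v1", [], [TxOut("victim1", 1 * SAT)]),
    Tx("fund_v2", [], [TxOut("victim2", SAT // 2)]),
    Tx("fund_x", [], [TxOut("stranger", SAT // 2)]),
    Tx("pay1", [("fund_v1", 0)], [TxOut("ransom_addr_A", 1 * SAT)]),
    Tx("pay2", [("fund_v2", 0)], [TxOut("ransom_addr_B", SAT // 2)]),
    # peel chain: most of the ransom moves on, a "change" output stays behind
    Tx("peel1", [("pay1", 0)], [TxOut("hop1", 70_000_000), TxOut("change1", 30_000_000)]),
    # both victims' payments are swept into one wallet
    Tx("consol", [("peel1", 0), ("pay2", 0)], [TxOut("cashout_wallet", 120_000_000)]),
    # the change is co-spent with an unrelated party's coins
    Tx("mix", [("peel1", 1), ("fund_x", 0)], [TxOut("mixed_out", 80_000_000)]),
]


def trace_taint(ledger, seed_txids):
    """Follow funds forward from the ransom-payment transactions.

    Outputs of a seed tx are fully tainted. For every later tx, the taint of
    its inputs is spread over its outputs in proportion to output value
    (the "haircut" rule). Returns {address: tainted_sats} for outputs that
    are still unspent, i.e. where the ransom money currently sits.
    """
    outs = {}      # outpoint -> TxOut
    spent = set()  # outpoints consumed by a later tx
    taint = {}     # outpoint -> satoshis attributable to the ransom payments
    for tx in ledger:
        spent.update(tx.inputs)
        if tx.txid in seed_txids:
            tainted_in, total_in = 1, 1  # victims told us: this whole tx is ransom
        else:
            total_in = sum(outs[op].sats for op in tx.inputs)
            tainted_in = sum(taint.get(op, 0) for op in tx.inputs)
        for vout, o in enumerate(tx.outputs):
            op = (tx.txid, vout)
            outs[op] = o
            if total_in:  # funding txs have no inputs and carry no taint
                taint[op] = o.sats * tainted_in // total_in
    result = defaultdict(int)
    for op, o in outs.items():
        if op not in spent and taint.get(op, 0) > 0:
            result[o.address] += taint[op]
    return dict(result)


def cluster_by_common_input(ledger):
    """Common-input-ownership heuristic: addresses whose coins are spent together
    in one transaction are presumed to belong to the same wallet. Returns the
    address groups of size > 1 (a small union-find over input addresses)."""
    parent = {}

    def find(a):
        parent.setdefault(a, a)
        while parent[a] != a:
            parent[a] = parent[parent[a]]
            a = parent[a]
        return a

    addr_of = {}
    for tx in ledger:
        for vout, o in enumerate(tx.outputs):
            addr_of[(tx.txid, vout)] = o.address
        addrs = [addr_of[op] for op in tx.inputs]
        for a in addrs[1:]:
            parent[find(a)] = find(addrs[0])
    groups = defaultdict(set)
    for a in parent:
        groups[find(a)].add(a)
    return [g for g in groups.values() if len(g) > 1]


if __name__ == "__main__":
    for addr, sats in trace_taint(LEDGER, {"pay1", "pay2"}).items():
        print(f"{addr}: {sats / SAT:.3f} BTC of ransom money still sitting here")
    for group in cluster_by_common_input(LEDGER):
        print("likely one wallet:", sorted(group))
```

Run against the constructed ledger, the trace ends at `cashout_wallet` (1.2 BTC, both ransoms consolidated) and `mixed_out` (0.3 BTC of the 0.8 BTC there), and the clustering groups `hop1` with `ransom_addr_B` because `consol` spent them together. The same heuristic also groups `change1` with `stranger`; if `mix` were a CoinJoin, that would be a false positive, which is why real analytics tools weigh many heuristics together with off-chain information such as exchange customer records rather than trusting any single rule.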
These two recent stories should be recognized as the first attempts to change the dynamics of our decision making on ransomware. They send a strong message that ransomware should no longer be treated purely as a moral dilemma, but rather as an intelligence opportunity.
Several years ago, attribution was an “unsolvable” cybersecurity issue. Today, governments and organizations are not afraid to point a finger at a potential suspect. We can only hope the same will become the case for ransomware in the foreseeable future.
To achieve that, there needs to be more robust cybersecurity training, with a particular focus on destigmatizing ransomware. Users must do more than just think twice before clicking on a link. They must know what to do once they have opened a malicious link and ransomware is running: report it immediately rather than hide it, and preserve the ransom note and any wallet addresses it contains, because that is exactly the information a later investigation needs. Second, the cybersecurity community should further develop decryption initiatives whose results can be shared for reverse engineering and analytical support.
These moves would force the ransomware threat into the risk matrix of each and every organization that cares about its security, business and reputation.
*This article was written in cooperation with the Prague European Summit, taking place in Prague on 12-14 July 2021.