Firms small, medium and large are becoming increasingly aware of the growing threat that ransomware presents. So far-reaching is the fear factor and its associated implications that several have begun stockpiling Bitcoin as a way of countering a potential attack. But is this response wise, and does it provide a cast-iron guarantee that the targeted institution will regain control of its data?
Views vary on this topic, but the general consensus within the security arena is that institutions should not encourage payment to cyber criminals, and should instead channel their efforts and budget into ensuring that data can be recovered quickly and effectively. If a firm pays a ransom demand, the implications of that action ripple outwards. If firms begin stockpiling, bearing in mind that the typical minimum ransom is 2 BTC (for a “domestic” attack), and often much higher depending on the institution involved, wouldn’t their money be better spent on business continuity processes and incident response? Let’s also not forget that buying Bitcoin through an exchange and waiting for the funds to clear and the transaction to confirm can take up to a week, well beyond the 48-hour window that most ransomware attacks allow before the attackers withdraw their offer of a decryption key.
A Bitcoin and ransomware case study
As a paradigm, we can use the report on the Hollywood Presbyterian Medical Center as a “case study”. Back in 2016, hospital management relented: they took the decision to comply with the demand and paid an astonishing USD 17,000 to restore access to their data. Rumour has it that the original demand was closer to USD 3.4m, although there isn’t any real evidence to support this, and the hospital has vehemently denied the claim. Nonetheless, this is a significant sum to part with in order to restore access to your own data. Not only does this hand the cyber criminal a significant new revenue stream, it also generates negative PR and damages patient trust once details of the incident and the response reach the public domain. Let’s look at how this response could trigger another wave of attacks.
Cyber criminals are indiscriminate when it comes to selecting a target. From small businesses to large financial institutions, the method of approach tends to be the same: find a way of getting the ransomware onto a machine, then execute it. Convincing a user to click a link, or to visit a malicious website where the necessary components are delivered via a drive-by download (often a fake application masquerading as the real thing), is much easier than it used to be, because newer scams look legitimate on the surface while the payload sits under the hood. So why target banks or other financial institutions? Let’s look at a basic formula a cyber criminal could use to visualise both the required components and the desired outcome. It’s a worryingly simple concept.
Bank + Ransomware * Extortion = Easy Money. And if you think about it, there’s a logical path. Bream is a fish. Fish sounds like phish, and that’s where we are going with this article.
The types of ransomware deployed in today’s threat landscape are no longer single, self-contained packages; they are often hybrids. With recent rumours that ransomware and malware authors are joining forces to create “super malware”, taking the most effective and successful components from a collection of packages to form one new payload, a new era of financial attack and extortion begins.
Should firms stockpile bitcoins ?
With this in mind, was the decision of the Hollywood Presbyterian Medical Center to pay the ransom the right one? Perhaps, but it would not have had my backing. My attention would immediately be focused on how to restore access to critical data and business systems. Looked at this way, why should anyone pay a premium to reinstate access to data of which they are already the owner, or, in the case of patient records and confidential information, the custodian? The main argument here is contingency. That is what really matters when (not if) an institution is hit by ransomware. If you are prepared to pay for the first attack, then you should expect a second, third or many more incidents on the strength of that response. It’s not unusual for victims who pay the demand to find themselves on a “suckers list”. This constantly updated database is then sold on to other cyber criminals, and given that you’ve already paid once, there is a very high probability that you will be targeted a second time, and by definition pressured to pay again.
Let’s also not forget that paying the ransom does not guarantee that you will be joyfully reunited with your data. There have been numerous cases where the fee was promptly paid but the decryption keys issued simply did not work, and the criminals rode off into the sunset without a trace, never to be seen again. It’s not as if you can call, complain and get a refund if the key provided to unlock your systems doesn’t work. Cyber criminals care only about financial gain and profit, not customer service.
If you needed any further proof of just how lucrative this growing trend is, look at the current market values for one Bitcoin against the US Dollar and the British Pound.
Given these exchange rates, it’s not difficult to see the appeal. Let’s also remember that Bitcoin is pseudonymous rather than anonymous: every transaction is recorded on a public ledger, but the addresses involved are not tied to a real-world identity, so following the money to a person takes real effort and is often not attempted at all.
London’s banks have defended their decision to stockpile Bitcoin as a “just in case” mechanism. Clearly, they are not the only ones doing so. Many other firms have adopted the same policy and hold a significant sum of the cyber criminal’s preferred currency “just in case” they get hit. This really isn’t contingency; it’s a loud and clear message (and completely the wrong one, in my view) to any attacker looking for a guaranteed profit that this target will pay up. It paints a picture of a very worrying and somewhat dangerous attitude that will only attract a plethora of sustained attacks, like a shoal of piranhas feasting on a whale carcass.
Prevention is better than the cure
Admittedly, you can’t realistically prevent every ransomware attack, especially if you take into account my earlier comment about the new era of super malware. For as long as you have users (and let’s face it, firms have more than their fair share of those), you will have a significant vulnerability that relies on human trust and nature. Rather than waste USD 17,000 on meeting the demand of cyber criminals, that money could and should have been invested in a gap analysis to determine a suitable user training and awareness programme. I discuss how this could work in further detail here, and would like to hear comments about how you think it should work in today’s world.
Would you pay a cyber criminal to get your data back, or stockpile Bitcoin “just in case”? Of course you wouldn’t. You’d invest in the necessary training, policies and technology… or would you?