There’s No Peace of Mind in Paying a Ransom

Ransomware can be disastrous for any business that gets hit by it, but not always in the way that you might expect. It might threaten business continuity and compromise data security, but it can also directly impact the way that the public views your company. In fact, the decision you make about whether or not to pay the ransom can be a major deciding factor in whether a customer will stick with you.

Hacks, ransomware and data privacy dominated cybersecurity in 2021

Throughout 2021, cyberattacks and ransomware dominated the headlines. They caused massive disruptions to government institutions, large enterprises, and even the supply chains for critical products like fuel and meat. The year began on a poor note for security: in January, the FBI, the National Security Agency, and the Cybersecurity and Infrastructure Security Agency all indicated that Russia was likely behind the compromise of SolarWinds, a Texas-based firm whose software was used by everyone from the federal government to railways, hospitals, and large tech firms.

Being Infected with Ransomware Is Just the First In a Series of Problems

The ransomware attack delivered through Kaseya's VSA servers, which hit approximately 1,500 organizations, was yet another major challenge for businesses to overcome. While most of the affected companies did not give in to the attackers' demands, others felt forced to pay the ransom. The problem is that some of those who did pay are now having trouble decrypting their data, and with REvil missing in action, there is nobody on the other end to support the decryptor they paid for.

“Paying the Ransom” Isn’t a Ransomware Defense

What Happened with SamSam

You may recall the SamSam outbreak, which stretched from 2015 to 2018 and racked up $30 million in damages across more than 200 victim organizations. This large total was partly due to the fact that SamSam knocked out a few sizable public bodies, including the cities of Atlanta and Newark, the Port of San Diego, and the Colorado Department of Transportation, as well as medical records systems across the nation. The ransom demand sent to Newark gave a one-week deadline to pay in Bitcoin before the attackers would render the files effectively useless. In November 2018, then Deputy Attorney General Rod Rosenstein announced that two Iranian men had been indicted on fraud charges by the United States Department of Justice for allegedly developing the SamSam strain and carrying out these attacks with it. As Rosenstein pointed out, many of SamSam's targets were the kind of public agencies whose primary goal is to save lives, meaning the attackers knew that their actions could do considerable harm to innocent victims. Unfortunately, those responsible have never been apprehended.

How Some Cybersecurity Firms Just Pay the Ransoms

According to a former employee, Jonathan Storfer, the firm Proven Data Recovery (headquartered in Elmsford, New York) regularly made ransomware payments to the SamSam attackers for over a year. ProPublica managed to trace four payments made in 2017 and 2018 from an online wallet controlled by Proven Data, through up to 12 intermediate Bitcoin addresses, to a wallet controlled by the Iranians. This wasn't a huge revelation to Storfer, who worked for the firm from March 2017 until September 2018:

“I would not be surprised if a significant amount of ransomware both funded terrorism and also organized crime… So, the question is, every time that we get hit by SamSam, and every time we facilitate a payment – and here’s where it gets really dicey – does that mean we are technically funding terrorism?”

According to Proven Data, they assist ransomware victims by using the latest technology to unlock their files. According to Storfer and the FBI, however, Proven Data instead pays the ransoms to obtain the decryption tools their clients need. Storfer states that the firm was able to build a business-like relationship with the attackers, negotiating extensions on payment deadlines, and that the attackers would even direct their victims to Proven Data. Another firm, Florida-based MonsterCloud, follows a few similar "strategies," according to ProPublica. In addition to paying the ransoms (sometimes without informing the victims), these companies then add an upcharge on top of the ransom payment.

It is also important to consider where the money used to pay these ransoms actually comes from. In the case of SamSam, many of the victims received some kind of government funding, which means that, if the ransoms were paid, taxpayer money likely wound up in the hands of cybercriminals in countries hostile to the United States.

Differing Accounts from Proven Data Recovery

Proven Data provides the following disclaimer on their website:

“[PROVEN DATA] DOES NOT CONDONE OR SUPPORT PAYING THE PERPETRATOR’S DEMANDS AS THEY MAY BE USED TO SUPPORT OTHER NEFARIOUS CRIMINAL ACTIVITY, AND THERE IS NEVER ANY GUARANTEE TO OBTAIN THE KEYS, OR IF OBTAINED, THEY MAY NOT WORK. UNFORTUNATELY, SOME CASES MAY REQUIRE THE PAYMENT OF THE DEMAND IN HOPES […]

Even Cities Aren’t Immune to Ransomware

These numbers, by the way, come from a cybersecurity firm, as neither the federal government nor the Federal Bureau of Investigation tracks these kinds of attacks. As of May 10 of this year, there were 22 known attacks on the public sector. Unfortunately, there are likely more that we just don't know about yet, as reports of these attacks usually trickle in months or even years after the fact.

March Attacks

March saw a few ransomware attacks on municipalities. The sheriff's office in Fisher County, Texas, was infected and, as a result, could not connect to a state law enforcement database. In Albany, New York, the capital city quietly announced that it had been hit by a ransomware attack on a Saturday, a tactical choice on the part of the attackers, since nobody would be there to respond over the weekend. While the city initially gave an understated account of the attack's effect, the real problems were much larger than a few belated marriage licenses and birth certificates. In addition to the clerical delays, the ransomware had also impacted the Albany Police Department's systems. As those systems are effectively entirely digitized, the department was left without its incident reports, crime reports, and even its schedules.

April Attacks

April saw the entirety of Genesee County, Michigan's tax department shut down by ransomware for most of the month. The infection has since been removed.

May Attacks

May has been marked by the complete shutdown of Baltimore, Maryland's city systems in an attack using a ransomware strain known as RobinHood. As a result, government emails cannot be sent, payments to city departments are on hold, and real estate transactions have been paused. RobinHood uses strong encryption (according to cybersecurity expert Avi Rubin, even the National Security Agency may not be able to break it), and it did not help that Baltimore was also running outdated hardware and software.

Baltimore City Mayor Jack Young has already gone on record to state that the city will not be paying the ransom of 13 Bitcoins, or approximately $100,000. Instead, the FBI and Secret Service have been called in, along with assorted cybersecurity experts. Despite these resources, the city isn't expected to fully recover for months. Rubin explained why not paying the ransom is the right call for Baltimore: if nobody paid the demanded ransoms, these kinds of attacks would quickly go out of fashion. However, many companies struck by ransomware quietly pay up. Analysis has found that a full 45 percent of affected organizations ultimately pay the ransom to try to get their data back, while 17 percent of state and local governments will fork over the demanded cash.

At SRS Networks, we have some experience in dealing with these kinds of incidents, which means we can confidently agree with the actions of Mayor Young and the statements made by Rubin: paid ransoms only encourage future ransomware attacks. What's worse, what guarantee is there that any data will be restored even after payment is made? None at all. That's why we've dedicated ourselves to helping businesses protect themselves against ransomware. Give us a call at (831) 758-3636 to find out more.