With few options, companies increasingly yield to ransomware demands

Attackers view stolen or encrypted data as a powerful weapon

Faced with few options, companies are increasingly giving in to cybercriminals who hold their data hostage and demand payment for its return, while law enforcement officials struggle to catch the nearly invisible perpetrators.

The risks to organizations have become so severe that many simply pay their attackers to make them go away -- a strategy that may only embolden the crooks.

It's a case of asymmetric electronic warfare. Ransomware, which encrypts files until a victim pays to have them unlocked, can be devastating to an organization. Barring an up-to-date backup, little can be done aside from paying the attackers to provide the decryption keys.
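The asymmetry cuts the other way on the defender's side: encryption that cannot be undone can still be seen happening. A ransomware run shows up in file-system telemetry as one process renaming many files to a new extension in seconds and dropping the same ransom-note file in every directory it touches. The detector below is an added example, not code from the article or from any vendor named in it; the audit-event line format, the constructed sample events, the note-name keywords and the thresholds (four extension-changing renames within 60 seconds, notes in two directories) are all assumptions chosen for illustration.

```python
import re
from collections import defaultdict

# Constructed sample of file-system audit events, not real telemetry. The line
# format is an assumption made for this example:
#   <epoch_seconds> <pid> <image> <ACTION> <path> [-> <new_path>]
SAMPLE_EVENTS = r"""
1000 3120 WINWORD.EXE WRITE C:\Users\ann\Documents\budget.xlsx
1001 3120 WINWORD.EXE WRITE C:\Users\ann\Documents\budget.xlsx
1020 7788 sv_host.exe RENAME C:\Users\ann\Documents\budget.xlsx -> C:\Users\ann\Documents\budget.xlsx.crypted
1020 7788 sv_host.exe RENAME C:\Users\ann\Documents\memo.docx -> C:\Users\ann\Documents\memo.docx.crypted
1021 7788 sv_host.exe CREATE C:\Users\ann\Documents\HOW_TO_DECRYPT_FILES.txt
1021 7788 sv_host.exe RENAME C:\Users\ann\Pictures\img1.jpg -> C:\Users\ann\Pictures\img1.jpg.crypted
1022 7788 sv_host.exe RENAME C:\Users\ann\Pictures\img2.jpg -> C:\Users\ann\Pictures\img2.jpg.crypted
1022 7788 sv_host.exe CREATE C:\Users\ann\Pictures\HOW_TO_DECRYPT_FILES.txt
1023 7788 sv_host.exe RENAME S:\Finance\ledger.xlsx -> S:\Finance\ledger.xlsx.crypted
1023 7788 sv_host.exe RENAME S:\Finance\payroll.xlsx -> S:\Finance\payroll.xlsx.crypted
1500 2201 backup.exe RENAME D:\Backups\2016-03-01.tmp -> D:\Backups\2016-03-01.bak
1600 2201 backup.exe RENAME D:\Backups\2016-03-02.tmp -> D:\Backups\2016-03-02.bak
"""

EVENT_RE = re.compile(r"^(\d+) (\d+) (\S+) (RENAME|CREATE|WRITE) (.+)$")
# Keywords seen in ransom-note file names; the list is an assumption, tune it locally.
NOTE_NAME_RE = re.compile(r"(decrypt|recover|restore|help|readme).*\.(txt|html|hta)$", re.I)


def parse_events(text):
    """Parse the assumed audit format into dicts; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = EVENT_RE.match(line.strip())
        if not m:
            continue
        ts, pid, image, action, rest = m.groups()
        old, new = (rest.split(" -> ", 1) if action == "RENAME" else (rest, None))
        events.append({"ts": int(ts), "pid": int(pid), "image": image,
                       "action": action, "path": old, "new": new})
    return events


def _basename(path):
    return path.rsplit("\\", 1)[-1]


def _dirname(path):
    return path.rsplit("\\", 1)[0]


def extension(path):
    name = _basename(path)
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""


def detect(events, window=60, min_renames=4, min_note_dirs=2):
    """Return one alert per process that looks like it is encrypting files."""
    by_proc = defaultdict(list)
    for e in events:
        by_proc[(e["pid"], e["image"])].append(e)

    alerts = []
    for (pid, image), evs in by_proc.items():
        evs.sort(key=lambda e: e["ts"])
        # Only renames that change the extension count; in-place saves do not.
        renames = [e for e in evs
                   if e["action"] == "RENAME" and extension(e["new"]) != extension(e["path"])]
        # Sliding window: most renames to a single new extension within `window` seconds.
        best_ext, best_count = None, 0
        for i, e in enumerate(renames):
            ext = extension(e["new"])
            count = sum(1 for f in renames[i:]
                        if f["ts"] - e["ts"] <= window and extension(f["new"]) == ext)
            if count > best_count:
                best_ext, best_count = ext, count
        # Distinct directories in which a ransom-note-like file was created.
        note_dirs = {_dirname(e["path"]) for e in evs
                     if e["action"] == "CREATE" and NOTE_NAME_RE.search(_basename(e["path"]))}

        reasons = []
        if best_count >= min_renames:
            reasons.append(f"{best_count} files renamed to .{best_ext} within {window}s")
        if len(note_dirs) >= min_note_dirs:
            reasons.append(f"ransom-note-like file dropped in {len(note_dirs)} directories")
        if reasons:
            alerts.append({"pid": pid, "image": image, "first_seen": evs[0]["ts"], "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for a in detect(parse_events(SAMPLE_EVENTS)):
        print(a)
```

On the constructed events this flags only `sv_host.exe`: the word processor saving its document and the backup job renaming `.tmp` to `.bak` files a hundred seconds apart stay under both thresholds. The point of pairing the two signals is that either alone is noisy (archivers and backup tools rename in bursts; help files get created legitimately), while both from one process inside a minute is the moment to kill the process and pull the network cable, which is worth far more than any decryptor.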

Less common but just as harmful are extortion schemes, where attackers claim to have stolen critical data and threaten to publicly release it unless their demands are met. Timeframes are tight: Hackers may give a company less than 48 hours to comply, setting off a race to confirm what data, if any, has been stolen.

The costs of ransomware and extortion are difficult to calculate. Last June, the FBI estimated that the CryptoWall ransomware family alone had cost US organisations $US18 million over the prior year. In October, an industry group put the total cost of CryptoWall - which was first detected in mid-2014 - far higher, at a staggering $US325 million.

Extortion costs are even harder to estimate, since companies are often unwilling to admit they fell victim. Computer security company, FireEye, says it knows of companies that paid more than $US1,000,000 to prevent sensitive data being released, though most incidents are resolved for less.

The volume of cases is overwhelming law enforcement, said Erin Nealy Cox, a former federal cybercrime prosecutor and head of the incident response unit at Stroz Friedberg, which conducts computer forensic investigations.

The FBI and the Secret Service "in many cases are fine with in essence acquiescing to payment of the ransom," Nealy Cox said, though she emphasized that this is not their official position.

Groups conducting the attacks are difficult to find. They're experienced at covering their tracks and demand payment in the cryptocurrency bitcoin, which makes payments hard to trace. Also, the hackers are often based in countries that don't cooperate closely with the U.S. on cybersecurity, making arrests unlikely.

Unlocking the encrypted files is often near impossible.

"It's a big challenge to decrypt victims," said Andrew Komarov, CIO of InfoArmor, which collects intelligence on cyberthreats.

InfoArmor has had some success in disrupting ransomware, by infiltrating the computer networks used to control it. In one example, Komarov said a vulnerability was found within the command-and-control network used to distribute ransomware called CryptoLocker.


The warning displayed by CryptoLocker, one of many ransomware programs.

The vulnerability allowed researchers to send a command that made it appear that thousands of victims had paid their ransom, causing their computers to be decrypted, according to InfoArmor's report.

But happy endings are uncommon. The most well-documented ransomware incidents have hit the medical industry. Hollywood Presbyterian Medical Center in Los Angeles paid 40 bitcoins -- about $US17,000 -- to decrypt its files.

Allen Stefanek, president and CEO of Hollywood Presbyterian, said the payment was "in the best interest of restoring normal operations."

Four weeks later, Methodist Hospital of Henderson, Kentucky, said a piece of ransomware known as Locky infected its systems, according to computer security writer Brian Krebs. The hospital did not pay a ransom but was able to restore its systems, according to a local news report.

Ransomware and extortion schemes offer advantages over other methods of cybercrime. Rather than stealing data and then having to find a buyer for it in risky transactions on underground forums, the attacker approaches the victim directly for payment.

"We're starting to see adversaries in many regions start thinking of data as a weapon," said Dmitri Alperovitch, CEO of Crowdstrike. "Certainly the North Koreans did that with Sony."

Sony Pictures, whose attackers released gigabytes of sensitive internal data and destroyed computers, was asked to not release a film that was seen as offensive to North Korean leader Kim Jong-un. The U.S. government quickly attributed the attack to North Korea.

Paying a ransom is a hand-wringing proposition, and not one without its opponents.

Last month, Roman Hussy, who runs a security blog, launched a Ransomware Tracker -- a tool that catalogs servers around the world that have been tied to ransomware campaigns. He started the tracker after seeing many people become victims.
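A tracker of this kind is only useful if its indicators are actually checked against traffic. The script below is an added example, not the tracker's own code or data: it loads a constructed indicator list (one domain or IP per line, `#` comments; the feed format and every entry are assumptions) and scans constructed proxy log lines (the log format is also an assumption) for connections to a listed host, matching subdomains of a listed domain but not look-alike names that merely end in the same string.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Constructed indicator feed in a plain one-per-line shape. Entries are invented
# for this example and are not taken from any real tracker.
SAMPLE_BLOCKLIST = """\
# ransomware C2 / payment hosts (constructed)
pay-decrypt-example.net
198.51.100.23
gateway-example.org
"""

# Constructed proxy log lines. Assumed format:
#   <epoch> <client_ip> <method> <url> <status>
SAMPLE_PROXY_LOG = """\
1458640001 10.0.4.17 GET http://www.example.com/index.html 200
1458640002 10.0.4.17 POST http://gate.pay-decrypt-example.net/ping.php 200
1458640003 10.0.4.22 GET http://198.51.100.23:8080/key 200
1458640004 10.0.4.9 GET https://docs.example.org/ 200
1458640005 10.0.4.17 GET http://notpay-decrypt-example.net/ 404
1458640006 10.0.4.31 GET http://GATEWAY-EXAMPLE.ORG/ 200
"""

LOG_RE = re.compile(r"^(\d+) (\S+) (\S+) (\S+) (\d{3})$")


def load_blocklist(text):
    """Split a feed into a set of lower-cased domains and a set of IP addresses."""
    domains, ips = set(), set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip().lower()
        if not line:
            continue
        try:
            ips.add(ipaddress.ip_address(line))
        except ValueError:
            domains.add(line.rstrip("."))
    return domains, ips


def match_host(host, domains, ips):
    """Return the indicator that covers `host`, or None.

    A domain indicator matches itself and any subdomain (label-wise suffix),
    so 'gate.pay-decrypt-example.net' matches but 'notpay-decrypt-example.net' does not.
    """
    host = host.lower().rstrip(".")
    try:
        return str(ipaddress.ip_address(host)) if ipaddress.ip_address(host) in ips else None
    except ValueError:
        pass
    labels = host.split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in domains:
            return candidate
    return None


def scan_log(text, domains, ips):
    """Return a hit for every log line whose destination host is on the list."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        ts, client, method, url, status = m.groups()
        host = urlsplit(url).hostname  # strips scheme, port, path; lower-cases
        if not host:
            continue
        indicator = match_host(host, domains, ips)
        if indicator:
            hits.append({"ts": int(ts), "client": client, "host": host,
                         "indicator": indicator, "status": int(status)})
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_PROXY_LOG, *load_blocklist(SAMPLE_BLOCKLIST)):
        print(hit)
```

Two things to carry over into a real deployment: match on the host the client actually resolved or connected to, not on a substring of the URL, and treat a hit as an investigation trigger on the client, since by the time a payment-site lookup appears in the proxy log the encryption on that machine has usually already finished.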

"The golden rule is performing backups frequently and never pay any ransoms," Hussy wrote. "Paying ransoms will fund the miscreants' cybercrime operation and the infrastructure that they are using to commit further fraud, as well as motivate the attackers to keep carrying out their attacks."

Hussy's resistance strategy might work eventually, but it would require many organizations to fall on their swords.

Kevin Mandia, chief operating officer of FireEye and founder of Mandiant, said the result of not paying could mean great risk and embarrassment -- if, for example, a company's general counsel's email is leaked.

"What would you do?" Mandia said in a recent interview. "The alternatives are pretty bad."

The uptick in ransomware and extortion attempts is likely an outgrowth of better payment card security in the U.S. Stolen card details are getting harder to monetize, so attackers have found an easier route to generate cash.

FireEye has seen some of the same hacking tools and infrastructure used for state-sponsored cyberespionage now being used for extortion, suggesting experienced hackers see a gravy train.

"Finally, Russian organized crime and groups out of China realized, well, we still have the hacking skills, we're getting card data we can't monetize as easily anymore, so just extort," Mandia said.

On March 22, the Department of Justice unsealed charges against three members of the Syrian Electronic Army, a group that waged a multi-year hacking campaign in support of President Bashar al-Assad.

Two of the men are also accused of extorting 14 U.S. and international victims after hacking their systems and threatening to cause damage or sell stolen data. The victims included a Chinese online gaming company, a U.K. web hosting provider and an online media company.

All told, the men allegedly demanded more than $500,000, although they frequently lowered their demands after negotiation, according to the criminal complaint.

"Some of this is like hostage negotiations," Crowdstrike's Alperovitch said. "You can start the dialog with a criminal and see if you can stall them and get yourself more time."

But "nothing is foolproof when you're dealing with thieves," he said.

Stories by Jeremy Kirk