What do brewery giants, infrastructure conglomerates, hospitals, and the city of Tulsa have in common? Each has recently been the victim of a ransomware attack. And they’re just a few of a spate of recent ransomware-based attacks around the world, including in Aotearoa.
This article touches on some of the issues raised by ransomware, tackles the question of whether ransom payments should be made (or indeed, should be criminalised), and suggests some practical and proactive steps that organisations can take to protect themselves from the risks of an attack.
What is ransomware?
At a high level, ransomware is a form of malicious computer code that bad actors deploy to prevent organisations from accessing their own systems and data, usually by encrypting them. The ‘ransom’ part comes from the inevitable demand for a financial ‘reward’ in exchange for the decryption key, usually paid in hard-to-trace cryptocurrencies.
Attackers gain access by targeting an organisation’s weak spots: for instance, by barraging employees with persuasive phishing emails or by exploiting known vulnerabilities in the third-party software the organisation is known to rely on. Tracking down the bad actors responsible for an attack is like finding a needle in a haystack and often involves a complicated web of different players: politically motivated state actors, ‘hacktivists’ and even service providers offering ‘ransomware-as-a-service’.
The latest ransomware saga, involving a major US infrastructure player – Colonial Pipeline – shows just how devastating and far-reaching the ripples (or floods) of a ransomware attack can be. On Friday 7 May, Colonial Pipeline announced the shutdown of its nearly 10,000 kilometres of pipeline, responsible for carrying almost half of the fuel supplies of the US East Coast. Fuel did begin to flow again, but not for almost a week, and the shutdown led to potential consequences of ‘pandemic proportion’, not least a jump in gas prices caused by customers panic buying at the pump.
This is not a problem limited to a US gas company: with many organisations in Aotearoa quickly shifting to a ‘remote-first’ modus operandi in response to the 2020 lockdown, we saw a sharp increase in cyber-attack related security breaches over the course of the last year – and the frequency and seriousness of attacks is ever-increasing. Changes to working conditions have driven far heavier use of work-from-home technologies, all of which present fresh opportunities that cyberattackers have fervently exploited.
To pay or not to pay?
The rise and rise of ransomware means drastically increased earning potential for cybercriminals: Chainalysis reported a 311% increase in the total amount paid by ransomware victims in 2020 when compared with 2019, representing approximately US$350 million worth of cryptocurrency. But even this figure is likely to be an underestimate, with many organisations keeping tight-lipped about their payment of ransom amounts. The hackers responsible for the Colonial Pipeline attack were reportedly paid almost US$5 million worth of cryptocurrency for their efforts.
In response to the increase in ransomware attacks, some experts have called for the criminalisation of ransom payments. In short: paying ransoms essentially funds increasingly sophisticated cybercrimes, intensifies and incentivises attacks, and ultimately contributes to greater harms, all without a guarantee that the data will actually be returned.
While frowned upon by CERT NZ, paying a ransom is not currently expressly prohibited in Aotearoa. However, other jurisdictions – such as the US – impose sanctions and/or require government approval for the payment of a ransom. It is possible that New Zealand could look to take a similar approach.
But a whack-a-mole policy approach to ransomware is not favoured by all: a blanket ban on ransomware payments arguably fails to address the nuances of a ransomware attack and the consequential harms that flow from it. This is especially the case for those who arguably suffer the most harm with the least involvement: individuals whose data is the subject of the attack. For those individuals, the macro-level goal of stamping out cyber-crime is lofty and irrelevant to the very real financial and reputational risks presented by a bad actor possessing their data. Put simply: if a customer’s bank account details are in the hands of a bad actor, the safe return of that information is usually the most important thing to that customer.
Enforcing a crime of paying ransoms would not be an easy feat and is likely to put tremendous pressure on the public purse. How do you prove a ransom payment has actually been made? And is there a risk that criminalisation would disincentivise organisations from reporting breaches and assisting law enforcement authorities?
Our view is that a complex issue begs creative solutions that aren’t offered by black-letter law. Proactive prevention of sophisticated cyber-crime means coordinating and implementing a global law enforcement effort. That effort must recognise the complicated geo-political context of attacks, rather than taking a ‘police car at the bottom of the cliff’ approach which sees victims take a double hit. Take DarkSide, for example – the group presumed responsible for the Colonial Pipeline attack. DarkSide is reportedly shutting down due to ‘pressure’ from the US, possibly from the US military’s Cyber Command, with DarkSide stating that it had lost control of its DoS and payment servers. While this is by no means the end of the story, it demonstrates that a co-ordinated approach to disruption can be effective.
What’s clear is that global policy will continue to evolve, no doubt on a ‘cat and mouse’ basis, with means of enforcement tested by governments at the same time as the tactics used by attackers adapt and evolve. But the good news is that, while global debates continue, there are steps your organisation can take both to limit its exposure to the risk of an attack and to be ready for the consequences you cannot prevent.
So, what can you do?
We set out our top tips below:
- Scrub up well: Establishing a culture of good IT ‘hygiene’ can significantly limit your exposure to risk. While an organisation’s approach to security needs to be bespoke, all organisations can start by implementing good processes. This might include ensuring crucial systems are kept up to date, undertaking regular penetration tests to expose any vulnerabilities early, and requiring employees to complete regular training.
- Build up your defence: In our increasingly remote-based economy, almost all organisations rely on third-party vendors to manage some of their data. But you shouldn’t be outsourcing your wits, which means doing your due diligence before engaging service providers, especially those you will rely on to keep your data safe. When it comes to understanding and highlighting the risks associated with your IT contractual arrangements, you need to make sure that you have a team of experts to assist. We can help.
- Keep your standards high: IT security is ongoing and dynamic: what constitutes best practice will evolve over the lifespan of your organisation’s IT practices. It is important to continue to monitor the efficacy of both your service providers and your own organisation. This means keeping on top of who is responsible for implementing routine patches, undertaking regular testing, and creating back-ups of data crucial to your business. And then make sure that person – whether inside your organisation or a service provider – meets that obligation.
- Plan for the worst: Sometimes things fall apart. While there’s no ‘one-size-fits-all’ approach to dealing with an attack, a cyber-security crisis response plan can be your best asset. If you do find yourself infected by ransomware, paying a ransom should be your last option, not your first and only one, and knowing who to call (and when) can help prevent that option from feeling like the only one. This means pulling together a team of people who know what they’re doing and can work together to help your organisation – we have experience working with IT professionals and public relations pundits to help our clients deal with sophisticated security crises.
- Practice. Now: Testing your response playbook now enables your organisation to expose and fix its weak spots before cybercriminals get the opportunity. We can help you develop scenarios to test how your team might respond to an attack that threatens your operations, your security, and your reputation.