Corero

Growing Calls to Resist Ransom Demands

Does crime pay? In the case of ransomware, sometimes it does. However, law enforcement agencies have long discouraged victims from caving in to ransomware demands, and recently Christopher Wray, the Director of the United States FBI, strongly advised ransomware victims to never pay a ransom fee under any circumstance. Why is this, you may ask? There is never any guarantee that the victim will get any or all of their data back, untainted. Furthermore, ransom payments simply encourage threat actors to commit more of the same crimes, possibly against the same victims, with the expectation that they will receive even more money. The FBI and related agencies prefer to have organizations call them to help find the perpetrators, because sometimes they can catch the criminals, and sometimes they already have the decryption key as a result of previous investigative work.

Recently, businesses and government agencies have been presented with a new reason to not pay a ransom fee; five state legislatures (New York, North Carolina, Pennsylvania and Texas) may soon “place limits on certain entities’ ability to pay a ransom payment in the event of a ransomware attack,” according to Alston & Bird, a law firm that specializes in privacy, cyber security, and data. These restrictions would generally apply to state agencies and other local governmental authorities, but “certain state proposals may also apply to state agencies’ IT service providers, entities that receive public funds, and/or business entities more broadly.” The legislation aims to force organizations to report their cyberattacks, so the shared information can be used to help law enforcement agencies find the criminals.

However well-intended the legislation is, some stakeholders are concerned that it could backfire and hurt agencies or businesses, by penalizing them and putting them in a very difficult position at a time when they are already facing a crisis. We at Corero agree that organizations should not pay ransom fees. At the same time, we fully recognize that many organizations don’t feel they have a choice if they are under attack. Some organizations have essential data and will consider all options to get it back, untainted. For example, a police department is essential to public safety (threat actors are all too aware of that!). Just three months ago, CNN reported a ransomware attack on the Washington, DC Metropolitan Police Department, noting that the “breach is the third ransomware incident to hit an American police force in the past six weeks. Since January, twenty-six government agencies based within the United States have been hit by ransomware.”

State and local government agencies usually have lean budgets, so they cannot afford to pay ransom fees. Ultimately, the money would come out of taxpayers’ pockets, so perhaps some of the intent of the legislation is to avoid impacts on municipal budgets. From a fiscal perspective, the proposed legislation could make sense, because it forces agencies to find ways to improve their cyber defenses and cyber hygiene; as the saying goes, an ounce of prevention is worth a pound of cure. Unfortunately, the legislative bills don’t mandate any extra funds to bolster cyber defenses in those government agencies.

Perhaps one helpful approach would be to assist government agencies (and the businesses affiliated with them) with preventing ransom attacks, either through additional cybersecurity funding or education. To be sure, there are already educational programs in place, such as NIST (National Institute for Standards and Technology) and CISA (National Cyber Security and Infrastructure Security Agency). And, on July 15, the Biden administration in the US launched a ransomware task force, and is planning to launch “stopransomware.gov, a website of preventative resources geared at assisting businesses and state and local governments with cybersecurity-related issues.”

This is a complex problem to solve, and much remains to be seen, but one thing is certain: cyber security professionals must be aware that cyber extortionists are increasingly combining ransomware attacks with Distributed Denial of Service (DDoS) attacks. It is a doubly dangerous threat. Cybercriminals can quietly “knock on the door” with a sub-saturating DDoS attack that distracts IT security staff, or knocks a web application offline, so the hackers can infect the network with ransomware or steal data. This recently happened to Ireland’s Health Service Executive agency’s IT system.

Alternatively, cybercriminals will launch a ransomware attack, then blatantly threaten to launch a DDoS attack against an organization unless the ransom fee is paid, in which case the organization could lose its data AND all or part of its network could be shut down; how could any organization function effectively under those crippling circumstances? Organizations must be proactive in defending against cyberattacks like DDoS and ransomware. A key step towards preventing these types of attacks is deploying always-on, real-time DDoS mitigation. This enables ransom DDoS demands to be safely ignored in the knowledge that DDoS attacks of all types, sizes and durations will be detected and automatically blocked.

For over a decade, Corero has been providing state-of-the-art, highly-effective, real-time automatic DDoS protection solutions for enterprise, hosting and service provider customers around the world. Our SmartWall® DDoS mitigation solutions protect on-premise, cloud, virtual and hybrid environments.