During the first day of the WCI Cybersecurity Forum yesterday, there was extensive discussion on the issue of “ransomware” and the threat it poses to just about any business today that relies on computer data. Ransomware is software that is maliciously installed on a computer or network, and in most cases locks your critical data by encrypting it. The user or company is then notified that they must pay a large amount to get the “key” to unlock their data. If they fail to pay, usually with Bitcoin or other untraceable electronic currency, the data will be destroyed or remain permanently encrypted and unusable. The ransom demanded in these situations is quite large and can be in the millions of dollars.

In some cases, the data isn’t encrypted but rather is stolen, and the ransom amount demanded is paid to ensure the data is destroyed, and not released for further malevolent purposes. This was the case in a story on this site from F.J. Thomas, where cloud software company Blackbaud paid a presumably large ransom to have stolen data from a ransomware attack destroyed. The breach impacted over 25,000 nonprofit organizations, as well as information of at least 2 million individuals from 11 healthcare systems. The “data kidnappers” are said to have provided proof that the stolen data had been destroyed once the ransom was paid.

That of course brings up a point discussed in yesterday’s Cyber Security Forum. How can you be sure that the data was destroyed? How can you be confident that your large ransomware payment will produce the needed key to release the data you so desperately need?

Data can be a fluid and easily replicated thing. It can be copied an unlimited number of times. It can exist in a multitude of locations and formats. How can Blackbaud be convinced the data taken was destroyed and will not resurface elsewhere? How can a business whose data has been locked be reasonably certain that a code to release it will be forthcoming?

The short answer, of course, is they can’t, except for one possible reason. The answer thus far may be a variant of the ancient Roman proverb “honor among thieves.” While that philosophy dictated that criminals would not compromise the criminal activities of other criminals, in this case it can be assumed that it is to ensure that future ransomware attacks will be honored with the demanded payment. In other words, if these hackers start taking money without producing the promised results, the entire ransomware system breaks down. Those criminals would indeed be compromising the criminal activities of other criminals.

In a perverse sense, these thieves have to do the honest thing if the criminal enterprise is to be successful. 

The FBI and other law enforcement agencies advise that ransomware payments not be made, as it only continues the cycle of crime. That is understandable, but the temptation to save the data, and indeed the need to save one’s business, can be an overwhelming factor in these situations. As with all threats to your business, the best defense is a good offense. Use updated anti-virus and malware detection software. Employ effective password management protocols. And most importantly of all, train your staff to know the threats and vulnerabilities. While the image of hackers is often that of sinister people toiling at a computer trying to break into your systems, more often than not they have been provided the key to your network by an unwitting click of a link in an innocuous email, or by an employee tricked into providing it in a phony telephone call from “Bill down in the support center.”

That brings a variant of another old proverb, “To err is human, but to forgive expensive.” And the human factor looms large in these types of attacks.

If you lack a proactive game of protection, it could cost you dearly. And if you get in trouble, ironically, the “honor among thieves” may be your only saving grace.

 
