The U.S. government’s struggle to stifle ransom payments collected by hackers hit a major setback on Thursday, following news that Colonial Pipeline Co. had paid a large sum to hackers who, for several days this week, effectively shut down the country’s largest fuel pipeline and created gas shortages on the East Coast.
The move went against warnings from the FBI and the Treasury Department that such payments will only spread pain down the line by encouraging more hacking, raising questions about the ethics of paying ransoms.
Cybersecurity experts, lawyers and insurers say these calls run up against the harsh logic many victims of ransomware face. Often the fastest way to restore their crippled computer systems is to pay, and victims usually have insurance to cover the cost. And, for those who resist, hackers have found new ways to increase the pain.
“It’s just a cold calculation by the insured and the carrier,” said Robert Cattanach, who works on cybersecurity litigation at the Dorsey & Whitney law firm. “As unfortunate as this dynamic is, at the end of the day the insurance company is going to do what will mitigate its exposure.”
“If they ran the math and said they were losing $3 million a day, and we can get rid of that for five, where do I sign?” Cattanach said, referring to the $5 million in cryptocurrency that Colonial paid to the hackers.
But others feared that Colonial’s payment would embolden other criminals. “It is a terrible and disappointing precedent to set,” said an oil trader who was not authorized to discuss the matter publicly and therefore requested anonymity. “But Colonial is a leading company. And it’s faster and cheaper to pay and then buy better firewalls.”
Ransomware is a type of malware that encrypts a victim’s computers, rendering them useless. The hacking group then demands payment in exchange for a decryption key.
Adrian Nish, head of cyber at BAE Systems Applied Intelligence, said his company is currently tracking around 20 large ransomware groups, most of them based in Russia or Eastern Europe, and many of them have the ability to hit dozens of victims per month.
It is difficult to find definitive data on ransomware victims, as most prefer to remain silent. The ransoms demanded by hacker groups vary widely and can reach tens of millions of dollars. However, the initial demand is often reduced during negotiations, according to cybersecurity experts. The initial ransom demand of Colonial’s hackers, believed to be a group called DarkSide, is not known.
A 2020 survey of senior IT and security decision makers by cybersecurity firm CrowdStrike Holdings Inc. found that 27% of those surveyed had paid the ransom and that the average payout was $1.1 million. In March, cybersecurity company Kaspersky said 56% of victims paid the hackers.
A ransomware task force, in a report prepared by the Institute for Security and Technology, said ransomware victims paid $350 million in 2020, an increase of 311% from the previous year, and put the average payout in 2020 at $312,493.
While the Colonial attack was particularly severe because of its impact on U.S. energy supplies, there have been other major ransomware attacks in recent weeks. The victims include the Washington, D.C., Metropolitan Police Department and Scripps Health, a major San Diego-area hospital system. In the case of the D.C. police, hackers eventually released what they said were personal files on nearly two dozen people after the department failed to respond to the ransom demand.
The logic against paying a ransom is simple: it makes the crime less profitable and discourages would-be hackers from joining in. There is also no guarantee that a victim’s files will be returned, according to the FBI. However, after the announcement of Colonial’s ransom payment, White House spokeswoman Jen Psaki noted the FBI’s position and added, “What I’m here to do is just convey the policies of the United States government, and it doesn’t strike me as particularly constructive to call out businesses that way at this point.”
Tyler Hudak, head of incident response at cybersecurity firm TrustedSec, said the calculation a business makes to decide whether or not to pay comes down to a few variables. The most important of these is whether the company has backups of the hacked data, which would be necessary to restart its systems without the help of hackers.
But even that may not save a victim. Many ransomware groups have begun stealing sensitive data before locking down a company’s computers, giving them a second source of leverage. “Like many groups, DarkSide uses a double extortion scheme, which means they also steal data and threaten to disclose it. Even if you don’t need to pay because your data is backed up, you might decide to pay to stop the leak,” said Hudak.
Even if they pay, businesses can still struggle to restore their computers.
In Colonial’s case, the decryption tool provided by the hackers to help restore its systems was so slow that the company had to restore the machines anyway using existing backups, according to someone familiar with the investigation.
“Overall, decryption programs are not as well written as encryption programs, which saves the hackers money,” Hudak said. In a recent case involving DarkSide, Hudak said it took his team 12 hours to restore a single server using the hackers’ tool.
In almost all cases, victims must also decide whether paying the attacker is legal. In October 2020, the U.S. Treasury Department created legal roadblocks for ransomware victims considering paying attackers who are on the U.S. sanctions list.
But the challenge is that it’s not always clear who the hackers are, where they are, or whether the cryptocurrency addresses they designate for payment are covered by sanctions.
“It’s all about risk versus reward,” said Alex Holden, founder and chief information security officer at Hold Security. “Can you make sure you are not breaking the law by paying, and what are the repercussions if you break the law? Is it worth it?”
–With help from Sheela Tobben, Jennifer Jacobs, David Wethe and Jordan Robertson.
Copyright 2021 Bloomberg.