To pay or not to pay, that is the question.
The HSE is adamant: it will not give in to ransomware cybercriminals by handing over hundreds of thousands, or millions, in Bitcoins.
“It’s government policy that we don’t pay ransoms,” the HSE’s chief information officer, Fran Thompson, told this reporter yesterday.
“And we have no intention of doing so here. It would open up a Pandora’s Box.”
In general, Mr Thompson’s approach is backed up by IT security experts.
Because paying ransoms just creates more ransomware.
“I applaud the HSE for that stance,” says Brian Honan, of BH Consulting.
“Paying the ransom is funding crime. You’re motivating criminals.”
The other reason cited for holding out is that there isn’t any guarantee you’ll actually get your data back. At least, not in a timely way.
Last week, the US energy company Colonial Pipeline paid ransomware attackers $5m (€4.1m) to unlock its hijacked IT system, which caused regional gasoline shortages and higher fuel prices in parts of the US. But it only partially worked; according to Bloomberg, the decryption ‘key’ was so slow that the company had to revert to a more manual process of rebooting from its own backups.
On other occasions, the hackers just walk away without helping when they’ve received their crypto-currency ransom.
Research from Cyber Edge, an IT security firm, claims that while 57pc of ransomware victims paid ransoms last year, half of them failed to recover their data.
If this happens, what are you going to do – report them to the Ransomware Regulator?
Ransomware attacks are now a regular occurrence for Irish organisations. Last month, both the National College of Ireland and Technological University Dublin’s Tallaght campus were hit by ransomware attacks.
That comes amid a 60pc rise in ransomware attacks last year, according to cybersecurity firm SonicWall. The jump came as the pandemic caused millions of people to access company systems from their home computers.
“It’s absolutely rampant,” says Mr Honan. “We’ve dealt with quite a few victims here in Ireland. They’ve been small and large companies. Often, the larger international ones don’t go public about it.”
Other security experts say that ransomware is now one of the big two IT security threats in Ireland (the other being business email compromise).
One can see the attraction for cybercriminals. The average payout last year varied between €130,000 and €300,000 according to various security industry firms’ research.
And unlike phishing or other types of hacking, the bad guys have around a one-in-four chance of getting a result, with 25pc of victims typically paying up.
It’s a bonanza: the cyber security group Emsisoft estimates that some €15bn in ransoms were paid last year, mostly to a handful of criminal gangs.
The HSE ransomware attack, for instance, is being attributed to the Conti gang, which is widely believed to have been responsible for over 100 attacks on different organisations in the last year. It has a speciality in attacking organisations such as hospitals, having been blamed for ransomware infections in hospitals in Texas and Florida earlier this year.
“It’s a criminal group thought to be based in Russia who run a sophisticated ransomware operation,” says Jamie Smith, head of cyber security at S-RM, a risk and intelligence consultancy.
The geographical disparity between the attackers and the victims, together with the difficulties in tracing Bitcoin ransoms, means that catching the cyber-criminals hasn’t been especially easy.
There is another train of thought within the IT system administrator industry that is less judgmental about paying ransoms.
Cyber-insurance companies are a good example. They often choose to pay a ransom rather than the restoration cost brought about by destruction of an organisation’s data.
While this is a controversial position, it’s not illogical for an organisation whose sole motivation is to keep its payouts as low as possible.
There is some movement on this, though. Last week, one of Europe’s five biggest insurers, Axa, said that it would stop paying out on ransoms in France. The French market is the largest, after the US, to be hit by ransomware. Some estimates put French losses at over €4bn in 2020. It’s a big enough deal that the French government has asked insurance companies to stop paying out on ransomware losses.
Would the withdrawal of a cyber-insurance safety blanket have any impact here?
Other than not paying up, most experts advise people to do two simple things: regularly back up all important files and data and try to be aware of suspicious-looking emails and web activity.