It's OK To Pay Ransom For Data But Not For People?
The rise of ransomware is forcing us to reevaluate our approach to negotiating with criminals.
Last week, the city of Plainfield, New Jersey became the latest victim in a scheme where hackers demand payment in exchange for the release of encrypted computer files. Dubbed ransomware, this type of attack relies on unwitting computer users who download malware which then encrypts data files and holds them for ransom. In this case, the hackers wanted 500 euros for releasing the files back to the city.
“We were attacked by a ransomware virus and we responded as quickly as we were able to. We immediately informed the (Union County) Prosecutor’s Office, State Police and the Secret Service, and all of these agencies have been involved since we got this message,” city Mayor Adrian Mapp said. “The TeslaCrypt 3.0 virus was inadvertently introduced into the system by a city employee and quickly managed to infiltrate some of the city’s shared servers.”
Ransomware is on the rise. According to the Washington Post, for nine months in 2014, the FBI received 1,838 complaints about ransomware that cost victims an estimated $23.7 million. In 2015, the FBI received 2,453 complaints, costing more than $24 million. “Ransomware has been around for a long time, but we’ve never seen a concerted manual effort by hackers to break into a network, hang out for a year, spread to all the machines and then install it everywhere,” said Val Smith, chief executive of Attack Research in an interview with the Post. “This is a major shift in effort.”
These types of schemes, like most phishing attacks, work by convincing users on the target network to download a file which then encrypts the victim’s files or otherwise locks them out. Most times this happens when a user clicks a link in an email or opens an attachment. Then the malware runs rampant. Surprisingly, the ransom usually demanded by hackers is low and more victims appear willing to pay up.
Early in February, Hollywood Presbyterian Medical Center was infected with ransomware that shut down their communications. To regain control, the hospital made the decision to pay the hacker. “The malware locks systems by encrypting files and demanding ransom to obtain the decryption key. The quickest and most efficient way to restore our systems and administrative functions was to pay the ransom and obtain the decryption key,” the hospital’s chief executive said. “In the best interest of restoring normal operations, we did this.”
The 434-bed hospital paid 40 bitcoins (about $17,000 at the time) to restore normal communications.
Some have argued that 2016 is the year of ransomware and that in some cases, it’s best to pay up. In fact, the FBI, while not recommending that victims pay ransom, do suggest it as an option when ransomware has infected a company network. In a statement provided to the blog naked security, the FBI says that “the FBI doesn't make recommendations to companies; instead, the Bureau explains what the options are for businesses that are affected and how it's up to individual companies to decide for themselves the best way to proceed. That is, either revert to back up systems, contact a security professional, or pay.”
My question is why pay ransom at all? For example, if a terrorist kidnaps someone, it’s common knowledge that we wouldn’t negotiate for their return. But, when it comes to data, it’s ok? I’m not sure I buy that. It seems evident to me that paying ransom—whether it’s for the safe return of data or a person—is non-negotiable. It shouldn’t happen.