Corporations Appear to Be Giving Hacker Gangs Exactly What They Want
Experiencing a ransomware attack can be traumatic. Imagine you begin a normal workday, and your company’s entire network is shut down within the next hour. Your business comes to a screeching halt as you start hemorrhaging money with every passing second. Suddenly, a message materializes on your computer screen. It’s a hacker telling you your system will be useless unless you fork over a nauseating amount of money.
Paying off the cybercriminals and returning to normal life can be tempting. But there’s a reason the FBI recommends against paying hackers. Unfortunately, some corporations have ignored that advice this year, and hackers reap all of the benefits.
That may be part of why the Department of Homeland Security (DHS) issued new mandatory cyberattack rules.
Hacker Gangs ‘Phoenix’ and ‘DarkSide’ Make Off Like Bandits
Back in March, billion-dollar insurance company CNA was hit with a ‘sophisticated’ ransomware attack. Its website was rendered unusable, and the attack caused a ‘network disruption,’ the company said at the time.
It must have caused quite the disruption because news came out late last week that the Chicago-based firm reportedly paid the hacker gang a $40 million ransom. That’s the biggest ransomware payment on record.
The hacker gang deployed ransomware called Phoenix Locker, a variant of the ransomware Hades. Hades was created by the Russian hacker gang Evil Corp. The US Treasury Department sanctioned Evil Corp. in 2019, barring Americans from paying them any ransom. Phoenix, however, “isn’t on any prohibited party list and is not a sanctioned entity,” according to a CNA spokesperson.
News of the payout comes on the heels of Colonial Pipeline’s settlement with cybercrime syndicate DarkSide. After an 11-day shutdown that led to gas shortages and panic-buying, Colonial paid the hacker gang $4.4 million.
Since last August, DarkSide has reportedly made off with more than $90 million from 47 different victims.
It’s hard to blame the corporations for swallowing the ransom fees and getting their companies back. But victims are warned against paying hackers because the cybercriminals will often ask for more money once they know you’re willing to pay. It also encourages them to engage in more attacks.
Are There Any Other Options?
In an article published by the BBC, Joe Tidy presents a compelling argument for making all ransom payments illegal.
Rapid7 community and public affairs vice-president Jen Ellis told the BBC: “Most people agree, in an ideal world, the government would prohibit paying ransoms.”
Ellis, however, argues that we don’t live in an ideal world, and a law like this could result in a “pretty horrific game of chicken.” If hackers compromise an essential company, like a hospital, the cybercriminals have the luxury of time, whereas the hospital and its patients do not.
Ransomware is even starting to show up in television shows like The Daily Show.
Cyber Threat Alliance president and chief executive Michael Daniel told the BBC:
Ransomware attacks are primarily motivated by profit. And without profit, attackers will shift away from this tactic… A payment ban would take some burden off organizations, by removing payment as a legal possibility.
But even Daniel agreed that such a ban should not occur until victim-support mechanisms are firmly established.
Assuming the government is still a ways off from implementing such a ban, organizations should do all they can to protect themselves. Sadly, most small businesses still don’t view themselves as vulnerable to cyber threats, when in fact they are being targeted more than ever.
There are some basic steps every organization should take for protection. But most importantly, every firm should have a plan.
Featured image by Sashkin from Shutterstock.com