by Karl Stephan
In what is just the latest of a lengthening series of ransomware attacks, the sheriff’s office of San Bernardino County, California reportedly paid over $1 million in ransom to an Eastern-Europe-based hacking group. About half the money was paid by insurance and the county paid the rest from its risk-management fund. Reporters for the Los Angeles Times were unable to determine exactly who authorized the payments, which enabled the county to restore its email servers, in-car computers, and law enforcement databases.
According to the report, the FBI discourages payments to ransomware hackers, but almost half of the state and local governments attacked worldwide pay anyway. A survey conducted by the British security firm Sophos was cited in the report, which said that the only organizations paying at a higher rate than local governments are K-12 schools, at a rate of 53%.
One distinguishes a trend here: the less likely an organization is to have a well-funded and robust IT security operation, the more likely it is to pay ransom. We haven’t heard of successful ransomware attacks on, for example, Bank of America, because bank IT operations have historically been acutely aware of all kinds of hacking hazards and have devised means of preventing such large-scale attacks on their systems. This doesn’t make them immune from the occasional data breach, but hackers have limited resources too, and they aren’t going to take on the equivalent of a 900-pound gorilla when they can pick on a chihuahua, as long as the chihuahua will pay up.
From the hacker’s point of view, it is a kind of optimization problem. You want to go after a target that is large enough to pay a ransom that will remunerate you for expenses and leave a substantial profit, but not so large that their IT department will defeat your efforts. Unfortunately, a great many institutions fit that description: hospitals, city and county governments and law-enforcement agencies, state agencies, and innumerable private firms as well.
It would be great if everyone could resist the temptation to give in to the hackers’ demands, and defeat their malware attacks with backups and better IT security in the first place. Unfortunately, the hackers are always devising new approaches, which means that successful defense requires an IT staff that is constantly updating their own knowledge and resources. The analogy of preparing for war is, unfortunately, relevant here. In war as well as IT security, the only way you know for sure you didn’t spend enough preparing for a crisis is if you lose.
And judging by the statistic that in 2021, U. S. banks processed an estimated $1.2 billion in ransomware payments, there are more and more entities taking the supposedly easy way out and simply paying the ransom.
This is a worrisome trend for several reasons.
One is that the ransom money has to come from somewhere: either taxpayer dollars that don’t get spent on something useful, or customer revenue that has to be made up in the form of higher prices or reduced profits. And it’s not like the money gets spent in the U. S., either. Studies indicate that many ransomware attacks originate either in Russia or Eastern Europe, where there is likely implicit or explicit cooperation between the criminals and their governments.
Another is that tolerance of corrupt practices lowers the moral tone of an entire environment. What I mean by that can be explained with an analogy. In the past, and to some extent in some countries even today, criminal organizations muscle their way into the commerce of a neighborhood by visiting the store owner and saying, “Nice little shop you have here. A shame if anything should happen to it.” Whereupon the owner has to fork over cash simply to stay in business and not worry about having his store wrecked or firebombed some evening. This type of thing is sometimes ironically referred to as “protection,” but in some locations where local law enforcement was useless, a powerful crime syndicate would actually ensure safety for pay, because minor criminals knew better than to fool with a store under the protection of the Mob.
Nothing good like that happens with ransomware. A successful ransomware attack is just a loss to the organization attacked, which faces two alternatives. One is to rely on their own IT support, outside security assistance, and backups to restore operations independently of the attack. The other is to give in and pay the ransom, hoping that the attackers will be true to their word and restore operations to their pre-attack status.
Trusting criminals is rather stupid on the face of it, although paying ransom does work now and then. But it sets a bad precedent that encourages further attacks and drains both public and private institutions of badly needed resources, while also raising insurance rates.
I recently experienced something along the lines of a ransomware attack on my own PC. I was visiting a site operated by a European lightning-detection organization run mainly by hobbyists (and therefore probably not supplied with abundant IT security help). A button on the right of the screen read something ambiguous like “Click here” and when I did, the screen lit up with bells and buzzers and a mechanical woman’s voice told me I had to do something or other to gain back control of my computer. Fortunately, when I closed the browser it all went away, but there for a few seconds I thought the PC was a goner.
Sufficiently advanced and well-resourced IT security can in principle defeat any ransomware attempt. Unfortunately, that standard is seldom met in practice, so we can expect ransomware attacks to continue, especially if the hackers find that their chances are about even of getting money out of their victims. But taking the easy way out and paying, while it is often the path of least resistance for individual organizations, is muddying the IT waters for all of us. The better way is to improve IT security, including fundamental changes to the way the Internet works, so that ransomware attacks could land in the dustbin of history along with stagecoach holdups. But that may take quite a while to do.
This article originally appeared in the Engineering Ethics Blog. Re-posted with permission.