Some Firms Opt to Pay Hackers’ Ransoms, but Fail to Recover Data: Opinion

May 16, 2017

Behind the rise of ransomware lies the rise of bitcoin, the virtual currency of choice for hacker blackmailers who steal huge amounts of sensitive data. That doesn’t mean bitcoin is inherently to blame, but it does suggest that business has a bitcoin problem. Buying the currency has become a form of short-term protection, however dicey, against attacks.

The logic is twisted but tempting. Hoarding bitcoin to pay off hackers may seem a better option for companies that either don’t or can’t make the heavy investments needed to see off the attacks in the first place.

Paying ransoms certainly isn’t considered best practice in IT security circles, and that is before considering the principle of not funding criminals. But if you fall prey to a ransomware attack, there aren’t many options, especially if you have no data backup. One Los Angeles hospital reportedly paid about $17,000 to hackers to restore its computer systems last year.

Hopefully, the global outrage over WannaCry, which hit more than 200,000 computers in at least 150 countries, will nudge CEOs into trying something more than just playing along with the hackers. A study by Citrix Systems Inc. last year found one-third of British companies were hoarding digital currencies for future ransomware payoffs. It also found that one in five medium-to-large businesses didn’t have any broader contingency measures in place for this kind of attack.

And it’s not as if cyber-criminals offer guarantees. One in three Australian companies that pay off attackers doesn’t get its data back, according to Telstra Corp Ltd.

Unfortunately, with even blue-chip companies such as ArcelorMittal and Kering identifying ransomware as a risk in their annual reports, finding an alternative that works is neither easy nor cheap.

While Europol says “remarkably few” payments have been made in response to WannaCry, recent data suggest ransomware attacks are soaring — as is their cost. The first half of 2016 saw a doubling of ransomware attacks versus all of 2015, according to specialist insurer Beazley Plc. It found finance firms with yearly revenue below $35 million were among the top targets. These companies won’t have the deepest pockets to fight cyber crime. The mix of damages and related costs from ransomware is seen topping $1 billion a year, according to one estimate.

So it won’t be easy to break the cycle feeding such attacks: victims willing to pay up, and hackers responding to that opportunity. The price of bitcoin fell on Friday, as traders weighed the chance of tighter regulatory scrutiny of what is a crucial enabler of ransomware. But it has already recovered some of the losses.

Bitcoin’s rise to record heights just increases the temptation for criminals, while the purchasing of the crypto-currency by businesses looking for insurance is almost certainly fueling its rise.

Tougher sanctions against companies with meager data protection may force them to find better ways of tackling this. Yet technology is only part of the answer. Humans need to up their game too through better training and organizational awareness.

With people often the weak spot in cyber defenses, this is easier said than done. For now, bitcoin will keep filling company wallets and hackers’ pockets.

This column does not necessarily reflect the opinion of Bloomberg LP and its owners.
