To pay or not to pay? The dilemma for ransomware victims
May 13, 2021 - 09:13 AM
WASHINGTON — Last year, a northwestern US county paid $300,000 to recover data locked by hackers, opting like many victims to pay the ransom despite experts advising against it — the same dilemma which has recently faced fuel behemoth Colonial Pipeline.
“We had no phones, and no internet, and no computer system,” former Tillamook county commissioner Bill Baertlein said during an online seminar.
Authorities had studied the system to see if it could be unlocked without paying, but “we determined that we probably could not fix it.”
Colonial found itself in a similar quandary, after a ransomware attack Friday forced the company — which operates the largest fuel conduit system in the United States — to shut down its entire network.
In Tillamook, a rural county near Portland, Oregon, known for its cheese, negotiations with the hackers — whom Baertlein said were from Russia — took two weeks. The county finally paid up, with the help of a computer security company.
“Our belief (is) that it only happens to someone else,” said Baertlein. “Well, it happened to us, and I think it can happen to anybody.”
In total, the whole situation cost Tillamook $525,000 — but that’s still less than the $1 million it would have cost the county of 26,000 people to redo the entire system, an operation that would have taken between one and two years, according to Baertlein.
Just four months after the Tillamook affair, the University of Utah paid nearly $460,000 to recover the private data of its students and staff, also locked by hackers.
The Salt Lake City institution later acknowledged there was “risk” associated with paying, particularly “uncertainty that the threat actor will adhere to negotiated terms.”
Hackers will sometimes leak part of the locked data in order to pressure their victims.
That’s what happened Tuesday to the Washington police department, which was the victim of an attack by the Babuk cybercrime group.
Specializing in extorting funds, the group recently seized administrative and personnel files from the US capital’s police.
The hackers, dissatisfied with the negotiations, then released the encrypted files of about 20 officers, a police spokeswoman said.
“The negotiations reached a dead end, the amount we were offered does not suit us,” Babuk told the police, threatening to reveal all of the stolen files with their decoding key.
The files contain psychological evaluations, professional interviews, social security numbers, addresses and personal phone numbers, and officers’ electronic signatures, according to specialized news outlets.
All data that could be used by other cybercriminals.
Other attacks on critical infrastructure for the country could have economic implications, as with Colonial Pipeline.
Last week’s hacking of Colonial, which sends gasoline and jet fuel from Texas’s Gulf Coast to the populous east coast, caused thousands of motorists to panic and rush to gas stations, resulting in gasoline shortages in several regions.
It began to reopen Wednesday, warning it would take “several days” before things returned to normal. It was not clear if the company had paid any ransom, with the Washington Post reporting that it had no plans to do so, and instead was working with a cybersecurity firm.
The US government has been reluctant to give companies instructions beyond calling on them to strengthen their security systems.
“They have to just balance off, in the cost-benefit, when they have no choice with regard to paying a ransom,” Anne Neuberger, a cyber specialist on the US National Security Council, said Monday.
Colonial Pipeline is a private company, and President Joe Biden’s administration “has not offered further advice” on how to proceed, she said.
Still, federal law enforcement and some experts advise against paying a ransom.
Not only is there no guarantee of recovering the data, paying “also encourages perpetrators to target more victims and offers an incentive for others to get involved in this type of illegal activity,” the FBI says on its webpage dedicated to data theft.
According to Danish IT security company Heimdal, half of all hacking victims never get their data back. And even if they do, there’s no guarantee the information hasn’t already been resold on the dark web.
Additionally, for US companies, paying a ransom could be illegal in some situations, Heimdal points out.
In October 2020, the Treasury Department’s Office of Foreign Assets Control indicated that entities that paid a ransom could be investigated and fined, even if they went through an intermediary such as an insurance company, for funding a criminal group subject to Washington sanctions.