IT, cybersecurity, and security management practitioners appear to be split on the necessity of paying so-called “ransomware release fees” to cyber crooks who have held their company’s network systems hostage with software intrusions that lock down certain segments like payroll. Some IT people have a pragmatic attitude about paying off these cyberattacks, which often come from third-world or eastern-bloc countries, where detection is difficult and successful prosecution is rarely possible.
Paying the “fee” to release the hold on various software modules gets the company back in business that much faster, goes the thinking of some IT professionals. Security practitioners often vigorously disagree, saying that paying these extortion fees not only encourages a repeat attack from the same criminal but also spreads the word around the online hacker community that the company pays and is therefore vulnerable to being attacked again and again. Security directors believe that taking a fatalistic approach to these cyberassaults and paying the unlock fees only encourages more of this illegal behavior.
Note the complexity of even the definition of ransomware: “A computer malware that installs covertly on a victim’s device (e.g., computer, smartphone, wearable device) and that either mounts the cryptoviral extortion attack from cryptovirology that holds the victim’s data hostage, or mounts a cryptovirology leakware attack that threatens to publish the victim’s data, until a ransom is paid” (http://bit.ly/1TMNktl).
Security professionals need to rely on their IT colleagues to interpret these attacks and work together to fight back effectively. This should include involving the FBI’s Cyber Division and getting advice and support from cybersecurity professionals who are familiar with the latest types of attacks. IT experts urge organizations to back up their critical server modules (to several off-site locations) so that in the worst-case scenario only a day’s worth of work would be compromised or lost.
One of the first publicized cases of ransomware aimed at a government entity happened in 2008 and involved a disgruntled City of San Francisco IT employee who paralyzed the City’s payroll system by changing the access password and subverting the data to his own network system. The targeted network held city e-mails, payroll, police records, information on jail inmates, and other data. Even after he was arrested and charged, the employee refused to give the password to his supervisors at the Department of Technology Information Services. He finally turned the password over to then-San Francisco Mayor Gavin Newsom during a jailhouse meeting arranged by the employee’s defense lawyer. The event caused the City an estimated $900,000 in time and labor costs to repair the damage. The suspect was convicted and sent to state prison for 4 years and made to pay restitution to the City.
A more primitive version of ransomware happens when people who visit pornography sites have their devices hijacked with warning messages that demand payment before the attackers will “release” electronic custody of the device back to the user. In most of those cases, people who paid the “fee” did not really need to and could have cleared the message by shutting off their device, clearing their browser cache and history, and rebooting their systems.
Other recent cases have seen similar attacks aimed at federal government sites, hospitals, and public- and private-sector agencies, with a demand for money as the primary goal, along with the accompanying disruption of critical services. While local law enforcement usually has neither the expertise nor the capability to get involved in these cases, federal law enforcement is now addressing these events much more rigorously.