The US government’s fight to choke off ransom payments collected by hackers hit a major snag on Thursday last week, following news that Colonial Pipeline paid a hefty sum to hackers who for several days effectively shut down the country’s largest fuel pipeline and created gas shortages along the US east coast.
The decision went against warnings from the FBI and the US Department of the Treasury that such payouts would only spread pain down the line by encouraging more hacking, raising questions around the ethics of paying the ransoms.
Cybersecurity experts, lawyers and insurers say that their pleas run up against the hard logic faced by many ransomware victims. Often the quickest way to restore debilitated computer systems is to pay, and victims typically have insurance to cover the cost. For those who resist, hackers have found new ways to increase the pain.
“It’s just a cold calculation by the policy holder and the carrier,” said Robert Cattanach, who works on cybersecurity litigation at the law firm Dorsey and Whitney. “As unfortunate as this dynamic is, at the end of the day, the insurance company is going to do what’s going to mitigate its exposure.”
While a ransom of US$5 million in cryptocurrency might seem like a hefty sum, victims do the math and find that their daily losses add up to much more, Cattanach said, referring to the amount that Colonial paid the hackers.
However, others worry that Colonial’s payment is going to embolden other criminals.
“It’s a terrible precedent to set and disappointing,” said an oil trader who was not authorized to discuss the topic publicly and requested anonymity. “But Colonial is a high-profile company, and it’s faster and cheaper to pay and then buy some better firewalls.”
Ransomware is a variation of malware that encrypts a victim’s computers, rendering them useless. The hacking group then demands a payment in exchange for a decryption key.
Adrian Nish, head of Cyber Technical Services for BAE Systems Applied Intelligence, said his firm tracks about 20 major ransomware groups, most based in Russia or Eastern Europe, and many of them have the capacity to hit scores of victims per month.
It is difficult to come across definitive data on ransomware victims because most prefer to keep the matter quiet. Ransoms demanded by hacking groups vary widely, and can reach tens of millions of US dollars.
However, the initial demand is often whittled down during negotiations, cybersecurity experts say.
The original ransom demand from the Colonial hackers — suspected to be a group called DarkSide — is not known.
A survey last year of senior IT and security decisionmakers by the cybersecurity firm CrowdStrike Holdings said 27 percent of victims paid the ransom, and the average payment was US$1.1 million.
In March, the cybersecurity firm Kaspersky said 56 percent of victims paid the hackers.
A ransomware task force said in a report by the Institute for Security and Technology that cyber-ransoms paid last year totaled US$350 million, a 311 percent increase over 2019. The average payment was US$312,493.
Although the Colonial attack was especially serious because of the impact on US energy supplies, there have been other major ransomware attacks over the past few weeks. The victims include the District of Columbia Metropolitan Police Department and Scripps Health, a major hospital system in the San Diego area.
In the case of the police, the hackers eventually released what they said were personnel files on nearly two dozen people after the department did not meet the ransom demand.
The logic against paying ransom is simple: It makes the crime less profitable and discourages would-be hackers from joining in.
There is also no guarantee that a victim’s files would be returned, according to the FBI.
After news of Colonial’s ransom payment broke, White House press secretary Jen Psaki stated the FBI’s position.
However, she added: “What I’m here to do is just convey the policies of the United States government, and it doesn’t feel particularly constructive to call out companies in that manner at this point in time.”
Tyler Hudak, the head of incident response at the cybersecurity firm TrustedSec, said the calculation a company makes about whether to pay or not relies on a few variables.
The most important is whether the company has backups of the hijacked data, which would be necessary to restart its systems without help from the hackers.
However, even that might not save a victim. Many ransomware groups have begun to steal sensitive data before locking up a company’s computers, providing them with a second point of leverage.
“Like many groups, DarkSide uses a double-extortion scheme, which means they also steal data and threaten to leak it,” Hudak said. “Even if you don’t need to pay because your data is backed up, you might decide to pay to stop the leak.”
In the case of Colonial, the decrypter tool the hackers provided to help restore its systems was so slow that the company had to restore machines using existing backups anyway, a person familiar with the investigation said.
“Across the board, the decryption programs are not as well-written as the encryption programs, which is what makes the hackers money,” Hudak said.
In one case involving DarkSide, Hudak said that he and his team took 12 hours to restore a single server using the hackers’ tool.
In almost every case, victims must decide if paying the attacker is legal. In October last year, the Treasury Department created legal roadblocks for ransomware victims considering payment to attackers on the US sanctions list.
The challenge is that it might not always be clear who the hackers are, where they are located or if cryptocurrency addresses that they assign for payments are covered by sanctions.
“It’s all about risk versus reward,” Hold Security founder and chief information security officer Alex Holden said. “Can you ensure that you’re not breaking the law by paying, and what are the repercussions if you do break the law? Is it worth it?”