The US government’s fight to choke off ransom payments collected by hackers hit a major snag on Thursday last week, following news that Colonial Pipeline paid a hefty sum to hackers who for several days last week effectively shut down the country’s largest fuel pipeline and created gas shortages along the US east coast.
The decision went against warnings from the FBI and the US Department of the Treasury that such payouts would only spread pain down the line by encouraging more hacking, raising questions about the ethics of paying ransoms.
Cybersecurity experts, lawyers and insurers say that those pleas run up against the hard logic faced by many ransomware victims. Often the quickest way to restore debilitated computer systems is to pay, and victims typically have insurance to cover the cost. For those who resist, hackers have found new ways to increase the pain.
“It’s just a cold calculation by the policyholder and the carrier,” said Robert Cattanach, who works on cybersecurity litigation at the law firm Dorsey and Whitney. “As unfortunate as this dynamic is, at the end of the day, the insurance company is going to do what’s going to mitigate its exposure.”
While a ransom of US$5 million in cryptocurrency might seem like a hefty sum, victims do the math and find that their daily losses add up to much more, Cattanach said, referring to the amount that Colonial paid the hackers.
However, others worry that Colonial’s payment is going to embolden other criminals.
“It’s a terrible precedent to set and disappointing,” said an oil trader who was not authorized to discuss the topic publicly and requested anonymity. “But Colonial is a high-profile company, and it’s faster and cheaper to pay and then buy some better firewalls.”
Ransomware is a variation of malware that encrypts a victim’s computers, rendering them useless. The hacking group then demands a payment in exchange for a decryption key.
Adrian Nish, head of Cyber Technical Services for BAE Systems Applied Intelligence, said his firm tracks about 20 major ransomware groups, most based in Russia or Eastern Europe, and many of them have the capacity to hit scores of victims per month.
It is difficult to come across definitive data on ransomware victims because most prefer to keep the matter quiet. Ransoms demanded by hacking groups vary widely, and can reach tens of millions of US dollars.
However, the initial demand is often whittled down during negotiations, cybersecurity experts say.
The original ransom demand from the Colonial hackers — suspected to be a group called DarkSide — is not known.
A survey last year of senior IT and security decision-makers by the cybersecurity firm CrowdStrike Holdings said 27 percent of victims paid the ransom, and the average payment was US$1.1 million.
In March, the cybersecurity firm Kaspersky said 56 percent of victims paid the hackers.
A ransomware task force said in a report by the Institute for Security and Technology that cyber-ransoms paid last year totaled US$350 million, a 311 percent increase over 2019. The average payment was US$312,493.
Although the Colonial attack was especially serious because of the impact on US energy supplies, there have been other major ransomware attacks over the past few weeks. The victims include the District of Columbia Metropolitan Police Department and Scripps Health, a major hospital system in the San Diego area.
In the case of the police, the hackers eventually released what they said were personnel files on nearly two dozen people after the department did not meet the ransom demand.
The logic against paying ransom is simple: It makes the crime less profitable and discourages would-be hackers from joining in.
There is also no guarantee that a victim’s files would be returned, according to the FBI.
After news of Colonial’s ransom payment broke, White House press secretary Jen Psaki stated the FBI’s position.
However, she added: “What I’m here to do is just convey the policies of the United States government, and it doesn’t feel particularly constructive to call out companies in that manner at this point in time.”
Tyler Hudak, the head of incident response at the cybersecurity firm TrustedSec, said the calculation a company makes about whether to pay or not relies on a few variables.
The most important is whether the company has backups of the hijacked data, which would be necessary to restart its systems without help from the hackers.
However, even that might not save a victim. Many ransomware groups have begun to steal sensitive data before locking up a company’s computers, providing them with a second point of leverage.
“Like many groups, DarkSide uses a double-extortion scheme, which means they also steal data and threaten to leak it,” Hudak said. “Even if you don’t need to pay because your data is backed up, you might decide to pay to stop the leak.”
In the case of Colonial, the decrypter tool the hackers provided to help restore its systems was so slow that the company had to restore machines from existing backups anyway, a person familiar with the investigation said.
“Across the board, the decryption programs are not as well-written as the encryption programs, which is what makes the hackers money,” Hudak said.
In one case involving DarkSide, Hudak said that he and his team took 12 hours to restore a single server using the hackers’ tool.
In almost every case, victims must decide if paying the attacker is legal. In October last year, the Treasury Department created legal roadblocks for ransomware victims considering payment to attackers on the US sanctions list.
The challenge is that it might not always be clear who the hackers are, where they are located or if cryptocurrency addresses that they assign for payments are covered by sanctions.
“It’s all about risk versus reward,” Hold Security founder and chief information security officer Alex Holden said. “Can you ensure that you’re not breaking the law by paying, and what are the repercussions if you do break the law? Is it worth it?”