The US government’s fight to choke off ransom payments collected by hackers hit a major snag on Thursday last week, following news that Colonial Pipeline paid a hefty sum to hackers who for several days last week effectively shut down the country’s largest fuel pipeline and created gas shortages along the US east coast.
The decision went against warnings from the FBI and the US Department of the Treasury that such payouts would only spread pain down the line by encouraging more hacking, raising questions around the ethics of paying the ransoms.
Cybersecurity experts, lawyers and insurers say that their pleas run up against the hard logic faced by many ransomware victims. Often the quickest way to restore debilitated computer systems is to pay, and victims typically have insurance to cover the cost. For those who resist, hackers have found new ways to increase the pain.
“It’s just a cold calculation by the policy holder and the carrier,” said Robert Cattanach, who works on cybersecurity litigation at the law firm Dorsey and Whitney. “As unfortunate as this dynamic is, at the end of the day, the insurance company is going to do what’s going to mitigate its exposure.”
While a ransom of US$5 million in cryptocurrency might seem like a hefty sum, victims do the math and find that their daily losses add up to much more, Cattanach said, referring to the amount that Colonial paid the hackers.
However, others worry that Colonial’s payment is going to embolden other criminals.
“It’s a terrible precedent to set and disappointing,” said an oil trader who was not authorized to discuss the topic publicly and requested anonymity. “But Colonial is a high-profile company, and it’s faster and cheaper to pay and then buy some better firewalls.”
Ransomware is a variation of malware that encrypts a victim’s computers, rendering them useless. The hacking group then demands a payment in exchange for a decryption key.
Adrian Nish, head of Cyber Technical Services for BAE Systems Applied Intelligence, said his firm tracks about 20 major ransomware groups, most based in Russia or Eastern Europe, and many of them have the capacity to hit scores of victims per month.
It is difficult to come across definitive data on ransomware victims because most prefer to keep the matter quiet. Ransoms demanded by hacking groups vary widely, and can reach tens of millions of US dollars.
However, the initial demand is often whittled down during negotiations, cybersecurity experts say.
The original ransom demand from the Colonial hackers — suspected to be a group called DarkSide — is not known.
A survey last year of senior IT and security decisionmakers by the cybersecurity firm CrowdStrike Holdings said 27 percent of victims paid the ransom, and the average payment was US$1.1 million.
In March, the cybersecurity firm Kaspersky said 56 percent of victims paid the hackers.
A ransomware task force said in a report by the Institute for Security and Technology that cyber-ransoms paid last year totaled US$350 million, a 311 percent increase over 2019. The average payment was US$312,493.
Although the Colonial attack was especially serious because of the impact on US energy supplies, there have been other major ransomware attacks over the past few weeks. The victims include the District of Columbia Metropolitan Police Department and Scripps Health, a major hospital system in the San Diego area.
In the case of the police department, the hackers eventually released what they said were personnel files on nearly two dozen people after the department did not meet the ransom demand.
The logic against paying ransom is simple: It makes the crime less profitable and discourages would-be hackers from joining in.
There is also no guarantee that a victim’s files would be returned, according to the FBI.
After news of Colonial’s ransom payment broke, White House press secretary Jen Psaki stated the FBI’s position.
However, she added: “What I’m here to do is just convey the policies of the United States government, and it doesn’t feel particularly constructive to call out companies in that manner at this point in time.”
Tyler Hudak, the head of incident response at the cybersecurity firm TrustedSec, said the calculation a company makes about whether to pay or not relies on a few variables.
The most important is whether the company has backups of the hijacked data, which would be necessary to restart its systems without help from the hackers.
However, even that might not save a victim. Many ransomware groups have begun to steal sensitive data before locking up a company’s computers, providing them with a second point of leverage.
“Like many groups, DarkSide uses a double-extortion scheme, which means they also steal data and threaten to leak it,” Hudak said. “Even if you don’t need to pay because your data is backed up, you might decide to pay to stop the leak.”
In the case of Colonial, the decrypter tool the hackers provided to help restore its systems was so slow that the company had to restore machines using existing backups anyway, a person familiar with the investigation said.
“Across the board, the decryption programs are not as well-written as the encryption programs, which is what makes the hackers money,” Hudak said.
In one case involving DarkSide, Hudak said that he and his team took 12 hours to restore a single server using the hackers’ tool.
In almost every case, victims must decide if paying the attacker is legal. In October last year, the Treasury Department created legal roadblocks for ransomware victims considering payment to attackers on the US sanctions list.
The challenge is that it might not always be clear who the hackers are, where they are located or if cryptocurrency addresses that they assign for payments are covered by sanctions.
“It’s all about risk versus reward,” Hold Security founder and chief information security officer Alex Holden said. “Can you ensure that you’re not breaking the law by paying, and what are the repercussions if you do break the law? Is it worth it?”