As the impact of another ransomware attack is felt in New Zealand, Hadeel Salman explains how hackers are upping their game – and explores what could be done to dissuade them.
IT SECURITY SCIENTISTS BEING TRAINED IN RANSOMWARE AT THE ATHENE CYBER SECURITY CENTRE IN GERMANY (PHOTO: FRANK RUMPENHORST/PICTURE ALLIANCE VIA GETTY IMAGES)
When we think about hostage situations, holding someone captive against their will is usually what comes to mind. The hostage will be released only once the perpetrators’ demands are met. Ransomware cyber-attacks work the same way – a criminal organisation holds your data hostage until you pay to gain access to your files. Ransom hackers employ similar tactics, like ransom notes and countdown clocks, to coerce you into making payments out of fear.
That is exactly what happened when Waikato DHB was hit by a ransomware attack last month. The attackers took control of the district health board’s files and network systems, demanding payment for their release. The attack impacted health services, stalled cancer treatments and halted elective surgeries.
As these attacks become more frequent, it’s worth asking who is responsible, what motivates them, and what can be done about it?
Who is targeted?
Typically, ransomware hackers used to target individuals and demand small payments of roughly $100 to $200. In recent years, however, hackers have realised it is much more lucrative to hold businesses and public services hostage. Indeed, many companies, while reluctant, often pay millions of dollars to regain access to their systems. In the United States, Colonial Pipeline paid 75 bitcoin, equivalent to US$4.4 million, to ransomware hackers.
To pay or not to pay?
The major argument against paying is clear: when companies pay ransoms, it encourages more ransomware attacks. The hope is that denying their demands will remove all incentives for ransomware attacks, thereby eliminating the practice. But for that policy to work, it would require the collective approval and coordination of all organisations. If even a few companies are willing to pay, the incentive remains. Of course, this would be difficult to enforce, even if we made it illegal to do so.
It is often assumed that paying the ransom is much cheaper than rebuilding the company’s systems and data from scratch. When the city of Baltimore refused to pay the US$75,000 ransom, it spent US$18 million rebuilding its systems and services. However, these companies are dealing with criminals. Even if payments are made, there is no guarantee their files will be retrieved. Even when companies recover encrypted data, they still need to upgrade, overhaul or rebuild their systems and networks. Not paying ransoms may have greater short-term costs, but will have greater long-term benefits, as the incentive to launch ransomware attacks will decline.