It'd be a shame if something happened to it!

In the real, physical world, extortion is a real problem and across the world, certain gangs and organisations see extortion as a legitimate way to earn real money, even apparently in the nuclear power industry! [10] The Internet is of course similar in many ways to the real world. If there are assets that are valuable to the owners, and if those assets are easily accessible and poorly protected, then online attackers are likely to take advantage of the situation, especially if the level of risk (i.e. probability and/or consequences of being held responsible) is low, and the likelihood of return (i.e. getting a ransom paid) is high. [1][2]

The Optus and Medibank debacles are the first time that large numbers of Australians have had first-hand, face to face experience with ransomware attacks and their consequences. These kinds of attacks have actually been taking place for many years, but Australia’s reporting laws are so weak when compared to laws in some US and European jurisdictions that many people (even those who have been unknowingly affected) are unaware of their occurrence.

This lack of awareness has led some organisations to believe that ransomware and extortion attacks are uncommon and that the perceived level of business risk does not warrant expenditure on improving cybersecurity maturity. Consequently many organisations are poorly protected and open to compromise, and are unable to even provide their customers with details regarding the information that has been lost or stolen when an attack does occur.

The first time I had anything to do with assisting with a ransomware attack must have been around eight years ago. The victim was an engineering company with a low level of cyber security maturity and as a result, all the company servers and backups were encrypted in the attack. Consequently, the victim organisation only really had two choices:

Close the doors, or,
Pay the ransom.

The engineering company was an otherwise strong and viable business, so option (1) was not actually a valid option, and that just left option (2).

This is backed up by studies [3] which show that the percentage of organisations that paid ransoms increased by approximately 5% over the past year.

Other studies clearly illustrate the kinds of situations in which a victim organisation is likely to pay the ransomware gangs. For example, the short paper, “Your Money or Your Business: Decision-Making Processes in Ransomware AttacksRansomware Attacks” [6] illustrates two scenarios:

In the first scenario, two businesses who were affected similarly by ransomware attacks chose to pay the ransom. “Business operations solely relied on digital data (private organisation). When ransomware struck, critical data got encrypted and all vital operations were ceased. Backups were not available. The victim made a decision to pay the ransom to avoid bankruptcy”.
In the second scenario, a public organisation chose not to pay. “A public organisation suffered an unprecedented attack, where around 100 servers got encrypted, disabling several important services. The victim only had partial backups. They immediately reported the incident to authorities and were subsequently advised not to pay the ransom. Upon reflection, the organisation regretted not to explore a possibility of paying to offenders as recovery was extremely challenging (over a year). If it was a private organisation, the business would not survive.”

Trust, attackers and reputation

So as the decision-making paper [6] explained, the likelihood of return for the attacker (i.e. the business will pay) is very high unless:

The victim organisation is a forward-thinking business that has invested in a robust level of cyber security maturity and so can manage the attack, or,
The victim organisation takes the view that it’s OK to hang their customers’ personal information out to dry, despite the obvious distress that will cause, in order to prop up some moral “we don’t pay ransoms” hobby horse.

So why not pay the ransom? The line that is popular with Medibank and the government at the moment is that “you can’t trust the criminals to do what they say they will”. But is it really true?

Studies [2][3] have shown that real ransomware gangs establish a reputation for punishing non-compliance and victims decide whether to pay or not to pay depending on how likely it is that they’ll be punished for non-compliance. In addition, it appears that the real ransomware gangs have also realised that victims are more likely to pay when compliance results in the recovery of lost data. In fact, once they have been paid, the gangs sometimes even provide assistance to help victims avoid a similar attack in the future.

Take for example the ransomware negotiations that took place when CWT (formerly Carlson Wagonlit Travel) was compromised a couple of years ago. The attackers originally demanded US$10M but as shown in a chatroom that was left accessible to the Internet, appeared to settle for less when CWT negotiated in good faith [8]. And once paid, the attackers then provided a summary of the vulnerabilities they exploited, and suggestions to help improve the level of cyber security maturity and prevent similar breaches from occurring in the future! Here is part of that chat…

This is backed up by the 2022 Cyberedge Cyberthreat Defence Report which reports that over the past two years the percentage of ransom payers who did recover their data rose to 72.2%.

And it also reflects upon my experience with the engineering company: The extortionist(s) provided help files in a range of languages and also provided assistance with bitcoin and funds transfer, and the engineering company was able to recover all their files.

So where does that leave us?

Well to start with, the attackers that are currently in the headlines are (under Australian law) criminals; yes, agreed, there is no question about that so we can move on, because that is not the point.

And yes, in some situations, criminals can be identified and brought before the courts, as shown in this case that was recently awarded to Google [7]. But that is not the point either.

We can even observe that in many cases, the extortion gangs are also sincere (illegal) business people, with sophisticated operating infrastructure, and a good understanding of reputation, consistency and customer service. But even that is not the point!

The point is this: Complaining about criminals doing criminal things after they’ve done their work is all backwards-looking and the-horse-has-bolted. That does not mean that I condone extortion in any way, shape or form; just the opposite! What it means is that we know that extortion can be extremely damaging or organisations and their customers, so it’s very important to look ahead before the gate is left open and note that organisations do not have to become victims. It’s not a fait accompli. That is the point!

Drive it like you own it!

As business owners, one of our jobs is to manage business risks, especially risks associated with business reputation and continuity. In theory, risks can be:

Avoided. Well, not really in this case, unless your business has somehow travelled back to the pre-Internet era of Abba and flared jeans. And wild hairstyles… and my Ford Escort… good times! But I digress…
Transferred. That’s usually done through cyber insurance but as discussed here [5], coverage increasingly relies on the business being able to show that it can demonstrate an adequate level of cyber security maturity.
Managed (reduced). This where the business is proactive and sets up a well managed and reasonably funded maturity-improvement plan to manage (reduce) cyber risks to an acceptable level.
Accepted. This is where the organisation has a formal system security plan, risk register and associated risk-management plan, and can be confident that it has addressed managed (as per point 3) or transferred (as per point 2) risks that cannot be accepted.

Sure, even after all that, an organisation might still be breached. In fact, if we go with the cheery advice of Robert S. Mueller, III, former Director of the FBI and Special Counsel into the Russian interference of the USA election: “There are only two types of companies: Those that have been hacked and those that will be hacked.” But Mueller’s advice was not given so that we could all just throw our hands up in the air and give ourselves over to abject, pre-ordained hopelessness like Marvin [9].

No, Meuller’s advice was given as a prescient warning. It’s time for organisations to manage risk and maintain a suitable level of cyber security maturity (here are some examples [11]) so that when an attack does come, there is a realistic expectation of timely detection, investigation, defence and recovery, without major consequences for more than a quarter of the country’s population.

Oh, and by “it’s time” remember that Mueller made his observation in 2012!