The news that Travelex, the foreign currency firm, was the victim of the ransomware strain known as Sodinokibi (also called REvil) is just the latest in a long line of companies and organisations whose businesses have been crippled by this type of cyber-attack.
A survey by Which and Malwarebytes in August 2019 highlighted some startling figures. Looking across Europe and North America, the research showed that the UK was the third most attacked nation, after the USA and Canada. First identified in 1989, ransomware is not new, but it has only really started dominating headlines in recent years. The report also highlighted that attacks against businesses had soared by 365% while attacks on consumers had fallen by 12%. Business is now the primary target.
Whether the victim is Travelex, Maersk, a school, a hospital or a local authority (all hit in recent times), everyone agrees that no one is 100% immune to this attack vector. In 2019 Ireland's Department of Communications, Climate Action and the Environment, which oversees cyber security, was also infected. Being effectively prepared, however, they were all eventually able to recover.
What is widely recognised is that effective planning and preparedness reduce the overall impact of a cyber-attack on both profitability and business reputation, particularly in a world that is more focused than ever on good governance, ethics and company values as a prerequisite for customer growth.
There are all manner of technology companies with the latest inventions and widgets offering to cure these problems, but time and time again history teaches that these on their own will not keep you completely safe and can provide a false sense of security. Out-of-date technology, unaware employees and unpatched or legacy systems all add to the risk of compromise. There is more reporting and general noise around cybercrime than ever, but the statistics show that ransomware is still on the rise, with a growing focus on business enterprises, which are a lucrative market.
What is still startlingly common is the absence of knowledge and awareness of these issues among the people at the helm of many of these companies; the boardroom is still worryingly silent on the business risks facing the firms it is supposed to be overseeing. Often the IT department is still seen as the responsible area, as opposed to personal ownership at board level. Awareness of and preparedness for this critical business risk at the leadership level should be a number one priority. It's not just an IT issue.
But what about when you are not effectively prepared, and payment is made? Some justify this by comparison with paying to release human hostages, which is also nothing new, and most people would do that to save a loved one from harm. The UK, the USA and other governments, however, have a policy of not paying. Simply put, all the evidence shows that paying perpetuates more hostage taking and is used as greater leverage for further concessions.
In 2019, Eurofins, which provides forensic services to UK policing, admitted to paying criminals to unlock its files; the irony of this is not lost on anyone, particularly those in law enforcement. And already in 2020, Albany Airport in New York has admitted to paying criminals to unlock files encrypted by ransomware.
In 2019 McAfee reported that ransomware payouts overall had doubled over the previous year, often funded by insurance companies. It is difficult to think of any other insurance that pays the criminals to undo the crime they have committed. If your car is stolen, your insurer won't usually do a deal with the thief to get it back, nor with the fraudster who steals your money. Paying should be an exceptional event, but when it comes to companies' data this behaviour is becoming normalised. The increase in ransomware attacks appears closely linked to the rise in payments.
Paying organised criminal networks who have attacked systems and encrypted data is, in most jurisdictions, neither regulated nor illegal in itself (the main exception is sanctions law: a payment that reaches a sanctioned group or individual can be an offence), although according to some legal experts it skirts close. Some countries are starting to consider this, as the longer-term outlook does not paint a good picture. It is important not to forget that these payments only serve to fund other criminal activity, from further cyber-attacks to more tragic forms of human exploitation.
There are, though, some glimmers of hope and examples of good ethical leadership which should be applauded. Consider the words of Bernard C. "Jack" Young, Mayor of Baltimore, who in June 2019, after the infection of Baltimore city government computers, said: "Why don't we just pay the ransom? I know a lot of residents have been saying we should've just paid the ransom or why don't we pay the ransom? Well, first, we've been advised by both the Secret Service and the FBI not to pay the ransom. Second, that's just not the way we operate. We won't reward criminal behaviour."
"That's just not the way we operate": if anything sums up good preparation, leadership and values in business, it is this. When it comes to ransomware, an air-gapped (offline) backup is recognised as the last line of defence on the path to recovery, even if that recovery won't be easy and will cause some disruption. A backup only earns that status if it is genuinely kept offline so the attacker cannot encrypt or delete it too, covers the systems the business actually depends on, and has been proven by restoring from it before it is needed in anger. Being prepared, and therefore having the choice to say no, is key. There is also growing disquiet that some organisations are choosing payment as a first option, an easier and simpler route than the hard yards of recovery from a ransomware attack.
Is it now time for regulators and governments to consider this as part of wider cybercrime strategies? Those strategies have less impact if, on the one hand, law enforcement is trying to protect victims who, on the other, are paying the very same criminals. Equally, those who treat payment as a cheaper and easier option than investing in protection and prevention will rapidly lose the trust and confidence of their customers. In every boardroom the words "that's just not the way we operate" should be on display.
For companies and governments, being part of the ethical solution must be the only viable way forward; otherwise the problem will continue to grow, and in the longer term we will all be poorer for it.