SINGAPORE – Even if a company pays the ransom hackers demand to release files locked up in a ransomware attack, the crooks can still strike again, a recent study has found.
Should organisations give in to cybercrooks? This is the question raised following recent high-profile cases of ransomware attacks, such as the ones against Colonial Pipeline and JBS in the United States last month that resulted in millions of dollars extorted.
It also stirred debate on whether ransom payments should be made illegal.
One quarter of companies in Singapore said they had been targeted for a second ransomware attack by the same people after payment for the first attack was made. This is according to the study by cyber-security firm Cybereason released last Wednesday (June 16). The figure rises to nearly one in two across seven markets globally, including the United States and Britain.
And yielding to the hackers’ demands does not mean the files can be recovered problem-free. About three in 10 firms here who paid the attackers said the released data had been corrupted.
Nearly one in two companies hit by ransomware attacks globally which paid up reported the same.
Cyber-security firms such as Cybereason advise companies against paying ransom. “Threat actors are criminals and profiteers, looking to make as much money as possible,” explained Mr Leslie Wong, Cybereason’s regional vice-president for the Asia-Pacific.
Mr Vicky Ray, principal researcher at cyber-security firm Palo Alto Networks’ Unit 42, said that if ransoms are not paid, then hackers are more likely to shift away from ransomware tactics.
Similar reasons are cited for supporting a ban on ransom payments.
A US task force on ransomware also said in its April report that ransom profits could be used to fund more pernicious crimes, such as human trafficking, child exploitation and terrorism.
“When viewed with that lens, the case for prohibiting payments is clear,” said the report.
But banning ransom payments could lead to other problems.
The US task force said ransomware attackers take little risk and expend a small amount of effort to launch attacks, and warned that a ban could cause hackers to apply more pressure by targeting organisations more essential to society. These include healthcare providers and local governments.
If a government takes a “hard-line approach”, that is, by disallowing the payment of ransom and offering to help victimised firms, the hackers could move to other targets in other countries or sectors instead of abandoning ransomware.
A ransom payment ban could also lead to some companies paying anyway in secret, which could open them up to even more extortion.
In Singapore, half of the businesses hit by ransomware from April 2019 to April this year have coughed up the ransom, said Cybereason’s study. Globally, this is nearly three in five.
The study polled about 100 businesses here online and about 1,200 around the world in April.
Extorted companies in Singapore paid ransoms of up to US$14 million (S$18.8 million), with 37 per cent of them paying between US$140,000 and US$1.4 million.
Elsewhere, ransom amounts have gone up. Palo Alto Networks found that in the US, Canada and Europe, ransom paid increased from about US$115,100 in 2019 to nearly US$312,500 last year.
Just last month, Colonial Pipeline paid US$4.4 million after ransomware shut down the largest fuel pipeline in the US. But using the hackers’ tools to decrypt locked data was reportedly so slow that the firm used its data backups to restore its system.
JBS, the world’s largest meat processor, paid US$11 million after ransomware disrupted its US, Canada and Australia operations.
Mr Wong acknowledged that whether a ransom should be paid or not is a decision each affected company has to make.
“In life and death situations, or because of a national emergency, it could be in the company’s best interest to pay,” he said.
Some companies might also feel that giving in to the attackers’ demands is the fastest way to return to normal operations, he added.
Mr Ray said some organisations might feel cornered into paying if they are not equipped to combat the threat. This could depend on whether they have cyber insurance, the quality of their data backups, and the estimated costs of the system outage.
Cybereason said that hackers, seeing how some firms do not give in, adapted by using a “double extortion” tactic – they might now also threaten to leak or sell the data if they do not get paid.
But before companies make that decision, Mr Wong said firms should consult their legal counsel and insurers, as well as keep local law enforcement informed.
When asked if it would consider banning payments to hackers, the Cyber Security Agency of Singapore (CSA) said it does not recommend paying the ransom.
Paying does not guarantee that hackers will keep their word, and paying them “also encourages the threat actors to continue their criminal activities and target more victims”, it said.
“Threat actors may also see organisations that have paid up as a soft target and may strike again in the future,” said the agency.
CSA said it is instead focused on helping companies and providing them with advice on how to take preventive measures. “Prevention is key to avoid falling victim to ransomware,” it said.
Businesses can refer to CSA’s “Ransomware: A growing cyber security threat to businesses” online advisory on how they can protect themselves.