As the impact of another ransomware attack is felt in New Zealand, Hadeel Salman explains how hackers are upping their game – and explores what could be done to dissuade them.
When we think about hostage situations, holding someone captive against their will is usually what comes to mind. The hostage will be released only once the perpetrators’ demands are met. Ransomware cyber-attacks work the same way – a criminal organisation holds your data hostage until you pay to regain access to your files. Ransomware operators employ the same tactics, such as ransom notes and countdown clocks, to frighten you into paying.
That is exactly what happened when Waikato DHB was hit by a ransomware attack last month. The attackers took control of the district health board’s files and network systems, demanding payment for their release. The attack impacted health services, stalled cancer treatments and halted elective surgeries.
As these attacks become more frequent, it’s worth asking who is responsible, what motivates them, and what can be done about it.
Who is targeted?
Ransomware hackers used to target individuals and demand small payments of roughly $100 to $200. In recent years, however, they have realised it is far more lucrative to hold businesses and public services hostage. Many companies, while reluctant, pay millions of dollars to regain access to their systems. In the United States, Colonial Pipeline paid 75 bitcoin, equivalent to US$4.4 million, to ransomware hackers.
To pay or not to pay?
The major argument against paying is clear: when companies pay ransoms, they encourage more ransomware attacks. The hope is that refusing the demands will remove the incentive for ransomware attacks and so eliminate the practice. But for that policy to work, it would require the collective approval and coordination of all organisations. If even a few companies are willing to pay, the incentive remains. Of course, this would be difficult to enforce, even if paying were made illegal.
It is often assumed that paying the ransom is much cheaper than rebuilding the company’s systems and data from scratch. When the city of Baltimore refused to pay the US$75,000 ransom, it spent US$18 million rebuilding its systems and services. However, these companies are dealing with criminals. Even if payment is made, there is no guarantee their files will be recovered. And even when companies do recover encrypted data, they still need to upgrade, overhaul or rebuild their systems and networks. Not paying ransoms may carry greater short-term costs, but it will bring greater long-term benefits, as the incentive to launch ransomware attacks declines.
There are also other, more compelling, reasons to refuse to pay hackers. Ransomware attackers have both financial and political motives. The former is obvious enough; the latter is important to understand.
The recent Colonial Pipeline attack allegedly emanated from Russia, carried out by a criminal group known as DarkSide. While the Russian government was not involved in the attack, the Kremlin has not condemned it. As ransomware expert Allan Liska noted, the hackers “are not operating at the behest of Russia, but they’re operating with the tacit acknowledgements of Russia”.
The Kremlin has long provided safe haven to cyber criminals living within its borders, on the condition that two simple, unspoken rules are followed. Firstly, the hackers must not target the motherland – and this rule is hard-wired into the code. The ransomware that hit Colonial Pipeline was programmed to check the language setting of each computer; if the computer’s default language was set to Russian, the code would move on and leave that machine alone. Secondly, the hackers must not target states that are friendly to Russia. The code must only target enterprises of Russian adversaries, such as the United States.
What makes payment even more troubling is that we can never be certain of the attacker’s identity. It could be an individual, an organised criminal group, a terrorist organisation or a sanctioned state. For example, the 2017 WannaCry ransomware attack, which hit businesses and hospitals, was allegedly orchestrated by the North Korean government. It affected between 230,000 and 300,000 computers in more than 150 countries and caused an estimated US$4 billion in damage across the world.
When we pay these ransoms, we are funding a criminal gang or, worse, a terrorist organisation or a sanctioned state. Paying any money that supports a criminal group, terrorist organisation or sanctioned state violates our international and domestic obligations. The Terrorism Suppression Act 2002 expressly prohibits wilfully financing terrorism without lawful justification or reasonable excuse. Yet paying these ransoms is completely legal. The New Zealand government urges organisations and institutions not to pay, but justice minister Kris Faafoi said he would not consider making these payments illegal. In fact, ransom payments may even be tax deductible or covered by insurance, making payment a much more appealing option.
Where to next?
As I write this, another cyber-attack has come to light, one similar to the Waikato DHB ransomware attack but much larger in scale.
This was a supply-chain attack carried out to deploy ransomware. The hackers embedded malicious code in a trusted piece of software, in this case the Kaseya IT management software. Once the code was planted and the software compromised, the hackers were able to infiltrate the networks of the companies, institutions and organisations that relied on that software.
The Kaseya supply-chain attack has hit more than 200 organisations worldwide and implicated New Zealand schools, including St Peter’s School in Cambridge. In the wake of the attacks, Swedish grocery chain Coop has been forced to close down 500 of its stores for the second day in a row.
The hackers were clever to target the Miami-based software company on a Friday, ahead of the 4th of July weekend. This is a common tactic: with staff away celebrating a long weekend, an attack is slower to be noticed. Kaseya staff were slow to respond to the attacks, and many customers only became aware of them on Monday.
At this stage, it’s too early to attribute the attack to Russia, but cybersecurity firm Huntress Labs suggests it came from a Russia-based criminal group, REvil. The only evidence pointing to Russia is the language the criminal group uses to communicate with each other, and further evidence will be required to support the allegations made by US authorities.
Cyber experts have warned against paying the ransom, arguing that any payment will further incentivise hackers to use personal information obtained in the hack to blackmail victims into making additional payments. Experts also note that it will take months before the full extent of the damage can be accurately assessed. The covert nature of cyber operations means the effects of an attack may only be detected long after the initial intrusion.
As ransomware attacks continue to threaten our economy, and indeed our way of life, the government needs to take a hard look at how it plans to address this threat. The government has to review the legality of ransom payments to ensure that New Zealand dollars are not funding criminal activities.
Ideally, the government should make any kind of payment illegal, but even that may not stop companies from paying the ransom in secret. Making ransom payments illegal will only discourage companies from reporting these attacks, so as to avoid the negative publicity as well as the financial consequences of not paying up.
In the meantime, our best defence against ransomware attacks is cyber hygiene. We need to invest in cybersecurity – measures such as regularly backing up our data, turning on multi-factor authentication and updating our software serve to strengthen our systems against cyberattacks.