Hey! That’s a nice business!
With guest author, Tim Redhead, DotSec.
In the physical world, extortion is a long-standing problem worldwide. From the mafia in Italy, Germany, the US and Russia, to organised crime gangs in Australia, the Yakuza in Japan and drug cartels in South America, extortion is seen as a legitimate way to earn money. The Internet is, of course, similar in many ways to the physical world. If there are assets that are valuable to their owners, and if those assets are easily accessible and poorly protected, then criminals are likely to take advantage of the situation, especially if the level of risk is low and the likelihood of return is high.
The Optus and Medibank debacles are the first time that large numbers of Australians have come face to face with cyber extortion attacks (data theft and ransomware) and their consequences. These kinds of attacks have actually been taking place for many years, but Australia’s breach-reporting laws are so weak when compared to laws in some US and European jurisdictions that many people (even those who have been affected) have been unaware.
This lack of awareness has led some organisations to mistakenly believe that these attacks are uncommon and that the perceived level of business risk does not warrant expenditure on improving cybersecurity maturity. Consequently, many organisations are poorly protected and open to compromise, and are unable to even provide details regarding the information that has been lost or stolen when an attack does occur.
To pay or not to pay
The first time I had anything to do with assisting with a Ransomware attack was around eight years ago. The victim was an engineering company whose servers and backups were encrypted in the attack, so the victim organisation only really had two choices:
a) Close the doors, or,
b) Pay the ransom.
Of course, Option (a) is not actually a valid option for a viable business. Therefore, unless the victim thinks that it’s OK to hang their customers out to dry in order to prop up some moral “we don’t pay ransoms” hobby horse, or else is a forward-thinking business that has invested in a robust level of cyber security maturity, the likelihood of return for the attacker (i.e. the business will pay) is almost certain. This is backed up by studies which show that the percentage of organisations that paid ransoms increased by approximately 5% over the past year.
And that all leads to the second main point which is “you can’t trust the criminals to do what they say they will”. This line is popular with Medibank and the government at the moment but is it really true?
Studies have shown that real ransomware gangs establish a reputation for punishing non-compliance and victims decide whether or not to pay depending on how likely it is that they’ll be punished for non-compliance. On the flip side, the real ransomware gangs have also realised that victims are more likely to pay when compliance is rewarded with the recovery of lost data. Over the past two years the percentage of ransom payers who did recover their data rose to 72.2%. (Source: 2022 Cyberedge Cyberthreat Defence Report)
This backs up my experience: The real ransomware gangs provided help files in a range of languages and also provided assistance with bitcoin and funds transfer, and the engineering company was able to recover all their files. In other cases, the extortionists even provided a “list of recommendations to avoid such things in future”.
Managing cyber risk
So where does that leave us? As business owners, one of our jobs is to manage business risks, especially risks associated with business reputation and continuity. In theory, risks can be:
- Avoided. Well, not really in this case, unless your business has somehow travelled back to the pre-Internet time of Abba and flared jeans.
- Transferred. That’s usually done through cyber insurance but coverage relies on the business being able to show that it already manages its risks.
- Managed (reduced). This is where the business is pro-active and sets up a well managed and reasonably funded maturity-improvement plan to manage (reduce) cyber risks to an acceptable level.
- Accepted. This is where the business has conducted a risk assessment and has formally agreed that the risk is acceptable.
The attackers that are currently in the headlines are criminals; yes, agreed, move on. More important is the fact that the real gangs are also sincere (illegal) business people, apparently very similar to the organised crime groups in the physical world. But even that is not the point! The point is that you do not have to do business with those people if you don’t want to, assuming of course that the business properly manages the majority of its cyber risk and transfers any residual risk through insurance.
In conclusion, a meditative thought: The gardener toils in the sun from dawn ‘til dusk but in the night the thief will come. And by the shining of the moon shall those most juicy of fruits be revealed hanging low to the ground! Then will the thief strike! And thus, the fruit, and the gardener, will surely be plucked!
DotSec are a Brisbane-based firm specialising in cyber security. If you would like more information on how you can better manage your cyber security and risk, contact Tim Redhead from DotSec on (07) 3221 2442.
To learn more about the studies referenced in this article, visit https://www.dotsec.com/