By Jamie Wilson, Founder and Managing Director of Cryptoloc
It might be the most difficult decision you ever have to make. With the future of your business and the private details of your customers, clients and employees on the line, whether or not to pay the ransom demanded by a cybercriminal can seem like an impossible choice – but here are the things you need to consider.
Ransomware has grown rapidly in both profile and impact over the last couple of years. Traditionally, ransomware attacks have consisted of criminals gaining access to your files and encrypting them, or restricting operations, and demanding a ransom for their return.
But the craft of ransomware has evolved recently, with the emergence of double extortion, in which the criminal threatens to leak your stolen files, and even triple extortion, in which your clients or suppliers are also hit with ransom demands.
The Australian Cyber Security Centre recorded a 15 per cent increase in ransomware over the 2020-21 financial year, while the Director-General of the Australian Signals Directorate recently told the Parliamentary Joint Committee on Intelligence and Security there had been a 60 per cent increase in ransomware attacks on Australian businesses over a 12-month period.
There is seemingly no sector that ransomware won’t touch. Private companies of all sizes have been targeted, but so have schools, scientific and technical organisations, social services, and even hospitals.
Earlier this year, Eastern Health – the operator of four hospitals in Melbourne’s east – was hit by a cyber attack that forced it to postpone certain surgeries, with ransomware the likely cause of the disruption. In the United States, ransomware has recently been alleged as the cause of death for a baby born at a hospital where hackers had shut down crucial systems in an extortion attempt.
Ransomware is serious business – and for those on the receiving end, it can put them in a seemingly impossible situation.
Is paying the ransom illegal?
In Australia, at the time of writing, there are no laws that explicitly prohibit the payment of a ransomware demand.
There are laws that a person considering paying a ransom should consider, however.
Division 400 of the Criminal Code Act 1995 (Cth), which deals with money laundering, makes it an offence to deal with money or property where there’s a risk that it will become an instrument of crime, and you are reckless or negligent as to whether it will be used as an instrument of crime.
Obviously, a hacker demanding ransom has already committed at least one crime, and it’s entirely possible they’ll use the ransom money to carry out further ransomware attacks – meaning there’s a risk the money will become an instrument of crime (even if, ultimately, the hacker ends up using the money for some non-criminal purpose).
Duress is a possible defence here, if you can demonstrate that you believed the hacker’s threat would be carried out unless you paid the ransom; there was no reasonable way the threat could have been rendered ineffective; and the payment of the ransom is a reasonable response to the threat.
It’s also illegal to intentionally make funds available to a terrorist organisation, under the Anti-Money Laundering and Counter-Terrorism Financing Act 2006 (Cth) – so if the cyber cartel that’s demanding the ransom payment is classified as a terrorist organisation, this would be illegal. (Of course, you may not know the identity or status of the organisation making the demand, but the law still applies if you are reckless as to whether or not it’s a terrorist organisation.)
It’s also worth noting that Labor has proposed a Ransomware Payments Bill which would require ransomware attack victims to contact the ACSC prior to making a ransom payment and disclose the amount being demanded and the details of the cryptocurrency wallet provided for the payment. The goal of the Bill, which has yet to pass, is to give the ACSC a chance to offer victims alternative options they might not have considered, and to provide intelligence that could help law enforcement agencies target the criminals making the demands.
Australian entities with an annual turnover of more than $3 million are currently required to report all data breaches that could result in harm to the Office of the Australian Information Commissioner (OAIC) within 72 hours. ‘Harm’ is subjective here – in theory, virtually any data breach has the potential to cause some degree of harm to someone – which is why it’s considered best practice to report any data breach to both the OAIC and the ACSC.
Going forward, I expect all of the countries in the Five Eyes alliance – Australia, the US, the UK, Canada and New Zealand – to eventually pass legislation that does explicitly prohibit the payment of ransomware demands, even though this will put companies that are unable to recover without access to their data in an extremely challenging position.
For instance, if a company feels they truly have no choice but to pay the ransom, they could then find themselves at risk of further extortion if the attacker threatens to reveal the illegal payment – creating a virtual Möbius strip of ransom payments.
Should you pay the ransom?
The ACSC recommends that victims of ransomware do not pay the ransom. Their reasoning is that paying the ransom effectively funds criminal groups, and demonstrates a willingness to give in to criminal demands, which can incentivise these groups to continue deploying ransomware attacks.
The ACSC also notes there’s no guarantee you’ll actually regain access to your systems and your data after paying the ransom. (The files may not be recoverable at all, if the attackers used ‘wiper’ malware, which sometimes masquerades as ransomware.) There’s also no guarantee the group won’t just turn right around and hit you with another ransomware attack – they could even provide you with a payment link that installs more malware onto your system.
In the United States, the FBI recommends against paying ransoms for essentially the same reasons.
Despite this, roughly one third of Australian businesses that are hit with a ransomware attack choose to pay the ransom – for an average amount of roughly $1.25 million, according to a survey conducted by Crowdstrike in 2020. (Exact figures are hard to come by, since most victims of ransomware don’t willingly disclose that fact.)
It’s not hard to see why they decide to give in. I’ve seen businesses brought to their knees by ransomware – especially small and medium-sized enterprises that don’t have backups in place, and simply don’t have the resources to get back on their feet and rebuild if they aren’t able to recover their data.
It’s not just smaller companies that feel the heat, either. JBS Foods, the world’s largest meat supplier, recently paid a $US11 million ransom.
Earlier this year, the United States experienced fuel shortages after Colonial Pipeline, an oil pipeline system that carries gasoline and jet fuel, was hit with a ransomware attack that forced it to shut down its pipelines for days. With the assistance of the FBI, Colonial paid a $US4.4 million ransom to restore their network.
Colonial Pipeline CEO Joseph Blount said that Colonial could have restored from backups, but opted to pay the ransom because of the critical nature of the pipelines and the uncertainty over how badly their systems had been breached and how long it would take to recover them.
A majority of respondents (62 per cent) to CNBC’s Global CFO Council survey for Q2 2021 said that Colonial had “no choice but to pay the ransom”, although only five per cent said it was the “right” choice.
(The Department of Justice was eventually able to recover the Bitcoins from the ransom payment by acquiring the private key of the ransom account, but these were worth only $US2.3 million because of a drop in Bitcoin value since the payment.)
No matter the size of your organisation, it’s clear that the ideal solution is to prevent an attack in the first place. Ensure your operating systems, software and applications are up to date; set your anti-virus and anti-malware solutions to automatically update and scan; turn on multi-factor authentication; and most importantly, train each of your employees not to visit unsafe or suspicious websites, open emails or files from unknown sources, or click on suspicious links in emails or on social media.
Even if you do all of that, you could still fall victim to an attack – but you should be able to recover with minimal downtime, and without paying the ransom, as long as you’ve got a solid backup infrastructure in place. Back up your data regularly, and ensure your backups are stored securely, and aren’t connected to the computers and networks they’re backing up.
You should also report the breach to the ACSC hotline on 1300 292 371, or via ReportCyber, the ACSC’s online portal for reporting cybercrime incidents.
In today’s landscape, a ransomware attack is increasingly inevitable – but if you put effective cybersecurity practices in place and back up your data, you may never have to make that impossible choice.
With Cryptoloc’s patented three-key encryption technology, nobody can ever access your data without your permission. Learn more about how you can safely store, share, sync and secure your files with Cryptoloc here.