While many commentators exuberantly laud current advances in technology, others are learning that the digital age comes with some serious downsides. Indeed, in the past week alone ransomware—a form of cyber extortion—has been described by experts as “commonplace”, with a major company alleged to have paid a ransom for the return of data.
The issue was brought into sharp relief this week with reports that Eurofins Scientific, a provider of forensics services to police forces across Europe, had suffered an attack that affected its ability to serve customers. Describing the attack as coming from “highly sophisticated and well-resourced perpetrators”, Eurofins said the ransomware appeared to be a new piece of malware—invasive software—that was “undetectable” to its security providers.
The attack began at the beginning of June but news emerged over the weekend that the incursion had been resolved by the payment of a ransom.
Eurofins has not commented on the ransom, though reports from other cybersecurity specialists suggest that the malware thought to be responsible, Ryuk, is believed to have earned its creators almost $4m in ransom payments so far from a raft of victims. Indeed, one payment traced by specialists ran to more than $700,000 in bitcoin transactions. Crowdstrike, a cybersecurity firm, says Ryuk is “specifically designed to target enterprise environments”.
Observers are surprised cybercriminals would target such a large company (Eurofins is listed on Euronext, Paris), but this is not the only case. US local authority Lake City, in Florida, recently paid half a million dollars to cybercriminals, as did another local government body, Riviera Beach.
Here in the UK, cybercrime made headlines last month when the band Radiohead was targeted. Extortionists threatened to post previously unpublished material online if the band refused to pay up. Members chose to release the music themselves instead, thus denying the criminals their leverage.
A growing threat
But ransomware is also in the news due to the sheer volume of criminal activity that appears to be under way. The global cost of ransomware attacks has been estimated to be $20bn by 2021 in ransom payments and lost business, making it the fastest growing form of cybercrime. Databarracks, a firm of IT disaster recovery experts, estimates 28% of companies will be hit by an attack in 2019, up from 16% three years ago.
What are the implications of such attacks and how should companies tackle ransom attempts?
According to Javvad Malik, security awareness advocate for KnowBe4, a security training provider, attacks are on the increase, though small and medium-sized companies are the main targets, along with underfunded sections of government, mostly because they lack sophisticated security measures. This week, Steve Wright, an adviser to the Bank of England, gave an interview in which he said small companies faced the same threat but with fewer defences.
He says that essential to any management of a ransomware attack is advance preparation, including having data backed up on a separate network.
Malik warns that demands for ransom will inevitably involve board members. “When it comes to the payment it’s not just an IT decision,” he says. This is because a decision to pay criminals will involve a strict process of documenting evidence to rule out the possibility of someone internal attempting to launder money or fund terrorists. “You need to exhaust every possibility,” says Malik.
With no data backed up or IT solution to break down the encryption used by ransomware, paying up may seem the only option for some companies. However, there are those who warn against it.
According to Peter Groucutt, managing director of Databarracks, paying ransom money is a mistake. He argues paying up could incite further attacks, or could be illegal in some cases. It’s not even certain payment will guarantee the return of data.
“At best paying the ransom means funding cybercriminals to carry out further attacks and, at worst, potentially funding terrorism, “ Groucutt says.
He echoes the advice that preparation is key; outright prevention is not viable so businesses should focus on having strategies in place to soften the blow of an attack, especially backup data.
Reflecting on the Radiohead incident, Groucutt adds: “Agreeing to pay a ransom demand isn’t conducive to long-term security and emboldens cybercriminals to continue to use this method.”
Whichever view you take, trends suggest many companies will soon face unsavoury demands from cybercriminals. Preparation looks like the only serious option.