Is there honor among hackers?
It's an important question for victims of ransom cyberattacks who face the decision of whether to pay real money to have their computers unencrypted or to end a cyberattack.
On one hand, cyber criminals need to cultivate the impression that a ransom payment will end the attack. Otherwise, few people would pay. On the other hand, cyber criminals stand to make more money by targeting victims who have already shown a willingness to pay. If victims have the means to beat the hack, they wouldn't have paid.
The experience of many companies that have faced digital extortion over the past few years shows that not all cyber crooks invest in their self-image, and these are tales that provide a pertinent warning to anyone faced with the question of whether to pay a ransom.
Paid up and attacked again
Back in 2015, Swiss-based encrypted email provider ProtonMail suffered days of outages due to a volumetric DDoS attack. The company, whose product is relied upon by whistleblowers, journalists and other at-risk groups, was reluctant to pay a ransom. When a 100 Gbps attack took ProtonMail's data center and ISP offline, the company faced increased pressure to end the attack from both its social media-savvy constituency and businesses who were losing significant amounts of money to downtime.
But the attacks didn't stop.
For three days after the company paid a ransom, the DDoS attacks continued, this time from a second, unknown actor.
Whether the second attack came from a new group of hackers that had identified a weak target, or from the original blackmailers taking a second bite of the apple, isn't clear. But the company immediately issued a statement of regret on its blog.
"This was a collective decision taken by all impacted companies, and while we disagree with it, we nevertheless respected it, taking into consideration the hundreds of thousands of Swiss Francs in damages suffered by other companies caught up in the attack against us. We hoped that by paying, we could spare the other companies impacted by the attack against us, but the attacks continued nevertheless. This was clearly a wrong decision, so let us be clear to all future attackers -- ProtonMail will NEVER pay another ransom."
Data leaked despite paying
A similar scenario played out recently when the hacking group Dark Overlord broke into a post-production studio's database, stole several unreleased episodes of the Netflix series Orange is the New Black, and threatened to leak them online. The hacking group demanded payment -- and the company, faced with a threat that could potentially ruin its business in the industry, obliged. It paid $50,000. Despite following the hackers' instructions and paying the ransom, the business saw these episodes leak online.
The business's reaction to this event was eerily similar to that of ProtonMail. In an interview with Variety, they stated "Don't trust hackers," noting that "with the information that we had, we made the best decisions we could make at the time. Those would not be the decisions that we would make now."
What does it all mean?
These examples are important for several reasons.
First, they illustrate that paying a ransom provides no safe harbor. In the case of ProtonMail, the hacker who launched the first attack may have decided that there was money left on the table, or a second hacker saw someone who had paid and decided they'd probably pay again. For the studio, paying the ransom didn't guarantee that its private data would be safe, and in the end it wasn't.
Second, they show that when making ransom decisions, expediency sometimes wins out. When the DDoS attack took down ProtonMail's ISP, it placed immense pressure on the company to pay, and when the studio was faced with a potential leak, it needed to make a decision quickly or face immediate consequences.
When facing a ransom attack, many companies must weigh the cost of paying the fee against the cost of downtime or a leak. The decision is not easy because, as these examples show, paying a ransom just proves that a business is willing to pay.
Paying ransoms fuels criminal networks in other ways too. It funds research and development among hacking groups, which use their ransom proceeds to develop more sophisticated attacks. It also keeps hackers in business: They would not attack if there were no money in it.
We can look at this at an even higher level. In South Korea in mid-June, web hosting firm Nayana suffered a breach affecting 150 of its servers. To regain access to the stolen data, the company paid around $1 million. After the attack became public, seven major South Korean banks received threats of a ransom attack. While the actors aren't known, the proximity of these attacks has led to speculation that a single ransom payment by one firm tipped off hackers that South Korean companies might be vulnerable and willing to pay.
All of which is to say that when it comes to ransoms, pay if you want to keep paying. And as to whether there is honor among hackers, whether we can trust their promises: we never really know.
— Carl Herberger is an IT security expert and responsible for Radware's global security practice.