In a recent statement to the press, ANZ’s Bank chief information security officer, Lynwen Connick warned organisations against paying ransoms to hackers, saying the payments only lead to more attacks.

The statement came off the back of two international high profile cyber-attacks.

Connick referred to the incidents involving the meat-processing company JBS and USA Georgia-based Colonial Pipeline, both of which ended in multi-million ransoms being paid to hackers after they froze computer systems and brought their respective operations to a halt.

“When organisations pay ransoms, it gives the perpetrators more funding and more motivation to continue with their attack,” said Connick.

Professor Paul Haskell-Dowland, Associate Dean for computing and security, Edith Cowan University, Perth, and member of the ACS Cyber Security Committee, said that most police and cyber advisory units recommend against paying ransom demands.

In the case of Colonial Pipeline, the CEO authorised the payment as they simply didn’t know how or when they would be able to recover their systems.

“What is interesting, in the Colonial case, is the FBI were able to recover some of the ransom money,” said Professor Haskell-Dowland.

“The fact that the monies were recovered indicates the FBI somehow had access to a Bitcoin wallet containing the funds, quite likely from other criminal investigations.”

He said the recovered ransom for Colonial was remarkable.

“It’s almost unheard of – raising the question of whether it was a deliberate strategy, to recommend payment and trace the funds until they reached a known destination or whether it was just good fortune.”

Sobering statistics

In a recent Sophos annual report, The State of Ransomware 2021, the study found 37 per cent of respondents’ organisations were hit by ransomware in the last year.

Fifty four percent that were hit by ransomware in the last year said the cybercriminals succeeded in encrypting their data in the attack.

The average ransom paid by mid-sized organisations was US$170,404.

And, on average, only 65 per cent of the encrypted data was restored after the ransom was paid.

The average bill for rectifying a ransomware attack – considering downtime, human resources, device costs, lost opportunities and ransom paid – was a staggering US$1.85 million for each attack.

Paying the ransom

Prof Haskell-Dowland said that paying the ransom doesn't always help.

A company paying the ransom is 'trusting' that this will be the end of the problem.

Cyber criminals are likely to be motivated to leave a 'back door' open into the system to re-infect or further exploit.

“Even if you pay the ransom, what you don’t know is whether a hole or malware in your systems that was introduced in the attack will be used to implement the next ransomware attack.”

“You have no guarantee that the attack is over once you pay or that some other group could then exploit that same vulnerability, so you could get hit again.”

Another issue is when a ransom is paid, the bad actors know that you’re willing to pay. “This could identify you as a vulnerable profitable target.”

Then there is the inconvenience, the public relations disaster and the massive bill to fix it all.

Increasingly, cyber-criminals are extending their attacks beyond simply locking out systems and data. To encourage payments, many attacks will exfiltrate data.

“This data is then used as a 'threat' to pay up, or the data will be sold or leaked online, This is often referred to as 'double extortion',” adds Professor Haskell-Dowland.

“The worst situation is you get hit and your systems go down and you lose business and public face and then you pay ransom for this – a full whammy!”

What to do

Professor Haskell-Dowland said the most critical part of not getting attacked is to be ‘ransom ready’:

1. Educate staff. One person can bring down an organisation, just by opening a single email attachment or by visiting a dodgy website. Avoid opening attachments from unknown sources.

2. Implement appropriate technical counter-measures such as firewalls, anti-malware, intrusion detection systems, monitoring logs and ensuring back-ups are functioning (and tested).

3. Have a strategy on how to deal with the inevitable. Know how and who to handle the investigation and how to recover, and how to deal with post-incident investigations and repair work.

If you are facing a ransomware incident:

1. Disconnect devices – it is critical to ensure the malware does not spread further inside your organisation or externally.

2. Keep accurate records – ensure you have photos and copies of any pertinent information, including the ransom demands.

3. Get advice from the right people at the right time – contact the Australian Cyber Security Centre immediately.

Recently, the Australian Shadow Minister for Cyber Security, Tim Watts, introduced a private member’s bill to parliament to help fight the surge in online extortion.

The bill would require organisations to notify the Australian Cyber Security Centre (ACSC) before making any ransomware payments or risk incurring a $220,000 fine.