Background
According to Wikipedia, the generic meaning of the word ransom is the payment made to a captor for the release of a captive (person) or a valuable. The meaning is no different in cybersecurity: a captor (a cybercrime actor) captures the data belonging to an organization or person by using specialized software tools (ransomware) to encrypt the data, or by modifying the access path to the data, so that the legitimate owner is denied access to it either in full or in part, and sometimes the captor also exfiltrates the data. In most cases, the motivation of these cybercriminals is to demand a ransom payment from the owners of the system or data.
The dilemma
The dilemma then arises whether to pay the ransom and have the data decrypted or retrieved, or not to pay the ransom and lose the data permanently. Again, is there any guarantee that once the ransom is paid, the attackers will decrypt the data and refrain from launching further ransomware attacks? While addressing this dilemma, the ethical considerations of the cybersecurity profession must be held in high esteem. This leaves CISOs (chief information security officers) with the challenge of balancing the ethical standards of their profession, which in most cases discourage the payment of ransom to cybercriminals, against the need to retrieve the lost data for their organization.
The growing ransomware trends
One of the worst ransomware attacks of recent times was WannaCry (2017), which spanned industries and continents; once launched, it blocked user access to files or systems, holding files or entire devices hostage using sophisticated encryption technologies. Over $500 million was estimated to have been paid in ransom to the attackers, making the launching of ransomware attacks a rather lucrative criminal venture. According to Helpnet Security, there were nearly 293 million ransomware attacks in 2021 (see fig 1), an increase of about 134% over the attacks in the previous year, 2020. STATISTA depicts a similar ascending trend between 2016 and the first half of 2022. However, according to statista.com, the number of ransomware attacks/incidents recorded in 2016 is higher than those recorded in the successive years, as shown in fig 2. They explained this as being due to a lack of investment in tools that could prevent these attacks, or a lack of sufficient awareness of the trend among ICT professionals.
Figure 1. Ransomware attacks between 2017 and 2021.
Figure 2. Ransomware attack trends according to STATISTA 2022 report
Should data breaches be handled transparently?
Whether or not the handling of a data breach should be made transparent, such that the affected user groups learn of the breach, depends on the industry in which the victim organization operates. In the LockBit ransomware attack launched on Accenture’s network, the criminal actors had already published some of the stolen proprietary information on their websites; Accenture’s customers were therefore already aware of the attack, and it was best handled transparently to allay the customers’ fears. In our Ghanaian setting, if the attacked victim organization is in the FinTech or banking industry, it will not be ideal to handle the attack transparently, since this could lead to panic withdrawals and the consequent potential collapse of the affected organization. This is premised on the fact that the technology acceptance readiness level of most Ghanaians is not yet fully fledged; there is still a lot of doubt in people’s minds about the security and safety of their digital assets and investments. Hence, full disclosure should be exercised with much care.
In the fast pace of global digitalization, more people and organizations are adopting and adapting to the use of digital and online platforms to improve their business processes. More data is being stored on cloud platforms than ever before in history; thus, there is a rather sharp increase in the patronage of digital solutions. Owing to this, and to the trend depicted in the graph in fig 1, there will undoubtedly be more ransomware attacks, since cybercriminals are finding them increasingly rewarding. The time to nip this menace in the bud is now. All cybersecurity professionals must reconsider advising their organizations to pay these ransoms and should rather invest these monies in building more robust solutions to defend their company’s digital information. This will serve to demotivate cybercriminals.
Should ransom be paid?
Regarding payment of ransom, the only advantage is that the organization stands a chance of retrieving its stolen data, either fully or in part, though even this is not guaranteed. In the heat of a breach, the focus of most victim organizations is to retrieve the data as soon as possible to ensure business continuity, rather than reinventing the wheel to rebuild the data. However, the aftermath of the breach after the ransom is paid presents more disadvantages for posterity. One such disadvantage is that more criminals will find it rewarding to develop ransomware and to launch further attacks on other organizations, especially those with huge balance sheets. In a nutshell, payment of ransom comes with immediate but temporary benefits and a long-term disadvantage to other organizations and individuals.
Finally, it is my candid view that a victim organization must consider dealing transparently with cybercriminals regarding a launched ransomware attack. This should be a strategy intended to cause the criminals to compromise so that as much support as possible could be received in order to retrieve the lost/stolen data. The transparency should, however, be limited only to the breached data. Again, transparency should be considered with discretion such that in the process of engagement, the criminals will not get the impression from the outset that the victim organization will refuse payment of the ransom, since this could cause the criminals to destroy the data entirely and walk away. Ransom should not, under any circumstance, be paid to any cybercriminals.
Conclusion
In conclusion, a ransomware attack is a threat to the global ambition for digitalization being spearheaded by the United Nations under its Sustainable Development Goals. The persistence of such attacks, especially in the growing era of digital currency and e-commerce, could defeat customers’ confidence in digital solutions, especially in financial transactions and in protecting personal data. Hence, I advise organizations to create backups to safeguard themselves against breaches in the event of ransomware attacks, rather than rushing to pay a ransom and thus creating jobs for cybercriminals. Remember, any ransom you pay feeds a hungry cybercriminal.
Author: Elolo Alfred Konglo | Ag. Head, ICT Infrastructure, Directorate of ICT, Ho Technical University | Regional Communication Director, IIPGH, Volta/Oti
For comments, contact Email: ekonglo@htu.edu.gh or Mobile 0244304540/0572089098