Many of the victims chose to pay up. In June, the University of California said it paid $1.14 million to extortionists who’d besieged servers at its medical school. CWT, a travel-management company, handed over $4.5 million worth of Bitcoin last month to resolve a hack, Reuters reported. Garmin Ltd., which sells portable devices linked to global positioning systems, suffered outages in the final week of July it said were due to a cyber attack. While the company hasn’t commented on how it solved the interruptions, various media reports put the ransom demand at $10 million.
In the past four years, Kivu Consulting has been involved in more than 700 ransomware incidents. Last year, the cyber security firm was the agent for 143 payments worth more than $17 million. So what should you do when the email arrives saying you’ve been hacked, your data has been compromised and if you don’t pay a ransom, your servers will remain frozen? I caught up with Winston Krone, Kivu’s global managing director, to find out. The following is a lightly edited transcript of our telephone conversation this week.
MARK GILBERT: The number of ransomware attacks has climbed substantially this year. Is lockdown having an impact?
WINSTON KRONE: We’re in the middle of a huge wave of attacks right now. Companies are coming back to work, employees are bringing infected computers back into the organization. Attackers have waited. The value of a ransomware attack is much bigger now that companies have gotten through the worst part of Covid and have the money to pay. It’s all about business interruption, that’s why people pay a ransom. If the company’s not working, if it’s hobbling along, a ransomware attack is not going to have the impact it would if the company was going full blast. We had attacks a couple of months ago where the victim of the attacks said, “We’re not sure we’re gonna be in business, we’re not paying a ransom because we’re not sure we’re gonna make payroll next month.”
MG: Given that companies are reluctant to admit to being hacked or paying ransom, how big is the iceberg that we only see the tip of?
WK: I would suspect the ratio is about 10/1, based on our metrics in the past four years where we know the number of ransomware attacks we were involved in that went public. There are very few unreported cases for publicly traded companies these days. Four years ago there was a huge embarrassment factor, now there’s no incentive to keep it secret. If anything, there’s quite a bit of sympathy for public companies that are hit with ransomware attacks. Of course, it’s different for private companies.
MG: Of the industry-identifiable ransoms your company handled last year, more than half came from manufacturing companies even though they were the targets of less than a fifth of attacks. Why the disparity?
WK: Because of just-in-time manufacturing, they aren’t able to go offline even for just a few days. Increasingly we deal with clients who are under penalty clauses if they can’t get stuff out. It becomes a purely mathematical equation as to whether or not to pay a ransom. And the attackers know this. The hackers know that manufacturers will pay more.
MG: Are cyber terrorists increasing the amounts they demand?
WK: You’ve got different types of cyber extortion, like with other criminal activity. There’s the young thug who will grab your mobile phone late at night outside the tube station, and then you’ve got sophisticated gangs who will break in to steal gold bullion. Some of the attack groups we’ve seen, they’ll stick to their numbers, a quarter of a million dollars where these companies will just pay it, bury it and move on, and they’ll be hitting four or five companies a day. Then you get the guys who are going for the big ones, going for $10 million. It’s grown into an enormous ecosystem. You’ve got groups who will facilitate attacks, you’ve got hackers for hire, you have groups who all they do is dispose of bitcoin.
MG: How willing are they to negotiate?
WK: It completely depends on the group, and that’s something we stress with clients. In the decision about whether to pay, there’s a bunch of different steps you need to think about. Is the decryption going to actually work? Even if it works, a lot of the ransomware can corrupt things like databases. You’ve got to know the ransomware variant. In at least half of the cases, you’re gonna have to go back to the attacker and get their help to get the decryption going, because it’s not one decryption key for the entire attack, every single computer will have its own decryption key, every single infected computer.
Sometimes these attackers are dealing with a dozen victims, so we’ve had the decryption keys for the wrong client sent to us. If you want to bring down the price, that can work so long as it’s a bona fide move and you will pay the lower price. If it’s a question of just stalling for time and you play it badly, the attackers will just double the price. The reason you’re paying is to get back online quickly, but you’re losing time haggling. If you’re losing $250,000 a day in revenue then messing around for several days to try to bring the price down by $50,000 doesn’t make sense.
MG: So it sounds like if you do get hacked, you hope it’s by a more sophisticated player?
WK: You want to be attacked by somebody who’s not a complete clown, who can supply you with the right decryption tool to decrypt your data, and who understands that this is a difficult process for you. There are attackers out there who are completely inept and don’t know what they’re doing. We’ve had situations where, halfway through the attack, the client wanted to pay a ransom, the attacker disappears and never comes back. That’s because other attackers, the head of the Mafia, decides that this group is so bad that they just yank them halfway through the attack. So you want to be hit by someone who’s very technical.
MG: Are the ransom payments always made in Bitcoin?
WK: Traditionally they were. There’s been a move away from Bitcoin. Attackers know that their ransom payments are being traced across wallets and law enforcement is beginning to be able to track people down. Non-Bitcoin currencies are not as traceable. That said, it’s harder for victims to get hold of other cyber currencies, and the attackers know this.
This column does not necessarily reflect the opinion of the editorial board or Bloomberg LP and its owners.
Mark Gilbert is a Bloomberg Opinion columnist covering asset management. He previously was the London bureau chief for Bloomberg News. He is also the author of “Complicit: How Greed and Collusion Made the Credit Crisis Unstoppable.”
For more articles like this, please visit us at bloomberg.com/opinion
©2020 Bloomberg L.P.