When malicious hackers disable your business and demand a ransom, should you pay up? Many firms do out of desperation, turning to intermediaries to help broker the deal. But law enforcement says this just makes things worse.
Norsk Hydro is a global aluminium producer that got hacked and lost access to all of its computer systems. The hackers, once inside, spent weeks exploring the group’s IT systems, probing for more weaknesses. When they eventually launched their ransomware attack, it was devastating – 22,000 computers were hit across 170 different sites in 40 different countries.
Chief information officer Jo De Vliegher reopens the ransom note that appeared on computers all over the company. It read: “Your files have been encrypted with the strongest military algorithms… without our special decoder it is impossible to restore the data.”
The entire workforce, 35,000 people, had to resort to pen and paper. Some production lines, like those shaping molten metal, were switched to manual operation, with retired workers helping to run things “the old-fashioned way”, but other production lines simply had to stop.
The hackers waited to receive a reply to their ransom note – after all, every minute counts for a modern manufacturing powerhouse. But the reply never came: the hackers were never even asked how much money they wanted. Imagine the shock.
All that work. For nothing.
It’s been more than three months since Norsk Hydro was attacked and they are still many months away from making a full recovery. It’s so far cost them more than £45m.
But what they’ve lost in productivity and revenue, they’ve arguably gained in reputation.
The company’s response is being described as “the gold standard” by law enforcement organisations and the information security industry. Not only did they refuse to pay the hackers but they’ve also been completely open and transparent with the outside world about what happened to them.
But there are many other companies and organisations who make the opposite choice, and evidence is growing that ransomware hackers are increasingly being paid off secretly by victims – and their insurance companies – looking for the easy way out.
“It’s become a simple business case for many organisations to pay, and at this point it’s a known secret that this is happening,” says Josh Zelonis, cyber-security analyst at Forrester.
Sources in the information security industry have described multiple occasions when large, well-known companies have paid out thousands of pounds – in some cases hundreds of thousands – to hackers and not told the public or even shareholders.
Just last week, a Florida town paid hackers $600,000 (£475,000) to get its computers working again after a ransomware attack disabled email, hit emergency response systems and forced staff to use paper-based admin systems.
It’s a troubling trend that’s prompted Europol, the European Union’s law enforcement agency, to re-issue its warning that paying ransoms fuels hackers and often leads to more organised crime.
One US-based company, Coveware, specialises in negotiating ransoms between hackers and their victims. Visiting its offices in Connecticut, it’s clear it operates at the sharp end of cyber-crime.
There is no permanent office, instead people move around shared workspaces. The entire team is dispersed around the world.
Chief executive and founder Bill Siegel admits that the service is an “unpalatable” one, but insists that it is needed. He wouldn’t give details on the companies that he’s helped but says: “At any one time we have half a dozen to a dozen cases, some of the companies are big, including public companies and name brands.”