When one is confronted by a criminal or terrorist demanding a ransom in exchange for a loved one who has been held hostage, the general rule of thumb is not to pay up and go to the police.
That’s the sensible thing to do, lest you create more incentives for kidnappings and inadvertently finance terrorist and criminal groups. Why then, should individuals and organisations who have been hit by ransomware pay the perpetrators behind those attacks?
Yet, Nayana – a South Korean web hosting company – did just that, dishing out $1m worth of bitcoin to restore the websites and data of its customers that had been held ransom by the Erebus ransomware.
Sure, the business damage (think customer lawsuits) to Nayana of not doing would have been huge, but so would the damage caused by the negative press on the company’s poor cyber hygiene that opened the doors for hackers. Even if the customers got their data back, will they still continue hosting their websites with the company?
Nayana’s website was believed to be powered by older versions of Apache and the Linux kernel with known vulnerabilities that were possibly exploited by Erebus.
Why weren’t the vulnerabilities patched? Was Nayana using a community version of a Linux distro or an enterprise version supported by a vendor? These are questions that every organisation like Nayana needs to ask itself, not just in the aftermath of a cyber-attack but also in making technology decisions.
Cases like Nayana serve as a timely reminder – and a wake-up call for that matter – on the importance of maintaining a good security posture, like how you would exercise some common sense when you’re in a seedy neighbourhood.
In the digital world, things will only get worse with the proliferation of internet of things (IoT) devices.
Many IoT devices are susceptible to ransomware and it is likely that attacks targeting these devices will happen more frequently, says Mark Hearn, director of IoT security at Irdeto.
“When you throw in the potential target of connected cars, where high-profile hacks of a number of vehicles have been reported (impacting manufacturers like Tesla, Mitsubishi and others), it’s clear that action is imperative.
“Payment of these ransoms will only serve to encourage the attackers. Not only should companies avoid paying, they must take cyber security more seriously. Many of these attacks, including the WannaCry ransomware attacks that wreaked so much havoc last month, could have easily been avoided if organisations implemented a defence in-depth approach to cyber security.
“This approach involves many layers of security being implemented throughout the infrastructure, rather than simply protecting systems from the outside-in, in addition to a security in-depth strategy for endpoint devices, incorporating run-time integrity verification of the device,” he says.