Ransomware is in the news. But ransom, and the consequences of ransom, have a long chain of historic precedents. One of my favourite history stories is of a young Julius Caesar taken prisoner by pirates on his way to study in Rhodes. When the pirates demand a sum of 20 talents be paid for his release, Caesar is insulted and demands that they increase the sum to 50 talents.
While waiting for his release bond to be paid, Caesar makes himself at home with the pirates giving them orders and even forcing them to listen to his poetry. They are not impressed, but they do find it amusing when he repeatedly tells them that he is going to come back later and have them all killed. After 38 days his ransom is paid, and Caesar raises forces to capture them and yes does have them all killed.
Such was Caesar’s way of dealing with ransom attacks. Our options might be a little different.
The last two weeks have had their share of ransomware hacks. Attacks on the Colonial Pipeline in the US-led to images being spread far and wide of Americans filling up garbage bags with petrol for fear of running out of fuel. This led to a Twitter thread from the US Consumer Product Safety Commission begging people not to.
Closer to home, news broke on Friday of an attack on Ireland’s Health Services system.
How to handle such attacks is now moving from an individual or company problem to a societal problem.
Colonial Pipeline decided to pay their ransom. Thus far indications are that the HSE will not.
Who is right?
On 7 May, Colonial Pipeline, the largest system for transporting refined oil products in the US suffered a ransomware attack. Operations were to be shut down if a $ 5 Million ransom was not paid.
The ransom was indeed paid and in return, the hackers provided a decrypting tool to reverse the damage to the network. It turned out to be an incredibly unhelpful tool taking far too long to decrypt the data. In the end, the Colonial Pipeline was instead restored using backup data.
The Irish attack took place a week later, on 14 May, forcing the HSE to shut down its systems. A ransom of $19.9 Million has been demanded with the added threat of a mass leak of confidential patient data if this figure is not met.
On Wednesday, 19 May 2021, The Financial Times reported that stolen patient data from the HSE is already being shared online.
As the FT explains:
“The files were offered by the ‘ContiLocker Team’ as samples to prove that they had confidential information, according to screenshots seen by the FT. Conti is the name of the type of cyber attack perpetrated on the HSE. It is characterised by taking control of systems, and stealing data, and is associated with a group operating out of Russia and eastern Europe.”
Attacking a public health system is a pretty sickening move. In fact, DarkSide, the Eastern European Hacking group said to be responsible for the US attack has declared attacks on hospital systems to be unacceptable. The group is a strange one though, cultivating a robin hood image by giving a share of their profits to charities.
However, even if you have been targeted by one of these nicer guys, the fact that some of the money is going to a good cause might not be enough of an incentive to just pay the ransom.
How to deal with a problem like this?
The problem of ransoms here actually has some useful academic antecedents.
One is the “tragedy of the commons” scenario. This dates to the 19th century work of William Foster Lloyd. Lloyd uses the analogy of a pasture shared by numerous shepherds as a way of demonstrating the destructive results of self-interest when applied to a shared problem.
He explains that each shepherd understands that the pasture is only able to feed a finite number of sheep in order to be able to regenerate enough for the future. Nevertheless, each shepherd will make a calculation of the individual benefits to be gained by adding more and more sheep to his own flock.
In this case the net gain will be the profit of a larger flock minus the loss of the added strain on the pasture. However, since the loss is shared by all, the shepherd’s share of it is far smaller than his profit by adding extra animals.
It is logical for the shepherds to think this way and through self-motivation, the shepherds will ultimately overburden and destroy the pasture that is the source of their shared livelihoods. It is this destructive drive for personal gain at the expense of the whole that is the tragedy of the commons.
This 19th century analogy has obvious applications today, with the case of climate change a clear issue where short-term individual motivations weigh against collective interests.
The dilemma also plays out in the case of ransomware attacks. The easier thing to do is simply to pay. Especially if you already have insurance for cyberattacks as many do. But paying out the ransom makes it far more likely for more attacks to happen. Lucrative businesses draw new practitioners.
Is this Sensible?
Writing for Bloomberg, Timothy O’Brien has argued that Colonial made the wrong move and presumably then that the HSE is acting the right way.
He goes onto quote the advice given by the FBI:
“The FBI does not encourage paying a ransom to criminal actors. Paying a ransom may embolden adversaries to target additional organizations, encourage other criminal actors to engage in the distribution of ransomware, and/or fund illegal activities. Paying the ransom also does not guarantee that a victim’s files will be recovered.”
So, what is the alternative?
O’Brien goes on to relate the cases of Baltimore and Atlanta as both had their municipalities targeted. Each refused to pay what were comparatively low ransoms – $51 000 in Bitcoin for Atlanta in 2018 and $76 000 in Bitcoin for Baltimore in 2019. Instead, they took on far more expensive upgrades to their networks at a cost of near $ 10 Million each. This took time, far more inconvenience and in the case of Baltimore, a further $ 8 Million of unpaid taxes were lost from the stolen records.
The cost may be high but there are some reasons to think that this is the way to go.
- That whole “Tragedy of the Commons” thing – Fewer ransoms paid, means fewer ransom attacks = a safer everyone.
- A more personal incentive – The story goes that the bank robber Willie Sutton was once asked why he targeted banks. He gave the obvious answer: “Because that’s where the money is.” O’Brien argues that paying ransoms makes you a more likely target for attacks in the future. It becomes clear that you are a reliable source of revenue for would-be hackers in search of a pay-out.
- The hard work is going to have to be done anyway – The truth is that if you want to avoid being the mark over and again then putting the right systems in place is going to be necessary. This can be costly as in the cases of Atlanta and Baltimore, but it must be done so might as well be done now. An upfront cost might be the cheapest option. Plus there is the satisfaction of not giving in to pressure from those holding you hostage.
All this is easier said than done. There are countless Irish people whose sensitive medical records are likely to be leaked for all to see. There are patients whose scans are being interrupted too. Simply paying out the cash would give a lot of peace of mind. It could even save lives. This could also create insane litigation liability as well for damage done to many people whose information has been leaked. It is a pretty damn awful situation and taking the high road isn’t always viable.