It is every manager’s nightmare: a crippling cyber attack blocking access to your own data followed by a chilling ransom demand. That was precisely the scenario faced by Sweden’s Coop supermarket chain last weekend as it was forced to shut 800 stores after being targeted by the REvil cyber crime group.
Kaseya, the Florida-based software provider that was initially compromised by hackers, thereby exposing its customers, later revealed that between 800 and 1,500 organisations may have been affected, including 11 schools as far away as New Zealand. The hackers have demanded $70m to release the digitally padlocked data.
Such ransomware attacks are becoming increasingly common, costly and disruptive as we plug new and often poorly secured devices into the internet at a reckless rate. Our collective vulnerability has swelled during the Covid-19 pandemic as we have lived our lives online and worked from less-secure remote locations.
Last year, the number of ransomware attacks increased by more than 60 per cent to 305m as hackers sought to exploit these new opportunities, according to SonicWall, a security company.
This flurry of ransomware attacks highlights our critical dependence on digital services as well as far broader vulnerabilities in cyber space. “The world is on the precipice of a cyber catastrophe,” Nicole Perlroth concludes in her book This Is How They Tell Me The World Ends: The Cyber Weapons Arms Race.
Alarming though that prospect may be, there are many things that can be done to step away from the brink. First, the US and allied states should switch their priority from offence to defence. As Perlroth explains, the US security machine has for decades been priming the market for insecurity by rewarding hackers for finding so-called “zero-day” vulnerabilities in computer systems that can be used against their adversaries. But these exploits sometimes escape into the wild and rebound against the world’s most digitalised societies.

Paying hackers to find vulnerabilities that then remain unchecked has only fed “the research and development” that has undermined the security of core technologies, says Trey Herr, director of the Cyber Statecraft Initiative at the Atlantic Council. “Defence and offence are symbiotic. At the moment we are pulling on the tail of the tiger and it is turning round to bite us,” he says.
To strengthen defence, Herr believes tech companies must be more open about the potential vulnerabilities of their own services. He adds that public money should be spent patching the freely available but buggy open-source software that runs so much of our modern world.
But technology vendors and users must also do far more to improve basic cyber hygiene. The vast majority of attacks use fairly basic hacking techniques, such as scam “phishing” emails. These profit from simple vulnerabilities stemming from the poor design and use of legacy systems, often called technical debt by software developers.
In that sense, cyber experts are right to describe ransomware groups as “technical debt collectors”. Unless we collectively pay off that debt by constantly improving our computer systems we will always remain at risk, warns Emily Taylor, chief executive of Oxford Information Labs, a cyber policy centre. “We are in a collective hallucination that cyber security is different from every other type of security. Ultimately, it comes down to people and processes,” she says.
There remains one specific, and controversial, policy that could help tackle the scourge of ransomware: pass legislation outlawing all ransom payments. One of those arguing the case is Ciaran Martin, the former chief executive of Britain’s National Cyber Security Centre. His argument is one of both principle and pragmatism.
“We should start from the presumption that large scale transfers of wealth to Russian hackers should not be allowed,” he says. He adds that paying ransoms rarely acts as a “magic switch” to restore blocked services anyway. Cybercriminals may leave malware in the system and come back again. That sounds like the 21st century version of Danegeld, the extortion racket run by Viking raiders.
As in cases of terrorist hostage-taking, a policy of banning ransom payments is easy to accept in principle, far harder to follow when your own child is at risk. That makes it all the more vital that we devise a considered and collective response in anticipation of attacks rather than leaving it to panicking hacking victims to respond in a crisis.