Cybersecurity experts have warned businesses against meeting hackers’ demands for money in the wake of the “unprecedented” attack on hundreds of thousands of computer systems around the world.
Ransomware is a type of malicious software that blocks access to a computer or its data and demands money to release it. The worm used in Friday’s attack, dubbed WannaCry or WanaCrypt0r, encrypted more than 200,000 computers in more than 150 countries for ransoms of $300 to $600 to restore access.
The full damage of the attack and its economic cost were still unclear, but Europol’s director, Rob Wainwright, said its global reach was unprecedented, and more victims were likely to become known in the coming days.
The extent of the WannaCry attack prompted questions about what to do in the event of a ransomware infection, with many experts advising against paying the ransom, saying not only could it fail to release the data, it could expose victims to further risk.
Peter Coroneos, the former chief executive of the Internet Industry Association and an expert on cyber policy, said whether or not to agree to ransomware demands presented practical and ethical dilemmas.
“As a matter of principle, the answer should always be no … based on the simple dynamics of perpetuating bad conduct.
“However, as a matter of practicality and necessity, the situation is somewhat more complex.”
Coroneos pointed to the Telstra cybersecurity report 2017, which found that 60% of Australian organisations had experienced at least one ransomware incident in the previous 12 months.
Of that figure, 57% paid the ransom. Nearly one in three of the organisations that paid did not recover their files.
“You really are rolling the dice if you choose to pay a ransom, and your chances aren’t good,” the researchers found.
Coroneos said paying the ransom was a “dubious choice” when it did not guarantee the release of the data and could have the effect of labelling businesses as a “soft target”, increasing their chances of being attacked again in future.
For that reason, even if meeting a ransomware demand did result in the data being released, Coroneos said improving cyber security practices afterwards was of the utmost priority.
But choosing not to pay was not without consequences, said Coroneos, particularly for businesses without backup or recovery strategies in place. “You may have to be pragmatic this time and hope you’re dealing with a reliable ransomer.”
Trevor Long, a technology commentator for EFTM.com.au, said ransomware attacks were now commonplace, and part of what made them so hard to guard against was their typically “scattergun, random” approach. “It’s rare a business or person is targeted … victims are the unlucky ones.”
He acknowledged, in the event of an attack, that businesses’ options were limited.
“The moral and ethical challenge is the ‘we don’t negotiate with terrorists’ line we’ve all seen in movies,” he said. “We feel that’s the right approach, but we are also presented with losing valuable personal memories like photos and videos – or, in the case of businesses, important documents or financial data.
“Sadly, once infected, you really only have two options: pay, or walk away.”
The “No More Ransom” online resource developed by Europol, Dutch police and industry partners advises that paying the ransom is “never recommended, mainly because it does not guarantee a solution to the problem”.
Its Crypto Sheriff tool was designed to help victims define the type of ransomware affecting their device in the hopes there is an existing solution available, but warns: “Unfortunately we don’t have decryption tools that work for all types of ransomware. Yet.”
Assoc Prof Mark Gregory, leader of the network engineering research group at RMIT University, said paying the ransom “should be a matter of last resort”.
“These people are criminals, and paying money to a criminal is never a good idea. However, if it’s a trade-off between losing your lifetime’s family photos and making a payment to a criminal, then it’s up to the individual to make that judgment call.
“It would be very hard to walk away.”
But Gregory said it would be “self-defeating” for hackers not to release data upon receipt of a ransom, “because that would immediately hit the media, and no one would pay”.
But not all ransomware attacks were motivated by financial gains, he added.
“If they’re a professional criminal organisation, their business model will be to release people’s computers once they’ve paid the money, but you don’t know. It could be someone having a laugh, or someone who’s trying to learn, or someone who’s released it accidentally.
“You just do not know – that’s the problem.”
With such attacks hitting computer systems at an “ever-increasing rate”, Gregory said prevention was the best course of action.
With outdated operating systems “easy targets”, he urged individuals and businesses to automate updates and invest in software that protected against viruses, malware and ransomware across not only their computers, but tablets and mobile phones as well.
“It’s a combination of factors that will keep people safe ... For individuals, families have got to work together and companies have to take the time to ensure that their cybersecurity practices are up to date.”
Gregory recommended regular if not daily backups of personal data, which would allow victims to wipe the infected computer, reload their data, and start again.