To pay or not to pay
Medibank’s very public decision not to pay a ransom for the return of sensitive data on 9.7 million current and former customers has created a lot of debate, and for good reason.
On the one hand, being very transparent and vocal on not paying is a clear message that might deter would-be cyber extortionists from taking that path in the future; on the other hand, you are now virtually guaranteeing that this data will be exposed with untold harm to millions of people – which has already started to happen.
It’s a no-win situation for Medibank, regardless of the decision it had taken. Ultimately, someone or some group committed a crime in hacking Medibank’s systems and stealing the data in the first place, so you can’t hold the company liable for somebody else’s illegal actions.
Sure, Medibank probably needed to do something more to ensure the security of its data – an obligation that’s not without precedent. In most Australian States it is illegal to leave your car unattended and unlocked. Why is that the case? A vehicle is a dangerous thing that can cause a lot of damage in the wrong hands, so making it easier for those wrong hands to use it should be discouraged.
Our personal data is no different. In the wrong hands, it can cause a lot of damage, especially financial information and health data. The biggest threat from the exposure of personal health information is identity theft, but it “could also open some people up to blackmail if it were released — or make them less open with healthcare professionals, says Dr Rob Hosking, who chairs the Royal Australian College of General Practitioners’ technology committee.” (ABC News – What do criminals want with our health data — and what could they use it for?)
Taking the unlocked car analogy, we need to be doing a lot more at a regulatory level in enforcing greater security and protection of our personal data – so it’s good to see the Federal Government acting quickly on this.
Putting corporate security obligations aside for a minute and looking at the pros and cons of paying the ransom, they are pretty clear. A typical ransomware case involves a cyber adversary breaching an organisation’s systems and either locking up or disabling core applications or encrypting the data, then demanding a payment to undo the damage. If you can’t quickly recover to full operations (or recover at all!) the economic cost and reputational damage of not paying the ransom is likely to be too great – so it’s better that you pay.
That isn’t too far removed from an old-fashioned kidnapping. Once the ransom has been paid, there is no point in the kidnapper harming the victim, so more than likely they will be returned safely to the family. You could argue that paying the ransom makes sense – as long as you can be sure that your systems are now secure and the adversary is not able to repeat the dose.
How do we try to stop ransomware attacks altogether? I remember being in Italy in the early 1990s when kidnapping was still rife. It was a common sight walking around a city to see police armed with sub-machine guns guarding residential buildings, protecting specific families living there. It forced Italy to take a very tough stance. According to Decode39, “after years of high-profile kidnapping cases and ever-larger sums being paid to criminals, in 1991 the Italian government took a decisive step. It enacted a law that established the freezing of the financial assets of the captive’s family and loved ones, i.e. those who could have been coerced into paying. The somewhat brutal reasoning held that it was necessary to destroy the incentive for criminals to kidnap people, eradicating the possibility of a reward.”
Freezing the assets of a corporation (or instituting harsh financial penalties) to prevent a ransom being paid might work in discouraging typical ransomware attacks – but it won’t work for an extortion demand where data has been taken. That’s because the criminal group has an alternate source of income to the ransom demand. It can sell the data, or use it in other ways to make money. So, for Medibank, that’s why it’s been left in a no-win situation. If it paid the ransom, there’s still no guarantee that the data won’t be exposed or sold to other parties. It’s a criminal entity Medibank is dealing with, after all.
If we really want to stamp out ransomware, we’ve got to tackle the core issue – cryptocurrency. As NPR puts it, the rise of cryptocurrencies has resulted in a surge in ransomware attacks because it has solved the problem that “has long plagued bank robbers and drug smugglers: how to transport and hide huge sums of ill-gotten gains without getting caught?”
The anonymity and difficulty in tracing some cryptocurrency transactions has made it so much easier for cyber criminals to execute successful ransomware attacks. In the Optus data breach, SmartCompany states that Monero was the crypto of choice for the Optus ‘hacker’ because it is “near-impossible for law enforcement to trace crime-related Monero transactions.”
Law enforcement agencies either need to get much cleverer at tracking down cryptocurrency payments (like the US Department of Justice (DOJ) was in seizing $715,000 in Bitcoin from North Korean ransomware actors) or, as cryptocurrencies become more mainstream, there needs to be a much stronger global regulation of cryptocurrencies … which opens another can of worms …
