What should New Zealand do to combat cyber-ransomware attacks?

  Hadeel Salman describes how hackers are raising their game – and what can be done to deter them – as the impact of another ransomware attack is felt in New Zealand.

    When we think of hostage situations, we usually think of a person being held against their will and released only once the criminals’ demands are met. Ransomware works the same way: a criminal group holds your data hostage until you pay a ransom to regain access to your files. Ransomware operators use the same pressure tactics, such as ransom notes and countdown timers, to frighten you into paying.

    When the Waikato DHB was struck by ransomware last month, that’s exactly what happened. The attackers took control of the district health board’s files and network infrastructure and demanded payment in exchange for their release. The attack disrupted health services: cancer treatments stopped and elective procedures were cancelled.

    As these attacks become more common, it’s worth considering who is behind them, what motivates them, and what might be done to stop them.

    Who are the targets?

    Typically, ransomware hackers prey on individuals and demand small sums, usually between $100 and $200. In recent years, however, hackers have realized that holding businesses and government services hostage is far more profitable. Many businesses, despite their reluctance, pay millions of dollars to restore access to their systems. Colonial Pipeline, based in the United States, paid ransomware criminals 75 bitcoin, equivalent to US$4.4 million.

    Is it better to pay or not to pay?

    The main argument against paying the ransom is simple: paying encourages further ransomware attacks. The hope is that if everyone refuses, the incentive for ransomware attacks disappears and the practice ends. For that policy to work, however, it would need the unanimous support and coordination of every organization: the incentive remains if even a few corporations are willing to pay. And even if paying were made illegal, the ban would be difficult to police.

    It is commonly argued that paying the ransom is far cheaper than rebuilding the company’s systems and data from scratch. The city of Baltimore spent US$18 million restoring its systems and services after refusing to pay a $75,000 ransom. But these businesses are dealing with criminals: even if they pay, there is no guarantee their files will be returned, and even when encrypted data is recovered, firms still have to upgrade, redesign, or rebuild their systems and networks. Refusing to pay may carry higher immediate costs, but it brings larger long-term benefits as the incentive to carry out ransomware attacks falls.

    Other, more convincing arguments exist for refusing to pay hackers. Ransomware attackers have both financial and political motivations. The former is self-evident; the latter is crucial to understand.

    The recent attack on Colonial Pipeline is believed to have originated in Russia and to have been carried out by a criminal organization known as DarkSide. Although the Russian government was not involved in the attack, the Kremlin has not issued a statement condemning it. According to ransomware expert Allan Liska, the hackers “are not acting at Russia’s direction, but they are acting with Russia’s tacit acknowledgments.”

    The Kremlin has long given refuge to cybercriminals operating within its borders, subject to two simple and unstated rules. First, hackers must not attack the homeland, a rule that is hard-coded into the malware itself: the ransomware used against Colonial Pipeline checked each computer’s language settings and, if the default language was Russian, did not proceed with the infection. Second, hackers must avoid targeting countries sympathetic to Russia; the code is meant to hit only businesses in countries opposed to Russia, such as the US.

    Even more concerning is that we can never be certain of an attacker’s identity. It could be a single person, a criminal organization, a terrorist group, or a sanctioned state. For example, the North Korean government is suspected of orchestrating the 2017 WannaCry ransomware outbreak, which targeted companies and hospitals. It affected between 230,000 and 300,000 machines in more than 150 countries, at a global cost of $4 billion.

    When we pay these ransoms we are funding a criminal gang or, worse, a terrorist organization or a sanctioned state. Paying any amount of money to a criminal organization, a terrorist organization, or a sanctioned state violates our international and domestic commitments. The Terrorism Suppression Act 2002 specifically forbids wilfully funding terrorism without lawful justification or reasonable excuse. Paying these ransoms, on the other hand, is perfectly lawful. The New Zealand government has urged businesses and organizations not to pay, but Justice Minister Kris Faafoi has warned that making the payments illegal is not an option. A ransom payment may even be tax-deductible or reimbursed by insurance, which makes paying a far more tempting option.

    What’s next?

    As I write this, another cyber-attack has been discovered, one that is comparable to the Waikato DHB ransomware attack but on a much greater scale.

    This was a supply-chain attack used to deliver ransomware. The attackers planted malicious code in a trusted piece of software, in this case the Kaseya IT management software. Once the code was planted and the software compromised, the hackers could reach the networks of the companies, institutions, and organizations that relied on it.

    The Kaseya supply-chain attack has affected over 200 organizations globally, including St Peter’s School in Cambridge, New Zealand. Coop, a Swedish grocery giant, has been forced to close 500 of its stores for a second day in succession as a result.

    The hackers timed their attack on the Miami-based software firm shrewdly: it landed on a Friday, just before the Fourth of July weekend. This is a common tactic among cybercriminals, who aim to delay discovery while employees are away for a long weekend. Kaseya took a long time to respond, and many customers only learned of the attack on Monday.

    It’s too early to attribute the attack to Russia, but the cybersecurity firm Huntress Labs believes it was carried out by REvil, a Russia-based criminal organization. The language the group’s members use to communicate with one another is the only evidence pointing to Russia so far, and more will be needed to back up the claims made by US authorities.