The Trials and Tribulations of Paying Ransomware Hackers

Hackers hit German enterprise integration and IoT platform Software AG with ransomware twice this month.

On Oct. 5, data was downloaded from the company’s servers and employees’ notebooks, and its internal systems were disrupted. The hackers reportedly demanded more than US$20 million to decrypt the data.

When Software AG refused, the hackers released screenshots of employees’ passport and ID scans, emails, and financial documents taken from its internal network onto the Dark Web, according to ZDNet.

The Software AG attack is a so-called “double extortion” attack, in which hackers exfiltrate sensitive commercial information before encrypting the victim’s data, then threaten to publish it unless their ransom demands are met, according to Check Point Research, which provides cyber threat intelligence to customers of its parent company Check Point Software, as well as to the intelligence community at large.

Double extortion attacks are one of the “more creative ways” of getting ransom money that hackers are moving toward, multinational professional services network KPMG reports.

Ransomware Gangs Rev Up

“Ransomware gangs are becoming bolder and more sophisticated, going after larger and more lucrative targets with their criminal attacks,” said Saryu Nayyar, CEO of global cybersecurity company Gurucul. The attack on Software AG “is one of the largest ransomware attacks, but it will certainly not be the last.”

There’s no question that hackers are getting increasingly ambitious — the average ransom demand increased from about $29,000 in 2018 to more than $302,000 in 2019, according to the Digital Assets and Data Management Practice Group of law firm BakerHostetler.

The largest ransom demanded last year was $18.8 million, and the largest paid was $5.6 million. “We are seeing payments made on a daily basis,” BakerHostetler’s group stated. “That’s how big this issue is.”

“Ransomware has gone from opportunistic and transactional agnostic attacks to more targeted and persistent attacks looking to take down big game,” Mark Sangster, Vice President and Security Industry Strategist at managed detection and response firm eSentire, told TechNewsWorld.

The gangs are also more active now. There were almost twice as many ransomware attacks in the U.S. in the past three months as there were between January and June, according to Check Point Research.

That is partly because the pandemic has forced organizations to change their business structures, which often leaves gaps in their IT systems, Check Point said. “These gaps have given cybercriminals the opportunity to exploit security flaws and infiltrate an organization’s network. Hackers will encrypt hundreds of thousands of files, incapacitating users and often taking whole networks hostage.”

Remote working “increases the risk of a successful ransomware attack significantly,” KPMG stated. This “is due to a combination of weaker controls on home IT and a higher likelihood of users clicking on COVID-19 themed ransomware lure emails. Given levels of anxiety, criminal groups are increasingly switching to COVID-19 themed lures for phishing.”

To Pay or Not to Pay?

The victim’s data is actually encrypted in almost 75 percent of ransomware attacks, according to a global survey of 5,000 IT managers commissioned by cybersecurity firm Sophos.

The survey also revealed that 56 percent of victims restored their data from backups, while only 26 percent got it back by paying the ransom.

However, “In certain situations, paying the ransom may not be the only option but it might be the best expeditious option for various reasons,” Ron Pelletier, Founder and Chief Customer Officer at managed detection and response firm Pondurance, told TechNewsWorld.

Take the municipality of Lafayette, Colorado, which paid hackers a $45,000 ransom in July after they took over its systems and blocked access to its data.

Lafayette paid up after looking at alternative solutions because “in a cost-benefit scenario of rebuilding the City’s data versus paying the ransom, the ransomware option far outweighed attempting to rebuild,” the City said. “The inconvenience of a lengthy service outage for residents was also taken into consideration.”

Pondurance has worked with “several new clients” that had paid a ransom and turned to it for help, Pelletier remarked.

The FBI advises victims to contact it rather than pay a ransom; organizations that pay are seen as easy marks by cybercriminals and invite further attacks.

Paying a ransom also makes a ransomware attack more expensive to deal with, not less. Sophos found that the average cost of remediating an attack is just over $730,000 for organizations that do not pay and more than $1.4 million for those that do, since the ransom comes on top of the recovery work rather than replacing it.

Legal Issues of Paying Ransom

U.S. law does not prohibit paying a ransom per se, but victims who pay money to people or organizations that have been sanctioned by the U.S. government expose themselves to serious legal trouble.

The U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC) issued an advisory in October stating that Americans “are generally prohibited from engaging in transactions, directly or indirectly,” with entities on its Specially Designated Nationals and Blocked Persons List (SDN List), with other blocked persons, and with those covered by comprehensive country or region embargoes.

OFAC imposes sanctions on cybercriminal gangs and on “others who materially assist, sponsor, or provide financial, material, or technological support for these activities” under the authority of the International Emergency Economic Powers Act (IEEPA) and the Trading with the Enemy Act (TWEA) of 1917.

The IEEPA is a U.S. federal law authorizing the President to regulate international commerce after declaring a national emergency in response to any unusual and extraordinary threat to the nation that is located partly or wholly abroad. It has been used to target non-state individuals and groups such as terrorists and cybercriminals.

The TWEA is a U.S. federal law that gives the President the power to oversee or restrict any and all trade between the nation and its enemies in times of war.

Any transaction that causes a violation under IEEPA, including a transaction by a non-U.S. person that causes a U.S. person to violate IEEPA-based sanctions, is likewise prohibited under these laws. A ransom payment routed through an intermediary or paid in cryptocurrency does not change this analysis: the prohibition covers indirect transactions as well.

OFAC may impose civil penalties for sanctions violations on a strict-liability basis, meaning that a person subject to U.S. jurisdiction may be held civilly liable even “if it did not know or have reason to know it was engaging in a transaction with a person that is prohibited” under OFAC regulations and sanctions laws. In practice, this is why the identity of the attacker matters before any payment is made, not after.

Civil and criminal penalties “can exceed millions of dollars,” Gregory Szewczyk and Philip Yannella of law firm Ballard Spahr wrote.

The payments could also violate anti-money-laundering laws and result in a company being categorized as a Money Services Business under the U.S. Bank Secrecy Act and Treasury Department regulations, Szewczyk and Yannella cautioned.

That would require the company to register with the Treasury Department and would make it “subject to a complex array of laws and regulations” designed to combat money laundering.

Due Diligence Is Crucial

That said, not all criminals are connected to a sanctioned entity, Ted Kobus, Chair of BakerHostetler’s Digital Assets and Data Management Group, told TechNewsWorld. “In fact, the overwhelming majority are not.”

The OFAC advisory makes it clear that cooperation with the FBI is critical and that this cooperation “will be viewed as a significant mitigating factor” when it comes to enforcement, Kobus noted.

BakerHostetler says companies generally retain a third party to conduct due diligence before paying, to confirm that the ransom is not going to a sanctioned entity and that money-laundering laws are not being violated.

“The due diligence process is not costly, and if you involve the right experts, it can happen without tremendous expense and effort,” Kobus remarked. “As such, companies of all sizes will be expected to undertake an appropriate due diligence process.”

Richard Adhikari

Richard Adhikari has been an ECT News Network reporter since 2008. His areas of focus include cybersecurity, mobile technologies, CRM, databases, software development, mainframe and mid-range computing, and application development. He has written and edited for numerous publications, including Information Week and Computerworld. He is the author of two books on client/server technology.