The first documented ransomware attack occurred in 1989. George Bush, Sr. was president. Microsoft released its first version of Microsoft Office. Millions of people watched When Harry Met Sally. That’s a long time ago.
You would think 30 years later we’d have a grip on ransomware. But organizations are still being held digital hostage on a large scale: According to Cybercrime Magazine, this year there will be a ransomware attack every 11 seconds. Since 1989 we’ve seen little, if any, progress in eliminating this problem.
Part of the difficulty is that ransomware thieves get increasingly inventive and ruthless. In the past they may have simply broken into a computer system and encrypted the data to make it useless. Today, they steal a portion of the data, demand a ransom, and threaten to reveal that data if they don’t get paid. Based on the number of attacks and ransoms actually paid, these tactics seem to be successful.
What can organizations do to protect themselves? On a fundamental level, they must understand the true viability of the ransomware threat, and then do the hard work to improve their security.
The software industry also needs to be more accountable for building software that isn’t as secure as possible. Frankly, they need to do a better job. However, we shouldn’t hold our collective breath hoping that they do so. The priority for any software company is to distribute the next version as quickly as possible — that’s how they generate profits. But even if they magically began to ship 100% secure software, holes would emerge due to the many options companies have for customizing and integrating. To make matters even more complicated, cyberthieves have become experts at immediately discovering flaws in the latest software versions. The ransoms end up funding their next round of attacks, creating an endless cycle that appears to be impossible to break.
While corporations and software companies must play their part, we also need to take down the actual perpetrators. Unfortunately, many ransomware attacks originate from Russia, making it extremely challenging for U.S. law enforcement to bring the thieves to justice. There is a ray of sunshine, as some of Russia’s efforts with botnets have been disrupted. But any victories will be temporary unless we see more cooperation between the two governments.
Beyond the progress that cybersecurity experts and law enforcement officials can make, the reality is that many companies will still face the dilemma of payment: Do they fork over the ransom or not? It’s a complex decision. And you can’t blame a company for believing they have to pay in order to get their data returned. Of course, doing so is a tacit encouragement to cyberthieves that they can continue to steal with no consequence.
Some have called for global legislation to make it illegal for companies to pay ransoms. Doing so would have a number of consequences. First, it may be years until every country not only learns about the legislation, but also enforces the policy. Most importantly, ransomware thieves are, by definition, criminals, so it’s not as if they’re going to stop just because their demand to be paid is now against the law.
Another dangerous consequence: When a company is restricted from paying a ransom, they’ll have no alternative for restoring their data. At best they’ll face serious disruption; at worst they’ll be forced to go out of business.
As we can see, to eliminate the problem of ransomware, we need a mix of technical, legal, and political action. It won’t be easy, but we have no other choice. Otherwise, we’ll continue to let the cyberthieves have their way.