It may be time for organizations to stop paying the ransom when they sustain a ransomware attack, according to Caleb Barlow, CEO of CynergisTek. On the CyberWire’s Hacking Humans podcast, Barlow discussed the recent tragic case of a woman in Germany who died after the nearest hospital sustained a ransomware attack, forcing her ambulance to divert to another hospital twenty miles away. While the crooks in that case stopped the attack after being informed that they’d hit a hospital, Barlow said criminals will continue evolving their tactics and targeting critical systems to extract a ransom.
Late last year, for example, ransomware gangs began exfiltrating victims’ data before triggering the ransomware. This allows them to demand a ransom in exchange for not publishing the data, so the victim will be pressured to pay even if they’re able to restore from backups.
Barlow thinks the next evolution will be criminals targeting the integrity of data, in addition to availability and confidentiality. In the case of a hospital, this could have life-threatening implications.
“This is just going to continue to get worse,” Barlow said. “And what I keep cautioning people on is the new thing to worry about isn’t that they lock up your data, it’s not that they release your data – it’s that they change your data. And I don’t think most security systems are monitoring what appears to be legitimate access to data if somebody changed it. That’s the thing we really need to prevent against. And there are ways to prevent this. … Imagine if I change data in the supply chain. Imagine if I change data in a healthcare record. All of a sudden, I break all of the trust in that system. I don’t have to change all of the data. I just have to show I can change one record, and no one can trust any of the data.”
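One defensive control against the integrity attack Barlow describes is out-of-band tamper detection: a monitor that holds its own key computes a keyed hash per record at a known-good time and later re-checks every record, so a single silently modified, added or deleted record is flagged even though the change looked like legitimate access. The following is an added example, not code from the podcast or from CynergisTek; the patient records, the monitor key and the record layout are all constructed for illustration.

```python
import hashlib
import hmac
import json

# Constructed sample data: a tiny "patient record" table standing in for a real database.
RECORDS = {
    "P-1001": {"name": "A. Example", "blood_type": "O-", "allergies": ["penicillin"]},
    "P-1002": {"name": "B. Example", "blood_type": "AB+", "allergies": []},
}

# Hypothetical secret held only by the integrity monitor, not by the application that
# writes records; a party with plain database write access cannot recompute valid tags.
MONITOR_KEY = b"constructed-demo-key-do-not-use"


def canonical(record: dict) -> bytes:
    # Stable serialization so logically equal records always hash identically.
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def tag_records(records: dict, key: bytes = MONITOR_KEY) -> dict:
    """Return {record_id: hex HMAC-SHA256} computed at a known-good point in time.

    The record id is bound into the tag so a valid record cannot be copied over
    another id without detection.
    """
    return {
        rid: hmac.new(key, rid.encode() + b"\0" + canonical(rec), hashlib.sha256).hexdigest()
        for rid, rec in records.items()
    }


def verify_records(records: dict, tags: dict, key: bytes = MONITOR_KEY) -> list:
    """Return the sorted ids of records that were modified, added or deleted since tagging."""
    current = tag_records(records, key)
    suspect = []
    for rid in set(records) | set(tags):
        if rid not in tags or rid not in current:
            suspect.append(rid)  # record added or deleted behind the monitor's back
        elif not hmac.compare_digest(current[rid], tags[rid]):
            suspect.append(rid)  # content changed while the id stayed the same
    return sorted(suspect)


if __name__ == "__main__":
    baseline = tag_records(RECORDS)
    tampered = {**RECORDS, "P-1001": {**RECORDS["P-1001"], "blood_type": "A+"}}
    print("clean:", verify_records(RECORDS, baseline))      # []
    print("tampered:", verify_records(tampered, baseline))  # ['P-1001']
```

Storing the tags and the key on a system separate from the record store is what gives the check its value; if both live where the records do, whoever changes the record can re-tag it.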
Barlow said the increasing sophistication and damage caused by these attacks has changed his opinion on paying the ransom.
“When this first started, these ransomware demands were like $500,” he said. “And I would tell clients all the time, look, you know, law enforcement’s going to recommend you don’t pay it. It’s five-hundred bucks. Pay it. Move on. It’s just – you know, worst-case scenario, you’re losing five-hundred bucks. And I was saying the same thing when it was $10,000. And you would occasionally find me saying the same thing when it was $100,000. Well, now it’s in the millions. Now these are real numbers.”
Even more importantly, he added, these attacks are growing more dangerous.
“But what we also have to realize now is there’s kinetic implications,” Barlow said. “And this is becoming rampant. This isn’t an occasional issue. This is going to happen to everybody. The only way to stop this – and I’m a firm believer in the way to stop cybercrime is to change the economics for the bad guys. Well, unfortunately, the only way to change the economics for the bad guys is to forbid paying a ransom.”
Ideally, however, organizations should endeavor to prevent these attacks in the first place. New-school security awareness training can give your organization an essential layer of defense by teaching your employees to recognize phishing attacks and follow security best practices.