How does it actually work?
Companies sometimes pay millions of euros after a cyber attack that shuts down computers. Cybersecurity company Northwave negotiates the amount of the ransom on behalf of hacked companies. "We see it as the very last option and we do it with a heavy heart," says commercial director Marc de Jong Luneau.
Dental company Colosseum Dental is the latest example of a hacked company that paid a ransom. Last week, the company transferred more than 2 million euros in cryptocurrency to cybercriminals. With that, the computers held hostage were released. The payment was also meant to deter the criminals from publishing the stolen patient data.
The mantra in the cybersecurity world is to never pay after a ransomware attack. But that is not always realistic, says De Jong Luneau. "In some situations, it's the only option a customer has."
Dave Maasland, director of cybersecurity company ESET Netherlands, is, like De Jong Luneau, not in favor of paying after an attack. But he understands that it is used as a last resort.
"Companies sometimes see paying as the way to get on with their work quickly. But it just doesn't work that way. It's not like: we take the wheel clamp off the car and we can drive again. On the other hand, sometimes you really have no other choice: then it is pay or the company falls over and there are two thousand employees on the street."
Northwave is one of the few organizations that helps hacked companies negotiate with cybercriminals. "Sometimes there is no other option than to pay," says De Jong Luneau. "For example, if there is no backup of encrypted files and the company is idle for months. Then it is sometimes less harmful to just pay."
Contacting criminal customer service
Criminals not only encrypt computers, but also steal data. They threaten to publish it if organizations don't pay. "When it comes to customer data or patient records, there is often nothing else. Companies bear responsibility for that data."
Criminals leave a message on the computers they hold hostage, stating how to reach them. Negotiators then end up with a kind of criminal customer service, with contact running via an anonymized e-mail address or a chat environment.
"We always speak to a criminal on behalf of the affected customer," says De Jong Luneau. Northwave employs specialists in the field of negotiation and psychology who help with this.
During the conversations, as much information as possible is gathered from the hackers. Do the criminals actually have the keys? What information did they steal? With these results, the experts go back to the customer to discuss the options.
Proof required, but no guarantee
The amount of the ransom requested is not a shot in the dark. Criminals look up the company's financial information and then demand a percentage of its turnover. That is often around 2 percent, says De Jong Luneau.
"We try to keep that amount as low as possible," he says. "Companies can't just pay millions and sometimes that can be demonstrated. The criminals also have something to lose. Not only have they purchased the malware from other criminals and have to recoup those costs, but the people from the 'customer service' also just have a target. They are judged on the number of bitcoins they bring in."
The hackers must first provide evidence before companies pay. They must demonstrate that they can indeed open the systems, for example by decrypting a few files. The cybercriminals must also show that they are destroying the stolen files. But even then, some trust is involved, because there is no guarantee that the criminals will not make copies of the files or secretly resell them.
"Every ransomware group is recognizable to us; they work under their own 'brand name' and have a specific working method," says De Jong Luneau. "And cybersecurity companies are in close contact with each other. If it turns out that a gang is not reliable, then everyone knows that they are doing bad business. That's of no use to criminals either."
Storing data differently
Maasland says that companies basically have to store data differently. "It has to be stored in a different way. Maybe extra encrypted, physically in a safe or only accessible to certain people."
De Jong Luneau agrees. "Security is an ongoing task. Cybercriminals are finding new ways to attack. The way in which organizations deal with data also changes from time to time. Organizations that want to protect themselves adequately should therefore set up a permanent quality control on cyber security."
Source: nu.nl