Right before Canada Day, our national spy agency, the Canadian Security Intelligence Service, had its website knocked offline three times in two days. The method was distributed denial of service (DDoS). The motive was hacktivism, in this case a cyber protest against Bill C-51, the federal government’s new anti-terrorism law.
The person or group who claimed responsibility, Aerith, also brought down the websites of the Toronto and Ottawa police departments earlier this year. As far as we know, Aerith (like most hacktivists) never made any financial ransom demands in those cases and none were ever paid.
Police departments in Massachusetts, Illinois and Tennessee reportedly did pay ransom amounts as small as $500 to hackers holding their data hostage via ransomware like CryptoLocker. You know there’s a situation out there when the police admit to paying cyber ransom.
It’s tough to know how common this type of situation is because there still aren’t many statistics on cyber extortion. But in an Incapsula survey last year, 46 per cent of all DDoS victims said they had received a ransom demand.
According to a new report by Verisign, however, “victims of ransom attacks often do not publicly acknowledge the attack for reputational reasons.” If many online extortion cases go unreported, we don’t really know just how often ransom demands are made – or how often they get paid.
Would your organization pay ransom to prevent or end a DDoS or ransomware attack?
One third of all firms would, according to a ThreatTrack survey released in April. Among firms that have already been hit by cyber extortion in the past, the willingness to pay or negotiate ransom rises to 55 per cent of respondents.
It’s easy to see why 30 to 55 per cent of firms are willing to give in to ransom demands. Besides reputational harm, companies also fear the estimated $40,000 per hour in costs they could incur from such an attack. Who wouldn’t be tempted to pay a piddly $300 ransom to avert $40K or more in damage?
Now some targets are standing up to – and speaking out about – these cyber extortionists. When Feedly and Meetup were hit with ransom demands last year ($300 in Meetup’s case), they not only refused to pay up, they defiantly took their battles public.
“We refused to give in and are working with our network providers to mitigate the attack as best we can,” Feedly posted on its blog at the time.
“We believe if we pay, the criminals would simply demand much more. Payment could make us (and all well-meaning organizations like us) a target for further extortion demands as word spreads in the criminal world,” Meetup explained in its own blog.
Dan Holden of Arbor Networks agrees in a recent post for Techspective. “It can set a dangerous precedent and encourage more attacks in the future. And while it might make the pain go away in the short term, the long-term results are generally not worth it.”
Even if you pay, there are no guarantees the hacker will keep their word and halt an attack. There’s also no guarantee you won’t be hit by them or another culprit later on. The latest data from Incapsula shows just under half (46 per cent) of all application layer DDoS victims suffered repeat attacks within 72 days of the original attack.
What can you do instead? Holden advises investing in multi-layered preventive security, consulting with your ISP and/or hosting provider and backing up everything diligently. Although no one can stop extortionists from making demands, being well prepared might pay off more in the long term than quickly paying ransom.