There is an ongoing debate in the business world over whether to pay a ransom demand when critical data systems are locked up in a successful ransomware attack. As a rule, technology and security professionals recommend against paying the ransom, but oftentimes business leaders will weigh the loss and potential risks against the ongoing and future harm the current lockout is causing, and decide to pay the money to get back to work more quickly. This is a calculus that the attackers also weigh – how much is too much? What sort of threat does the ransomed data represent to the company?
What happens when they don’t pay?
Most of the time when the victim refuses to pay, the hackers move on to their next target, leaving their victim to pick up the pieces on their own. In the case of Clark County School District, critical school systems were compromised 3 days into the new school year. Despite threats by the attackers to leak the data they were holding hostage, CCSD chose not to pay the ransom, prompting the hackers to post some non-sensitive data as a warning that they meant business. When the CCSD continued to stand tough, the hackers apparently shrugged their shoulders and called the district’s bluff by posting the stolen data on both the regular and dark web, free and unprotected for anyone to download. The 25 gigabytes of data included employee Social Security numbers, addresses and retirement paperwork, as well as the PII of presumably the entire student body, including names, addresses, birth dates, grades and schools attended.
Previously, ransomware attacks seemed to be focused on businesses, allowing most folks to just shrug their shoulders (even if their own information was possibly compromised) as the impact was far removed from home. In this case, what if an organization over which you have very little influence made a decision that results in very real risk to your child’s future (and present!) livelihood? Clark County wasn’t the only school district to be targeted this year – Hartford, CT and Athens, TX school districts were targeted by similar ransomware attacks, resulting in closures and ransoms paid. As you might guess, schools are attractive targets – the stakes are high, and IT is typically not a high-priority budget item, making them easy targets. Even if the school systems had been backing up their systems (unlikely, see budget or lack thereof), it takes several days for systems to be restored even with a highly trained and prepared IT team (unlikely), and meanwhile, the phone system is being lit up like an angry Christmas tree by parents wondering what the heck is going on.
Ransomware attacks continue to be an extremely common criminal activity because of how effective and profitable they can be. As is evidenced by their tactics and continued success, it’s very clear that ransomware campaigns are now an established weapon of organized crime. Unlike the stylized depictions of the “honorable mob” by Hollywood, today’s crime organizations seem to have no problem targeting our most vulnerable organizations, and aren’t squeamish about casualties along the way.