On March 15, 2020, during the height of the COVID-19 pandemic, hackers attacked the Department of Health and Human Services (HHS) servers. In the past, computers belonging to hospitals, doctors' offices, and other medical providers have been a particular target for ransomware purveyors, who lock computers or files and demand the immediate payment of ransom in return for the unlock keys. Why target medical providers? Simple. Because they will pay. Especially during a crisis, when access to data and systems is critical. The same is and will be true for other critical infrastructure, like the systems that enable workers to telecommute, access VPNs, collaborate, manage supply chains and continue to function during the crisis. Remember, for ransomware purveyors, crisis = opportunity.
For victims of ransomware there are only a few choices, none of which are optimal. If the attack is not pervasive, and you have robust data backup and recovery (hot sites, warm sites, etc.), and those backups were offline or otherwise out of the attacker's reach and have not been corrupted themselves, then your response may simply be to restore from backup, revalidate the systems, lock down against future attacks, enhance your monitoring and endpoint protection, and weather the storm. Good for you. Pat yourself on the back. You are in the minority.
For others, your choices are more limited. You can PTFM — pay the [expletive] money — you can rebuild your data from scratch, or you can try to restore what you can from incomplete or stale backups. The latter two are expensive, time consuming, inefficient, and unlikely to completely work. Moreover, your enterprise will be partially or completely down during the process, and you will suffer reputational and other losses in the interim. When municipalities like Baltimore and Atlanta refused to pay ransom, they were down for weeks, with losses in the tens of millions of dollars. Not optimal. And even worse now, with entire workforces telecommuting, data more diffused, and network connectivity more critical.
Or you could pay the money. Maybe not the entire amount, but a hefty portion. For that, you need access to money, access to cryptocurrency, and a process for connecting with, engaging, and validating the ransomware actors. And there are legal, privacy, policy and law enforcement concerns about paying ransom. Also insurance concerns: does your cyber policy (you DO have a cyber policy, right?) cover ransomware losses in general and ransomware payments in particular? Ask now. I'll wait.
But there is an alternative.
In the classic movie "War Games," Professor Falken is in NORAD headquarters having a heated discussion with General Beringer. He asks, "General, are you prepared to destroy the enemy?" And the General responds, "You betcha!" to which Falken replies, "Do you think they know that?" Beringer: "I believe we've made that clear enough." Looking at the "big board," Professor Falken sighs and advises, "Then… don't." Don't destroy the enemy. Don't pay the ransom. Don't engage. As Sun Tzu put it, the supreme art of war is to subdue the enemy without fighting.
Most ransomware works in much the same way as the tools and techniques we use every day to protect data at rest and in transit. Typically the malware encrypts the victim's files with a fast symmetric cipher such as AES, under a key generated on the victim's machine, and then encrypts that key with the attacker's public key (usually RSA, whose strength rests on the difficulty of factoring very large numbers). Only the attacker's private key can unwrap it. The idea is that the longer the key, the more difficult (exponentially) it is to "crack" by guessing. In practice, keys are recovered not by guessing every combination but because something went wrong: brute force works only when the key has far less randomness than its length suggests (seeded from the clock, say, or from a weak random number generator); the key or keystream may be reused, left behind in memory, or written to disk; the cipher or protocol may have a known weakness; or the attacker may have made small errors implementing the cryptography. During WWII, German Enigma traffic was broken in part because operators were predictable. Stereotyped message content, such as daily weather reports and standard salutations, gave the codebreakers known plaintext ("cribs") from which the day's machine settings could be recovered. Finally, hackers are lazy. Just like any other programmer. They reuse code, fail to update it, and stick with patterns they know. The tried and true.
All of these facts present an opportunity for victims of ransomware. It is more than theoretically possible for trained, knowledgeable security researchers, with access to the infected systems and the ability to extract certain data from them (the malware sample itself, memory images, and encrypted files alongside known-good copies), to recover the very keys used to encrypt the data. Two caveats a practitioner would insist on. First, this only works when the attacker got the cryptography wrong; against a correctly implemented scheme, where a truly random key is generated on the victim's machine and wrapped with the attacker's public key, no amount of computing power will recover it. Second, identify the strain before doing anything else and check whether a free decryptor already exists (the No More Ransom project, run by Europol and several security vendors, maintains a catalog), because many families have already been broken exactly this way. It takes a bit of time, a lot of expertise, and some substantial computing power. But. It. Can. Be. Done.
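To make the "implementation error plus known plaintext" idea concrete, here is an added example, written for this page and not code from the author or from any real ransomware family. It is a deliberately toy scheme: a hash-based keystream stands in for a real cipher, and the flaw is that the "256-bit" per-victim key is derived from the infection time in whole seconds. The victim uses the magic bytes that every PDF, PNG or Office file begins with as a crib, exactly as the Enigma codebreakers used weather reports, and searches the plausible timestamps. The example also goes one step past the text: it shows that the same search is hopeless against a key drawn from the operating system's random number generator, which is what a correctly written scheme would do before wrapping the key with the attacker's public key. All sample data, timestamps and helper names are constructed for the illustration.

```python
import hashlib
import os

# Toy keystream generator standing in for a real stream cipher: keystream block i
# is SHA-256(key || i). It keeps the example free of third-party libraries; the
# flaw demonstrated below is in key generation, not in the cipher itself.
def keystream(key: bytes, length: int) -> bytes:
    out = bytearray()
    block = 0
    while len(out) < length:
        out += hashlib.sha256(key + block.to_bytes(8, "big")).digest()
        block += 1
    return bytes(out[:length])


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def encrypt(plaintext: bytes, key: bytes) -> bytes:
    return xor_bytes(plaintext, keystream(key, len(plaintext)))


decrypt = encrypt  # XOR with the same keystream undoes the encryption


# The implementation error (hypothetical, constructed for this example): the
# per-victim key is just a hash of the infection time in whole seconds. Its real
# entropy is the number of plausible timestamps, which a victim can bound from
# file modification times, event logs, or when users first saw the ransom note.
def flawed_key_from_timestamp(ts: int) -> bytes:
    return hashlib.sha256(b"victim-key-" + str(ts).encode()).digest()


# Known plaintext from file formats: the modern equivalent of an Enigma "crib".
MAGIC = {
    ".pdf": b"%PDF-1.",
    ".png": b"\x89PNG\r\n\x1a\n",
    ".docx": b"PK\x03\x04",  # Office Open XML documents are zip containers
}


def recover_key(ciphertext: bytes, ext: str, approx_ts: int, window: int = 3600):
    """Search timestamps within +/- window seconds of approx_ts for a key that
    decrypts the file header to the expected magic bytes. Returns the key or None."""
    magic = MAGIC[ext]
    header = ciphertext[: len(magic)]
    for ts in range(approx_ts - window, approx_ts + window + 1):
        candidate = flawed_key_from_timestamp(ts)
        if xor_bytes(header, keystream(candidate, len(magic))) == magic:
            return candidate
    return None


def demo() -> dict:
    # Constructed sample data: a tiny "PDF" and an infection time of 2020-03-15 13:00 UTC.
    plaintext = b"%PDF-1.4\n1 0 obj << /Type /Catalog >> endobj\n%%EOF\n"
    infection_ts = 1584277200

    # 1. Flawed ransomware: key derived from the clock. The victim only knows the
    #    infection happened "around 13:40", i.e. 40 minutes off the true time.
    weak_key = flawed_key_from_timestamp(infection_ts)
    ct_weak = encrypt(plaintext, weak_key)
    found = recover_key(ct_weak, ".pdf", infection_ts + 2400)
    weak_recovered = found is not None and decrypt(ct_weak, found) == plaintext

    # 2. Correctly implemented ransomware: key from the OS CSPRNG. In a real scheme
    #    it would then be wrapped with the attacker's RSA public key; nothing on the
    #    victim's machine constrains it, so the same search finds nothing.
    strong_key = os.urandom(32)
    ct_strong = encrypt(plaintext, strong_key)
    strong_recovered = recover_key(ct_strong, ".pdf", infection_ts + 2400) is not None

    return {"weak_recovered": weak_recovered, "strong_recovered": strong_recovered}


if __name__ == "__main__":
    print(demo())  # {'weak_recovered': True, 'strong_recovered': False}
```

The search runs on a copy of the encrypted file and never touches the original, which is the discipline any real recovery effort has to keep: the encrypted files and a memory image of the infected host are the evidence, and a botched attempt that overwrites them removes the option of recovering anything later.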
If it succeeds, it can save a ransomware victim millions of dollars in data restoration and recovery costs and downtime, and, during these increasingly tenuous times, gives them the ability to continue business operations. Not a small feat. Even if it fails, it's worth a shot. It is relatively low cost and low risk, provided the work is done on forensic copies and the original encrypted files and memory images are preserved untouched, and the potential payoff is huge. And it beats giving money to hackers.
Insurers should add this capability to their cyber response arsenal, as this decreases their own risk, their own payment, and their own costs as well. Win. Win. For everyone. Except the ransomware purveyors. To them you say, “would you like to play a game?”
Mark Rasch is an attorney and author of computer security, Internet law, and electronic privacy-related articles. He created the Computer Crime Unit at the United States Department of Justice, where he led efforts aimed at investigating and prosecuting cyber, high-technology, and white-collar crime.