Criminals who hold your data hostage have been around for a while. But the threat is about to get a whole lot worse.
Why? Because success breeds imitators -- and ransom has been paying off big lately. You either pay a large sum of money or suffer the consequences.
I'm not talking about some CryptoLocker variant holding an individual's computer hostage unless money is sent via PayPal or Coinbase. I'm talking about scenarios in which a hacker gains complete control over a company's valuable digital assets and demands major compensation to keep all that loot from landing in the bit bucket.
Suffering the consequences
Frankly, I'm still in shock. As you've probably heard, a couple of weeks ago, a company that didn't pay up was put out of business in 12 hours. The company in question, Code Spaces, was using Amazon Web Services and had been under heavy DDoS attack for some time. Then Code Spaces was contacted by a criminal hacker who demanded ransom -- or else he would destroy the company's online assets.
The company tried to limit the hacker's control of its Amazon control panel and resources. He detected it and went on a rampage, deleting data, configurations, storage, and backups. In less than a day, he deleted so much data that the company was unable to recover what was left and stay in business. Whatever resources remain will be used to recover customer data before Code Spaces closes its doors for good.
How was this a successful criminal act, since the hacker got nothing? Just like a small-time mobster who breaks the windows of stores that won't pay protection money, the hacker created great publicity for himself: You don't want to cooperate? Here's what happens. You can bet other ransom hackers will claim the story, too.
Ransom-extorting hackers and malware have been around for decades. The first exploit I remember was the AIDS PC Cyborg Trojan horse program of 1989. Then in the 1990s, I began to hear whispers of gambling sites paying ransoms to stay online. I occasionally heard rumor of a reported cyber bad guy ending up cold and stiff because he extorted the wrong gang. Then came word that major corporations were starting to pay ransoms in the millions of dollars to be left alone.
My initial reaction: If I found myself in this situation, I would never pay ransom. It only encourages criminal extortionists. But in the real world, ransom is paid all the time to retrieve valued employees, ships, cargo, and now, data.
Prepare for the worst now
Ransom incidents will increase significantly in the next decade. I'm not taking a leap of faith here or predicting a new trend -- in fact, I'm hopping on late. The trend is already in progress, and I'm sharing what I know. Any company can be a victim, including yours. Your company's management needs to know how to think about this new threat:
- Educate senior management about the threat of ransom-demanding cyber criminals (along with ransom-demanding malware, which they should already be familiar with). Let them know the threat is real, fairly easy to accomplish, and difficult to prevent. Do your research and put everything in a document, so they can't say you didn't warn them.
- Ask management how you should respond if a ransom incident occurs and you believe it to be a viable threat. Should your company ever pay ransom? If your company thinks paying the ransom is the appropriate response (at least in some scenarios), get a sense of what the upper limit might be to save the company. Management won't want to have this discussion, but it's a good way to start a dead-serious dialogue about risk management.
- If your management says no ransom should be paid under any circumstances, then you have your marching orders. Before you accede, however, you might want to have management speak with former CEOs of companies who wish they had paid the ransom. Many companies have paid ransom without customers or other stakeholders being the wiser.
- Ask management if your current business interruption insurance covers data ransom scenarios. If so, to what level? If not, it's time to investigate insurance coverage for this type of event.