An increasing number of enterprises are considering pre-purchasing cryptocurrency in anticipation of potential ransomware attacks. But is this a valid risk-reduction strategy for enterprises?
To get some views on this controversial issue, we spoke with Mike Doran, senior security consultant with the enterprise incident management team at cybersecurity specialist Optiv, and former computer forensics examiner with the St. Louis Metropolitan Police Department.
BN: Explain to us what you’re seeing out in the real world relative to enterprises and cryptocurrency.
MD: Ransomware has become so prevalent that it has become a standard part of the tabletop exercises we do with clients to optimize their incident response processes. What we’ve also noticed is that an increasing number of CISOs are asking us if they should be acquiring cryptocurrency in the event they find themselves victims of a ransomware attack.
BN: And what’s your response to those questions?
MD: It’s interesting: sometimes these questions arise during our CISO forums or tabletop exercises, and invariably they are met by a chorus of ‘No!’ from other CISOs. Keeping cryptocurrency on hand can create multiple problems — first, it indicates you are ready to pay a ransom. Second, if information gets out that you have cryptocurrency on hand, it makes you a potential target for hackers. It is far better to take the steps needed to rationalize your infrastructure and optimize operations, so ransomware never infects your environment in the first place.
BN: So why would an enterprise pre-buy cryptocurrency?
MD: The obvious answer is so it can pay a ransom quickly should it fall victim to a ransomware attack, thus mitigating the length of time data is held ransom. Businesses also do it to get the best price they can on the cryptocurrency — there are so many exchanges on the internet that this can be a complex process, and, as we all know, cryptocurrency prices fluctuate on a daily basis. Pre-buying cryptocurrency enables enterprises to lock in a good price and have it at the ready, should they need it.
BN: Do you believe this is a valid strategy for preparing for a ransomware attack?
MD: I worked in law enforcement for a long time before joining Optiv, so my sentiments gravitate to the FBI’s view, which recommends that enterprises not pay ransoms. The reasons for this are fourfold:
• First, paying ransom perpetuates the problem. If nobody paid ransoms, cybercriminals would move on to another exploit technique.
• Second, enterprises should be taking a proactive, not reactionary, approach and doing the up-front work required to mitigate potential ransomware attacks. If you’re going to invest money, it would be better spent on implementing strategies and technology for protecting against ransomware, rather than paying off ransoms.
• Third, holding a stash of cryptocurrency increases enterprise risk, because it makes you a target for hackers looking to steal it. This is why many companies taking this approach will use third-parties to hold their cryptocurrency wallets.
• And lastly, paying ransom doesn’t always work. Just because a company pays the ransom, they are not assured they will obtain a decryption key for their data. Moreover, there is no assurance that should a company pay the ransom and receive a decryption key, they are getting the only copy of their data back.
That said, if you’re a large enterprise that’s been paralyzed because your network is being held ransom, paying it may be your last resort. For example, if you’re a hospital with patients’ lives on the line, or an eCommerce business losing millions of dollars per minute, and you’ve tried everything to restore normal operations and nothing has worked, paying the ransom might be ‘worth it’ in the short- and long-term.
This is why when people ask me about ransomware, I tell them I take a neutral stance on the issue. You absolutely should do everything you can to avoid having an attack take down your business, but if everything fails and you’re having an ‘Alamo moment’, you may have no choice but to pay. But this choice should be discussed heavily internally to ensure that this is the best course of action given the gravity of the situation. It will always be a risky proposition though, because the people you’re paying off may not hold up their end of the bargain.
BN: How do you go about paying a ransom?
MD: The hackers usually make their demands and provide the victim with the address of a cryptocurrency wallet. From there, it’s a simple cryptocurrency transfer from one wallet to another, with the exchange occurring instantaneously. Once the transfer is complete, the hacker will typically launder the currency through one of the many cryptocurrency laundering sites on the internet, and then shut down the payment address. At that point, it becomes incredibly difficult to ever track down the hacker.
BN: Some legitimate businesses have announced that they now accept Bitcoin payments. Does this mean cryptocurrency is going mainstream?
MD: You’re right — a number of household name companies now accept Bitcoin. This is an interesting question, because Bitcoin was initially designed to circumnavigate the financial system, eliminating the need for a trusted third party. Others are trying to create cryptocurrencies for legitimate purposes. However, because of the DarkNet and the crimes associated with it and Bitcoin, most people are still of the opinion that cryptocurrency is associated with illegal activity. One thing is for certain though — the government will eventually step in and formally regulate cryptocurrency, which will likely make the value plummet. However, that regulation will also help to shed the malicious veneer that coats cryptocurrency today.