When ransomware strikes … negotiate?
- By Patrick Marshall
- May 13, 2019
When hackers launch a ransomware attack against companies, they’re usually after money. But when ransomware strikes a government agency, the hackers may be after something else.
Did hackers who used ransomware to attack the city of Albany, N.Y., last March think the city was going to pay a big ransom? “No,” said Gregory Falco, CEO of NeuroMesh, an industrial IoT security company. “It was to cause disruption.”
Why would hackers want to disrupt government agencies if not for money? “Street cred,” said Falco, who is also a researcher at MIT’s Computer Science and Artificial Intelligence Laboratory.
With that in mind, Falco urged government IT executives to apply negotiation tactics with ransomware hackers.
Negotiation does not necessarily mean paying ransom, but rather managing risk. It's about being flexible and knowing how to manipulate the situation before, during and after an attack, Falco said in an MIT blog.
“There are other ways that you might be able to ‘give in’ than paying ransom,” he said. “One way might be to cry uncle and acknowledge the fact that your city has been taken down.”
Falco and his team have created a set of social engineering strategies that employ negotiation capacities to alter the way ransomware attacks unfold. Ransomware, he said, is one of the rare types of hacking in which victims have an opportunity for direct communication with the hacker.
“The pathology of most ransomware attacks matches up nicely with what happens in other kinds of negotiations: First, you size up your opponent, then you exchange messages, and ultimately you try to reach some kind of agreement,” Falco said in the blog.
“While we found that no one wants to negotiate with an attacker, under certain circumstances negotiation is the right move, especially when agencies have no real-time backup systems in place,” Falco added. He pointed to last year's ransomware attack on Atlanta that afflicted the city’s utility, parking and court services. While the city didn’t pay the demanded ransom of approximately $50,000, it spent more than $15 million to recover and figure out what went wrong.
Falco also warned that manufacturers must pay more attention to ensuring the security of embedded devices that they sell to government and private-sector customers. “We have a culture of complacency among the OEMs that create this technology,” he said. “They just don't really have a requirement to ensure that there is no liability.”
NeuroMesh has developed what it calls an “unhackable botnet” based on blockchain that Falco said helps secure embedded devices. “We are able to lock down the operation of these control systems. We do not allow them to do anything beyond what they are supposed to do. And if you do something beyond what it is supposed to it locks the system down.”
The threat to government agencies at all levels from ransomware is growing, Falco said. “Attackers are realizing the destruction they are able to cause for these governments and they are taking advantage of it,” he noted.
“Cyberattacks are inevitable, and even if agencies are prepared, they are going to experience losses,” Falco said. “So, dealing with attacks and learning from them is smarter than covering up the damage.”
It's also important that organizations not “get bogged down in installing expensive technical solutions” when defensive social engineering tactics like honeypots and other obfuscation techniques can reduce the scope and costs of cyberattacks, he said. “It helps to be interdisciplinary and mix and match methods for dealing with cybersecurity problems like ransomware.”
Patrick Marshall is a freelance technology writer for GCN.