
Five myths about ransomware

Josephine Wolff is assistant professor of cybersecurity policy at the Fletcher School of Law and Diplomacy at Tufts University.

Most ransomware news is bad news, so it was a welcome surprise to learn this week that U.S. law enforcement had recovered $2.3 million of the ransom Colonial Pipeline paid to its hackers last month. But even that rare win can’t overshadow the significant disruptions ransomware has caused in the past month alone, forcing the temporary shutdowns of thousands of miles of critical fuel pipeline, as well as several plants in the United States operated by JBS, the world’s largest meat supplier. As regulators and companies come to grips with the scale of the problem, ransomware is receiving more attention than ever before — some of it productive, but some of it misleading and incorrect.

Myth No. 1: The most cost-effective way to get data back is paying ransom.

Many resources for ransomware victims advise that, as ZDNet says, “it can make good sense to pay ransomware.” Estimates of how many victims pay ransoms range from 27 percent to 56 percent, so clearly this is advice that many firms take to heart.

But organizations that pay ransoms often don’t receive the decryption keys needed to recover their data. A 2016 survey found that 1 out of 5 companies that paid a ransom failed to get its data back from the attackers. A 2021 report estimated that only 8 percent of victims who paid a ransom got all of their data back, and 29 percent were unable to recover more than half of the encrypted data.

Even when victims are able to recover some, or all, of their data, they often spend considerable resources to ramp up information security, upgrade infrastructure and make changes to security staff after an attack. And most importantly, the decision to pay a ransom contributes to the continued profitability of ransomware for cybercriminals. So while it may seem cost-effective in the short term to pay, that decision may just lead to more ransomware and greater losses down the road.

Myth No. 2: There are only a few thousand ransomware attacks per year.


The FBI 2020 Internet Crime Report lists just 2,464 incidents of ransomware reported in the United States in 2020, with losses totaling more than $29.1 million. Other reports in recent years with similarly low numbers, including one from security researchers AV-Test, have been used to indicate that ransomware is relatively uncommon, compared to other online threats.

In truth, we know almost nothing about how many ransomware attacks occur. Unlike breaches of personal information, most ransomware attacks do not need to be reported by law, and victims, especially those who pay, may have many reasons to prefer to keep them secret, such as preventing their customers from panicking and avoiding public censure.

The number of ransomware incidents reported to law enforcement authorities therefore likely vastly undercounts the extent of the problem, but it’s hard to know by how much. One widely cited statistic by data analysis firm Statista suggested that there were actually 304 million ransomware attacks worldwide in 2020 — down from a high of 638 million in 2016 — but the firm offers little insight into its data sources or how it arrived at those figures. So while we can be confident there were well over 2,464 ransomware incidents last year, we don’t have much insight into whether the frequency of such attacks is increasing or whether we’re instead just starting to see more high-profile targets across critical infrastructure sectors.

Myth No. 3: There’s no way to decrypt data once you’ve been infected.

Like the idea that the cheapest way to recover from an attack is to pay the ransom, the notion that “ransomware is irreversible,” as one researcher puts it in the peer-reviewed journal ICT Express, is widely held. (That exact phrase also crops up in another recent paper by researchers from Australian and Malaysian universities.) The concept is that there’s no way to get your data back — or to regain control of your systems — without purchasing a decryption key.

But while ransomware is sometimes implemented correctly, so that recovering the victims' files without the attacker's key is computationally infeasible, many common strains have been reverse-engineered to allow victims to decrypt their own files without making any payment. The No More Ransom Project, supported by Europol as well as security firms McAfee and Kaspersky, was designed to aggregate these decryption tools so that victims can quickly identify what strain of ransomware they have been infected with and search for any software that could help undo the damage. The project's Crypto Sheriff tool allows victims to upload ransom messages and other identifying features to determine what kind of ransomware they are dealing with. If the program is poorly implemented (for example, if it generates keys from predictable inputs or leaves them recoverable on the victim's machine), or if the decryption keys associated with it have been seized by law enforcement authorities or publicized by other victims, then it may be possible to recover compromised data without paying. Some companies also offer similar services to aid victims.
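As an added illustration of the "poorly implemented program" case (a constructed example written for this page, not code from the article, from any real ransomware strain, or from the No More Ransom project): a toy file-encryption scheme whose per-victim key is derived from nothing more than the infection timestamp. A defender who knows roughly when the incident began and what an encrypted file's first bytes should be (the PDF magic "%PDF-", say) can recover the key by searching the timestamp window and decrypt without paying. The sample document, the infection time and the six-hour incident window are all assumptions.

```python
"""Toy demonstration of why a badly implemented ransomware scheme can be
decrypted without paying. Constructed for this page; it models no real
strain. A correct implementation would draw each file key from os.urandom()
and encrypt that key to the attacker's public key, leaving nothing to search."""
import hashlib

SEED_BYTES = 4  # the flawed scheme's key depends only on a 32-bit timestamp


def derive_key(seed: int) -> bytes:
    """Flaw: the per-victim key is a hash of the infection time alone, so the
    effective key space is the number of seconds in the incident window,
    not 2**256."""
    return hashlib.sha256(seed.to_bytes(SEED_BYTES, "big")).digest()


def keystream(key: bytes, length: int) -> bytes:
    """Hash-counter keystream (SHA-256 of key || counter) of `length` bytes."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(out[:length])


def xor_with_keystream(data: bytes, seed: int) -> bytes:
    """Encrypt or decrypt; XOR with the keystream is its own inverse."""
    stream = keystream(derive_key(seed), len(data))
    return bytes(a ^ b for a, b in zip(data, stream))


def recover_seed(ciphertext: bytes, known_prefix: bytes,
                 window_start: int, window_end: int):
    """Known-plaintext search: try every candidate timestamp in the window
    and keep the one that turns the ciphertext's first bytes into the
    expected file header. Returns None if no candidate matches."""
    head = ciphertext[:len(known_prefix)]
    for seed in range(window_start, window_end):
        if xor_with_keystream(head, seed) == known_prefix:
            return seed
    return None


# Constructed sample: a PDF-like document and an assumed infection time.
SAMPLE_PLAINTEXT = b"%PDF-1.7\n% constructed sample: Q2 invoice ledger\n"
INFECTION_TIME = 1622505600 + 1234                      # assumption: 2021-06-01 00:20:34 UTC
INCIDENT_WINDOW = (1622505600, 1622505600 + 6 * 3600)   # assumed six-hour window


def demo():
    """Encrypt the sample as the flawed scheme would, then recover the seed
    and the plaintext using only the file type and the incident window."""
    ciphertext = xor_with_keystream(SAMPLE_PLAINTEXT, INFECTION_TIME)
    seed = recover_seed(ciphertext, b"%PDF-", *INCIDENT_WINDOW)
    recovered = xor_with_keystream(ciphertext, seed) if seed is not None else None
    return seed, recovered


if __name__ == "__main__":
    seed, recovered = demo()
    print("recovered seed:", seed)
    print("recovered text:", recovered)
```

The search succeeds because the attacker's key space collapsed to a few thousand candidates; the same known-plaintext check fails against a key drawn from a proper random source, which is why public decryptors exist only for strains with flaws of this kind or for keys that were seized or leaked.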

Myth No. 4: The rise of cryptocurrencies isn’t to blame for attacks.

Ransomware programs typically demand that victims make a cryptocurrency ransom payment because cryptocurrencies are less regulated and often more difficult to track than other forms of payment (though, as the Colonial Pipeline recovery shows, bitcoin transactions are recorded on a public ledger and can sometimes be traced and seized). Cryptocurrency enthusiasts are, understandably, very resistant to the idea that currencies such as bitcoin are to blame for the rise in ransomware attacks. In 2016, for example, an anonymous "blockchain expert" told Forbes that a recent attack had "nothing to do with bitcoin whatsoever," and a headline on Coindesk declared, "Bitcoin is Not the Root Cause of Ransomware."

But just because there are noncriminal uses of cryptocurrencies doesn’t mean that they haven’t been a critical component of ransomware’s proliferation. Without a mechanism for making relatively untraceable and irreversible payments, there would be no way for criminals to profit from ransomware. They couldn’t demand cash because, in many cases, they are located very far away from their victims geographically. Nor could they rely on credit card payments or bank transfers because those modes of payment can usually be traced back to specific individuals, and setting up new accounts takes time and resources.

While it's true that ransomware predates the ubiquity of cryptocurrencies, such attacks didn't take off until recently. This suggests that criminals couldn't easily make money from ransomware until they had a payment channel that shielded them from identification.

Myth No. 5: Multi-factor authentication protects against ransomware.

IT company Vray exhorts companies to “stop ransomware with two-factor authentication,” while the website Security Boulevard promises to reduce the risk of ransomware “by 40 percent” through the use of multi-factor authentication. Such posts promote the misleading idea that any one security tool can keep ransomware at bay, while also misleading readers about the actual function of these tools.

In fact, two-factor authentication, wherein a user must present a second proof of identity in addition to a password, such as a code or approval from a separate device, is designed to limit the damage from stolen, guessed or reused passwords; even then, code-based second factors can themselves be phished, and only phishing-resistant methods such as hardware security keys close that gap fully. While stolen credentials are one attack vector for ransomware, there are many others, ranging from email attachments to malicious websites and apps, and two-factor authentication provides little protection against these types of initial paths into a computer system or against an attacker who is already inside and moving between machines. So while it's a useful and important security tool, it would be a mistake to rely just on this, or any other individual security product, to protect against ransomware. As with all cyber risks, there are no silver bullet solutions.

Five Myths is a weekly feature from the Washington Post that challenges everything you think you know.

The views expressed here are the writer's and are not necessarily endorsed by the Anchorage Daily News, which welcomes a broad range of viewpoints.
