The new ransom
Ransomware attacks are on the rise. Should victims pay up? Cybersecurity experts weigh in on the crime wave and what can be done to stem attacks.
To pay or not to pay? That is the multimillion-dollar question that governments, companies and even universities are being forced to confront as ransomware attacks proliferate.
Ransomware prevents companies or individuals from accessing data on their computer systems. The two most prevalent types are screen lockers, which block access to the system with a basic lock screen, and encryptors, which make content useless without a decryption key.
Victims of cyberattacks paid more than $400 million last year, a 337% jump from the 2019 total, according to Chainalysis, a firm that tracks ransomware payments.
Attacks are on the rise in large part because they are lucrative and relatively safe for criminals, said Steve Beaty, Ph.D., professor and chair of the Computer Sciences Department at Metropolitan State University of Denver.
“In this case, crime really pays well,” he said. “A criminal can launch a ransomware attack while sipping an espresso in a coffee shop from anywhere on the planet. And because it is not a crime of locality, the person has a very low risk of being caught.”
Cryptocurrency also enables the crimes, he said, as the anonymous currency is difficult to trace.
Ransomware attacks have a low barrier to entry, said Richard Mac Namee, director of MSU Denver’s Cybersecurity Center.
“Some shady organizations basically lease out the capability of launching ransomware and take a slice of the profit,” he said.
The attacks seemingly present a simple choice: Pay a ransom to restore operations or don’t. But the reality is more complex.
“It’s really a business decision more than a cybersecurity one,” Beaty said of the dilemma. “Companies have to weigh how much the issue is costing them, which can be incredibly expensive.”
While the U.S. government generally chooses not to pay ransoms, private businesses have to make their own choice, Beaty said.
And as attacks increase, it’s not just businesses being targeted. The City of Lafayette in 2020 paid $45,000 to hackers after a ransomware attack affected some services. Regis University in 2019 paid a ransom to unlock computer systems attacked at the start of the academic year. The Colorado Department of Transportation, on the other hand, was hit in 2018 and chose not to pay. Mitigating the damage cost the state an estimated $1.5 million.
Mac Namee said paying ransom does not always have the desired outcome and that there is no guarantee that criminals will be true to their word.
“If you can settle a ransom in 24 hours, it tells criminals that you have access to more money,” he added. “It’s likely that the problem could get worse.”
Help wanted
The challenges posed by ransomware attacks are compounded by a limited talent pool in the cybersecurity field.
Despite industry growth in recent years, almost a half-million cybersecurity jobs remain unfilled, according to CyberSeek, a project sponsored by the National Institute of Standards and Technology. The Department of Homeland Security is also racing to fill more than 2,000 cybersecurity jobs.
To meet industry demand, Mac Namee and his colleagues at MSU Denver are designing education that prepares professionals to hit the ground running. The University’s Cybersecurity Multi-Use Training Environment (C-MUTE) offers students a fully immersive educational experience focused on real-world practice.
This includes the Atos Security Operations Center, which launches on campus in August. The University partnered with international cybersecurity provider Atos to build the SOC environment, where paid student interns will work alongside industry professionals and monitor client networks in real time.
The University’s Cybersecurity Program will also offer professional certifications this fall, in partnership with the Computing Technology Industry Association.
“These initiatives will provide future cybersecurity professionals with a great degree program, high-value certifications, work experience in the SOC and hands-on scenario testing in the cyber range,” Mac Namee said. “They will be well-prepared for the field.”
Proactive protection
Companies and individuals looking to prevent ransomware attacks can take some proactive steps.
“That starts with better training for employees,” Mac Namee said, “because most attacks come from a phishing email or scam that targets the uninformed.”
Mac Namee said he is stunned by how many companies don’t have simple patch mechanisms (updates or fixes to bugs) in place or delay patch work for too long, which can allow bad actors into the system.
Klaus Streicher, a May 2021 Cybersecurity graduate and senior cyber range instructor, said organizations should have backups that are detached from their network. Most ransomware code is sophisticated enough to search for backups that are still online and reachable from the infected systems.
“The challenge is that the volume of data and cost can be prohibitive,” he said. “But it’s an effective way to restore operations in the event of an attack.”
Beaty said solutions such as multifactor authentication also make a big difference.
“It might be a little painful for employees at the front end but certainly less painful than ransomware,” he said.