Online criminality has become a big business and new faces of social engineering and fraud are sweeping the globe. News articles regularly report on major breaches and outages, but rarely, if ever, do we see the underlying ransom demands that are presented before a business is attacked. The stand that organizations often take is that they do not negotiate with terrorists or pirates. But this approach, while noble, can become costly to a business, some may lose everything.
This year we learned the story of Code Spaces. This company went out of business in 2014 due to taking the non-negotiation approach. Their other crucial error? Trusting their cloud provider to have them covered – this was fatal for their business. What would you or your company do if you received a ransom letter demanding compensation? What if those threatening you aren’t just looking to capture the flag and sell it back to you? Let’s look at some hypothetical (but potentially real-world) scenarios:
“Attention Business X:
We know you are hosted behind a CDN, and we know it costs you money to serve content. We have decided that we will load content from your website, non-stop, across all of the nodes of the CDN using our botnets and other reflection mechanisms to raise your bill by $100,000 per month. This will go on indefinitely unless you pay us $50,000.
We will take the payment in the form of BitCoin or Online Wire Service X. Failure to meet our demands will result in a never ending campaign to run up your bill up until you start showing major losses from IT costs.”
If you were an online business, what do you do if you saw that letter? Would you leave your CDN provider?
A CDN provider is designed to serve content and charge you for it, but they do not guarantee your protection. To repeat – your CDN provider does not guarantee your protection. Our team has seen instances of customers receiving monthly bills in excess of $1.5 Million from their CDN provider because of this misunderstanding because they thought they were protected.
The above letter is different than most traditional ransom letters that either threaten a DDoS attack or a full breach of the systems. A letter from a more traditional cyber-criminal looks more like this:
“Dear Company X:
We have heard rumor that a large cyber army is in control of a 100,000 node botnet and intends to attack you this Friday. We know that to respond to these kinds of threats, it may cost you $50,000-$100,000 to deal with this kind of attack. We are willing to convince this cyber army not to attack you if you send us $20,000 in the form of Bitcoin today.”
The letter above was similar to what Feedly, the popular news aggregator application, received. And as you may know from the news, the attackers were not successful in extorting the money. Feedly, however, was offline for many days in a row and had major reputation damage following this incident. Would you pay the ransom next time?
Often people think about protecting themselves after the fact. You can’t buy car insurance after an accident, so why consider insuring your safety only after a breach occurs. The best course of action is to defend against cyber-attacks before they occur and this should include a hybrid defense solution, one that pairs on-premise and cloud mitigation. Having a good defense in place ahead of time is necessary if you wish to stop attacks when they do happen. Otherwise, you may find that paying ransom is an acceptable option that would minimize the damage to your business, despite the cost.