We don’t negotiate with terrorists.
So say the authorities in action movies, shortly before the hero kicks butt, saves the kidnapped person and then rides off into the sunset.
There is a kernel of truth in that sentiment: policy news tracker Stateline.org reported three states in the United States – New York, North Carolina and Pennsylvania – are mulling a law that would ban state and local government agencies from paying ransom to cybercriminals.
Legislators reason that prohibiting ransom payments would deter ransomware attacks by removing the chance of financial gain for criminals.
As defined by cybersecurity firm Fortinet, ransomware is “a specific type of malware that holds data hostage in exchange for a ransom”, and typically “prevents a user from accessing their computer unless they meet the attacker’s demands”.
CyberSecurity Malaysia’s (CSM) industry engagement and collaboration department head Mohamed Anwer Mohamed Yusoff also warned individuals and corporations not to pay the ransom if their devices had been hacked.
“Paying extortion ransoms only encourages cybercriminals to continue their practice,” he explained, adding that those who pay up will only end up putting a target on their backs.
“By paying the ransom, you are telling cybercriminals that you are an easy victim and they will come back again and again, just like the bully in school that would steal money from classmates,” he said.
Instead, victims should report the attack to MyCERT (Malaysia Computer Emergency Response Team under CyberSecurity Malaysia), he added.
Unfortunately, when personal data and the ability to run one’s business are threatened, many victims end up caving in and paying the ransom.
Mohamed Anwer quoted a global study of 15,000 consumers by cybersecurity firm Kaspersky, released in March, which found that 56% of victims paid the ransom to restore access to their data last year.
However, paying up doesn’t guarantee the return of your data. The study also found that whether they paid or not, only 29% were able to restore all their files following an attack. Half (50%) lost at least some files, 32% lost a significant amount, 18% lost a small number of files, while 13% lost almost all their data.
Mohamed Anwer pointed out another trend of victims being instructed to pay using cryptocurrencies like bitcoin, which made it more difficult to track down the criminals compared to a conventional financial transaction.
“Cryptocurrency is relatively anonymous. Moreover, the transactions in cryptocurrencies can be conducted over exchanges or through direct transactions using your cryptocurrency wallet anywhere,” he said.
There are even specific services called Anonymous Cryptocurrency Exchanges, which enable users to trade currency without the Know-Your-Customer (KYC) requirements typically needed to set up an account with a conventional bank.
In the local context, cybersecurity firm Trend Micro detected 113,010 ransomware threats in Malaysia in the first four months of 2021.
Trend Micro Malaysia and nascent countries managing director Goh Chee Hoh said the most targeted industries are government, healthcare, and manufacturing.
He said criminals were now using a “double-extortion” strategy, where they not only lock up networks but also steal and threaten to expose confidential data.
“Threat actors have evolved their strategies to inflict greater damage on a company’s reputation and potentially collect greater pay-outs from high-profile victims,” Goh added.
Ultimately, prevention is better than cure.
To that end, CSM has organised various competency and professional certification training programmes especially for the local civil service, using the Global Accredited Cybersecurity Education (ACE) certification scheme.
The initiative develops participants’ skills in five areas: awareness, penetration testing, secure application, security operation and data security.
Mohamed Anwer revealed that as of June, CSM had trained more than 400 participants under the scheme.
“The capacity and capability programmes offered by CSM are to help increase cybersecurity knowledge and build related skills for those from policy makers up to the technical workforce.
“The whole ecosystem has to be equipped with cybersecurity awareness, knowledge and skills to ensure every angle of potential threats can be protected effectively,” he said.