The prevailing wisdom in law enforcement has been that it is a bad idea to negotiate with extortionists. Cave to their demands and all you’re doing is encouraging more extortion. And you don’t even have a guarantee that paying a ransom will produce the return of your loved one unharmed, or your stolen assets.
Better to refuse the demands, find the criminals and punish them in a way that will discourage them and others from doing the same thing.
But, in the digital world, where criminals encrypt data and then demand a ransom to provide the key, that prevailing wisdom is getting a forcible adjustment.
The first reality is that, much of the time, cyber extortionists are far beyond the reach of domestic law enforcement. Second, most of them actually make good on unlocking the data once the ransom has been paid, because they want future victims to pay up as well.
In some cases, it is law enforcement itself that is paying the ransoms. The Boston Globe reported recently that the police department in Tewksbury, a Boston suburb, had paid a $500 ransom to criminals who had encrypted data including arrest and incident records.
“(S)pecialists from federal and state law enforcement agencies – plus two private Internet security firms – could not unscramble the corrupted files,” the paper reported.
There have been similar stories in police departments near Chicago, in Tennessee, New Hampshire and Alabama.
In short, this is a growth industry. Most thieves have learned that if they keep the ransom relatively low – a few hundred dollars – and get a reputation for providing the encryption key once the ransom has been paid, those few hundred dollars per victim can add up to thousands per month.
Val Saengphaibul, security response manager at Symantec, said his firm knows of one cyber gang that makes “at least $35,000 a month. Other cyber-gangs have taken note and there are quite a few of them running this scam,” he said, noting that “payment is not easily traced or stopped, and targeting specific data files that are valuable to people and organizations increases the likelihood of payment.”
Indeed, a recent survey by ThreatTrack Security found that 30% of the security professionals who responded said they would negotiate with the extortionists. And that percentage rose to 55% among organizations that have already fallen victim to cyber-extortionists.
Some of that was conditional. When asked if organizations should set aside funds for paying ransoms to recover their data, 45% gave a conditional “yes,” but nearly half of them said it would “depend on the data.” The most important data, in their view, were employee Social Security numbers, addresses and salaries.
Cybercriminals’ No. 1 priority is making money, not keeping their word.