Why Succumbing to Cyber Extortion is Dangerous

On February 5, 2016, the use of ransomware on Los Angeles' Hollywood Presbyterian Medical Center caused a shutdown of their systems and served as a reminder of the increasingly pressing issue of cyber extortion. The hospital released a statement reassuring that neither patient care nor employee or patient information were compromised during the attack. The statement also clarified that initial reports that the hospital paid $3.4 million to the hackers were mistaken, but the hackers walked away with just short of $18K, as it was deemed the "quickest and most efficient way" to obtain the decryption key so they could regain access to their systems. The issue with this statement is that paying the ransom does not guarantee the return of data. In fact, most IT and security resources agree that paying is confirmation to cyber attackers that they should return in the future.

Cyber Crime, Ransomware & Data Security

In 2013, the National Crime Agency (NCA) released a mass warning through their National Cyber Crime Unit (NCCU) about a rise in ransomware and its dangers, and the use of ransomware by cyber criminals has only increased since then. ComputerWeekly.com estimated that online hackers can bring in an average of "thousands of pounds" on a weekly basis using ransomware on small to medium-sized enterprises, but their threat to larger corporations ranges from thousands to millions of dollars per attack. The specifics of these cyber attacks remain unknown, despite the massive amounts of attacks worldwide in the past few years, because the victims have silently paid out of fear for their company and clients. While this fear is understandable, it must be understood that giving in to it will only perpetuate the issue. Without an investigation into how the attacks occur, a future that holds the ability for businesses to prevent these attacks remains most probably impossible.

The attack on Hollywood Presbyterian Medical Center was preceded by a similar attack on the Lincolnshire County Council in the United Kingdom in January 2016. The main difference between the attacks is the L.A. hospital paid and the UK county council refused. Although the ransom was substantially lower (£345 pounds, which is only about $500) in the UK attack, the principal of refusal elicited much praise from news sources and security industry analysts alike.

Both victims have long since restored and secured their systems, but there is a clear message sent in light of these events. It is imperative that more corporations 1) Implement precautions to prevent ransomware attacks, and 2) Take a stand against hackers so that their methods will be known and stopped in the future. The fear tactics used worldwide to gain access to data have been increasingly more successful; but if small businesses and global corporations alike link arms to create a united front for the purpose of fighting back against these attacks, then cyber extortion will be one step closer to extinction.