Over the past week, several ransomware incidents illustrated the dilemma a company faces once it falls victim to a ransomware gang. Pay up or struggle on?
Each victim of a ransomware attack deals with the problem differently. Some see the best opportunity in negotiating with the hackers behind the attack, while others use all means to get a company back up and running.
Paying on advice
The April 2023 ransomware attack on the KNVB is the first to show how long the consequences can reverberate. For a long time, it was doubtful whether the soccer association would comply with the hackers' demand to pay one million euros in ransom. Weighing the pros and cons of paying must have taken considerable time, since word that the ransom was paid came only this week. The exact sum involved is not known.
The payment was transferred after the association received positive advice from cybersecurity specialists. According to them, the organization behind the attack, LockBit, will comply with the agreements made.
Cybersecurity specialists reacted indignantly to the events. According to the experts, the payment could create a domino effect with negative consequences for other Dutch companies. In addition, many experts denounced the timing of informing victims about the possible spread of private data. The opinion prevails that there was no reason for the football association to wait several months to notify victims. Thus, in addition to the ransomware problems, corporate image may also be damaged.
Preventing identity fraud
Ransomware attacks recently occurred in America at two casino and hotel chains. Caesars Entertainment reported the facts to the Securities and Exchange Commission (SEC) on Sept. 7.
The report shows the ransomware gang was able to obtain sensitive data: “As a result of our investigation, on Sept. 7, 2023, we determined that the unauthorized actor obtained a copy of, among other things, our loyalty program database, which contains the driver’s license numbers and/or citizen service numbers of a significant number of members in the database. We are still investigating the extent of any additional personal or otherwise sensitive information in the files obtained by the unauthorized actor.”
Hackers may be able to link the stolen information to names and addresses, which are usually easy to find through a search on social media sites. That gives them the means to commit identity or credit fraud. For the same reason, Paramount decided to offer victims of a data breach at the company two years of identity and credit protection. The hotel chain offers the same insurance for all loyalty program members.
Caesars hopes to protect victims by paying the hacker group. According to The Wall Street Journal, the amount involved would be about $15 million, or half the amount demanded as ransom.
For the hotel chain, however, the costs and possibly the problems do not end there. “We have taken steps to ensure that the stolen data is deleted by the unauthorized actor, although we cannot guarantee this outcome. We are monitoring the Internet and have not seen any evidence that the data was further shared, published or otherwise misused,” the report indicates. So, even after the payment, a company will still incur costs for monitoring the dark web.
MGM Resorts struggles on
Official advice from governments or political institutions typically discourages companies from transferring payments to hacker groups. After all, payments would support the revenue model of ransomware gangs. Hackers get the signal that their operations are working and gain new resources to develop or buy more sophisticated attack techniques.
Failure to pay can, in turn, cause disruptions in business operations. The ransomware attack on MGM Resorts illustrates that. The company did not respond to the hackers’ demands, which resulted in the unavailability of the booking system. A journalist from Techzine stayed at one of the affected hotels and testified that checking in was done by a staff member of MGM Resorts who wrote his name on a sheet of paper. He further noted that most elevators in the hotel were not operational.
It is unclear whether MGM Resorts will be able to process new bookings. In any case, the chain is already losing considerable revenue by not being able to open its casino. So, without transferring payment to receive the decryption key, a ransomware attack can still be expensive as business operations are forcibly shut down.
This week shows that a ransomware attack will incur costs in all cases. Just remember that negotiating with hackers does not guarantee the promised outcome. A decryption key may not be able to recover all files, and it remains appropriate to monitor the dark web for leaks of obtained data even after payment is made.