Three quarters of Chief Security Officers ‘stockpiling crypto to pay off hackers’

Bitcoin and Ethereum are being set aside to fend off the threat of hackers…

A staggering 73 per cent of IT security bosses are setting aside supplies of cryptocurrencies like Bitcoin and Ethereum in order to pay ransomware demands, a new study claims.

Minneapolis data security firm Code42 released its 2018 Data Exposure Report to little fanfare. But the results make for shocking reading.

The growing threat of intrusions from cybercriminals and other hostile actors has led nearly three-quarters of chief information security officers (CISOs) to stockpile cryptocurrency, according to the survey. Of the 73 per cent of CISOs who admitted they had accumulated reserves of Bitcoin in case of a ransomware attack, 79 per cent said they had gone on to pay a ransom.

These statistics suggest that not only are CISOs ignoring guidance from policing and security agencies, but also that paying off hackers in their chosen cryptocurrency is standard practice across the industry.

Official advice from Action Fraud, the UK’s national reporting centre for fraud and cybercrime, remains that companies and individuals should report ransomware attacks to the authorities immediately, and should under no circumstances make payment.

Its guidance reads: “Don’t pay extortion demands as this only feeds into criminals’ hands and there’s no guarantee that access to your files will be restored if you do pay.”

One of the largest state-sponsored ransomware attacks remains WannaCry in May 2017, widely attributed to hackers working for North Korea.

Exploiting a vulnerability in the SMBv1 file-sharing service of the Windows operating system, for which Microsoft had issued a patch (MS17-010) two months earlier, the cryptoworm spread itself across hundreds of thousands of unpatched machines, encrypting user files and locking users out of their systems. A popup then demanded a ransom of $300 in Bitcoin, rising to $600 after three days, to unlock each infected computer. Because the worm used only three hard-coded Bitcoin addresses, the attackers had no reliable way of telling which victim had paid, an illustration of the Action Fraud warning that payment guarantees nothing.

Victims across some 150 countries included German railway company Deutsche Bahn, Spanish multinational telecoms firm Telefonica and Nissan’s car manufacturing plant in northern England.

The worst hit was England’s National Health Service: 80 of its 236 hospital trusts were affected. Some Accident and Emergency departments had to divert ambulances to other hospitals, and staff were left without access to patient records.

In a ‘lessons learned’ document NHS England noted that it had no record of any hospital paying off hackers, but said: “The occurrence of cyber attacks across the UK economy is increasing so, in the judgement of most industry experts, it is not a question of “if” but “when” the next cyber-attack strikes the health and social care system.”

Self-fulfilling prophecy

We asked Code42 for further comment on these figures. Jadee Hanson is the company’s Chief Information Security Officer, leading on global risk, security, insider threat monitoring and investigations.

Why does she think that so many CEOs and CISOs are stockpiling cryptocurrency?

“Research from our recently published report tells us that top of the list of the factors contributing to these numbers is the increasing threat of intrusions. Among CISOs, 61 percent say their company has been breached in the last 18 months.

“Are executives resigned to the inevitable? Perhaps. Despite companies spending billions protecting security perimeters, they are still left vulnerable and exposed – especially if they are working under the false assumption that paying a ransom guarantees the safe return of corporate data.”

According to Code42, 80 per cent of CEOs who have accumulated reserves of Bitcoin to guard against an attack have paid off hackers who penetrated their systems.

Both figures have been trending upwards for the past three to five years, suggesting that quietly paying off cybercriminals is becoming standard industry practice.

Hanson admits to being surprised by the level of acquiescence from C-level executives in response to ransom demands.

“In lieu [of making cryptocurrency payments] CISOs should identify security tools that ensure data is automatically backed up without end user intervention. This prevents the spread of ransomware throughout an organisation.

“With backup in place, IT leaders can regain access to data in minutes, rather than spending hours or days recreating lost folders and files.”

“Stockpiling cryptocurrency as a ransomware contingency plan is a very dangerous practice and does not solve the larger problem,” says Hanson. “Paying a ransom does not guarantee the safe return of corporate data; it only enables and emboldens cybercriminals.”

Image: BigStock