How much would you pay to prevent your company’s reputation being trashed by a data leak? If reports are accurate, the Royal Mail has baulked at paying the oddly precise £65.7m demanded by the LockBit hacking group that allegedly encrypted the company’s data. Are the ransomware gangs getting too greedy?
That companies big and small regularly pay off criminals to free their data is well known. Big firms won’t usually disclose how much they’ve paid, or that they’ve even paid a ransom at all – ransoms are often negotiated and paid through third-party security companies, who are then paid in turn for their services.
The ransomware attack on the Royal Mail has already been hugely damaging for the company. International deliveries were suspended entirely for weeks and still remain disrupted.
Logs leaked by the LockBit group, as reported in the Financial Times, appear to show that the Royal Mail was negotiating with the hackers, but that the company’s board refused to meet the high price being demanded.
That unusually specific £65.7m figure wasn’t plucked out of thin air. The hackers calculated it was 0.5% of the company’s annual revenues, a point that the hackers made during the leaked negotiations.
The Royal Mail, however, decided to play hardball. “Under no circumstances will we pay you the absurd amount of money you have demanded,” the Royal Mail’s negotiator told the hackers, according to the FT report. “This is an amount that could never be taken seriously by our board.”
Ending the payment cycle
If – and it remains a big if – companies are baulking at the inflated demands of ransomware groups, it would likely be a good thing. The ransomware model only works if enough victims are willing to pay up, and some experts have long argued that paying ransoms should be made illegal to thwart the trade.
However, security experts point out that refusing to meet a ransomware group’s demands is a high-risk strategy. “Ransom negotiations are extremely difficult as both sides have game plans and ulterior motives,” said Jake Moore, global cybersecurity advisor at ESET.
“Victim organisations are desperately looking to extend the timeframe before payments are demanded, whilst criminal groups aim to find the sweet spot in which a ransom amount is viable. However, as both sides often know how the other thinks, it can be a dangerous game to play on very thin ice. Without wanting to see any information released onto the dark web, simply negotiating can upset attackers into releasing stolen data.”
However, even if the ransomware model collapses, Moore fears the criminals will simply find another way to extort companies with their own data. “By not paying a ransom it has the power to overthrow the legacy threat of ransomware, by forcing attackers to target more specifically within organisations and carry on threatening the leaking of data rather than encrypting it,” he said.