Extortion Hacking On the Rise, But Does Not Always Pay Off

Cyberattacks are on the rise, with major corporations, media companies, the healthcare industry and even the federal government becoming targets of hacking. Recent incidents involved media content as hackers threatened early releases of movies and streaming series if the property owners failed to pay ransoms. Hackers called the Shadow Brokers told the NSA they would release secret espionage tools unless the agency paid up. Security experts suggest that this type of extortion has had mixed results thus far.

Last week, Disney refused to pay hackers who claimed to have stolen the new “Pirates of the Caribbean” movie and threatened to release it if the company didn’t pay up. That followed on the heels of Netflix, which also didn’t give in to hackers who threatened to release the new season of “Orange Is the New Black.” The hackers made good on the latter threat, posting episodes to The Pirate Bay, a popular torrent site.

According to Wired, extortion can pay, but “recent examples suggest that once a hack reaches a certain level of notoriety, the shakedown falls apart.” None of the entities mentioned above want to be seen as negotiating with hackers, since “giving into extortion demands once only invites further attempts.” But even when people do pay up, it’s often at a very reduced rate. Hollywood Presbyterian Medical Center, for example, got its ransom down from $3.6 million to a mere $17,000.

“To pay or not to pay is tough; there’s clearly strong interest in seeing people not paying,” said security firm Forcepoint chief scientist Richard Ford. “The less profitable the attack, the less attractive it is, long term.” But, as threat intelligence firm Digital Shadows executive Rick Holland says, one of the problems is that people who do pay hackers don’t talk about it. Just the fact that the hacking continues “seems to indicate [it’s] worth it for criminals at least sometimes.”

These attacks are fairly inexpensive to mount, and, as Holland said, “there is a ton of low hanging fruit out there,” particularly in healthcare entities. The hacks that pay off more reliably, reports Wired, are those that “target the little guy instead of standalone mega-corporations.” In other words, target thousands of individual computers, asking $100 to decrypt each one, and the dollars — or, rather, Bitcoin — can add up.

“Crime as an industry is digitizing,” said crisis response firm Guidance Software chief executive Patrick Dennis. “It’s getting more efficient and it’s getting to be lower cost and so it gives [criminals] the flexibility to conduct crime using all different business models.”

Dark Overlord, the group that hacked “Orange Is the New Black,” is behind at least 20 recorded attacks since last June, according to Holland, meaning “that the group could be raking in a lot more than it appears.” On the other hand, the recent incident involving Disney reportedly garnered nothing at all.