Last week, British rock band Radiohead thwarted an attempted digital ransom, in which unnamed hackers stole roughly 18 hours of unreleased music dating back to the band’s recording of its studio album OK, Computer, revealing some less-than-ok computer security (sorry).
Instead of paying a ransom to keep the music secret, Radiohead released the files themselves, giving listeners a chance to stream the content for free, or download it for £18. All proceeds will go to the organized political group Extinction Rebellion, which fights to address climate change.
As digital ransoms and straightforward ransomware attacks continue to plague companies, organizations, and entire cities, a handful of victims, like Radiohead, are taking novel approaches, often refusing to pay.
But these approaches work for few victims, said Bill Siegel, co-founder of CoveWare, which helps ransomware victims rebuild their databases and negotiate with ransomware hackers if necessary.
“I think what Radiohead did was an amazing thing, but the content they had was for public consumption to begin with, unlike a private company’s data, which is never for public consumption,” Siegel said. “You have to draw that distinction. Every case is unique.”
For everyone who isn't Radiohead, fret not, as there are several other creative solutions when recovering from a ransomware attack.
Ransoms, ransomware, and responses
Ransomware attacks continue to threaten and destabilize small and large businesses, and, according to recent data from CoveWare, the actual ransom amounts demanded are increasing dramatically. In the first quarter of 2019, CoveWare found that ransom amount demands increased 90 percent, with the average amount demanded after a Ryuk ransomware attack hitting $286,556. The average ransomware attack downtime is 7.3 days, and the average cost of that downtime is $64,645.
For Radiohead, the band was told to pay $150,000 or risk having the 18 hours of stolen music released online. On June 11, Radiohead guitarist Jonny Greenwood announced the ransom attempt on Facebook, along with the band's subsequent ransom refusal. To read his words, the whole affair seemed tedious.
“[I]nstead of complaining—much—or ignoring it, we’re releasing all 18 hours on Bandcamp in aid of Extinction Rebellion,” wrote Greenwood. “Just for the next 18 days. So for £18 you can find out if we should have paid that ransom.”
The band’s description of the recorded material is even more mundane:
“it’s not v interesting
there’s a lot of it.”
(The Guardian gave it four out of five stars.)
Less than one week after Greenwood’s announcement, another potential digital ransom victim refused to back down.
On June 15, actress Bella Thorne told her followers on Twitter that, after a hacker attempted to blackmail her with stolen nude photos, she was going to post those photos herself.
"I'm putting this out because it's my decision. Now you don’t get to take yet another thing from me,” Thorne wrote in a note posted on Twitter. "I can sleep better knowing I took my power back. You can't control my life, you never will.”
Thorne’s response echoed another blackmail attempt that was shut down earlier this year by Amazon CEO Jeff Bezos. Following the National Enquirer’s exposé into Bezos’ affair with a television anchor, which revealed several surreptitiously-obtained private messages, Bezos hired a private investigator to look into how his private texts were leaked to the supermarket tabloid. Weeks into the investigation, Bezos said he was offered a proposition by the paper's owner: Stop his investigation or suffer the publishing of more intimate details, including one “below-the-belt selfie.”
Bezos did not buckle. Instead, he wrote on Medium about his back-and-forth with the National Enquirer’s owner, AMI.
“Of course I don’t want personal photos published, but I also won’t participate in [AMI’s] well-known practice of blackmail, political favors, political attacks, and corruption,” Bezos wrote. “I prefer to stand up, roll this log over, and see what crawls out.”
Bezos, Thorne, and Radiohead all responded the same way—they flipped the situation, turning themselves from victims into champions.
“I don’t love @JeffBezos in general, but I LOVE Jeff Bezos in particular here,” wrote Silicon Valley journalist Kara Swisher on Twitter.
“Bella Thorne steals hackers thunder,” wrote one cybersecurity blog.
“Radiohead Just Took On Ransom Hackers—And Won,” read the headline for Forbes.
Siegel said Radiohead’s response “defused” the situation.
“That’s an important word when it comes to public ransomware incidents,” Siegel said. “It is the ability to control the narrative and defuse it. It makes a big difference in the perception of how it was handled.”
But when it comes to how organizations have responded to actual ransomware—which is not the same as the above examples—the publicized results have been less empowering.
Ransomware attacks are unlike the threat made against Radiohead, making the responses to them potentially more complicated. Ransomware authors often target a large organization, deploying malware that encrypts all the files stored on a machine, leaving them indecipherable and completely useless unless decrypted.
Ransomware attackers then give victims a choice: Pay up and get the decryption key, or, lose access to all your files forever.
Recently, one ransomware victim chose the latter.
In April, a two-surgeon medical practice in Michigan shut down early—about one year before the doctors' planned retirement—after getting hit with a string of ransomware that locked all patient files behind a guarded decryption key. Medical records, bills, and patient appointments were all inaccessible after the attack.
The two doctors decided against paying the demanded $6,500 ransom, because, according to an interview with the Star Tribune, there was no guarantee the decryption key would work or that the ransomware wouldn’t be deployed against them again.
The lost appointment calendar led to one of the doctors staying in the office simply to cover all the upcoming—but unviewable—appointments.
“We didn’t even know who had an appointment in order to cancel them,” one of the surgeons told the Star Tribune. “So what I did was just sort of sat in the office and saw whoever showed up. For the next couple of weeks.”
This outcome, Siegel said, is not desired.
“It’s not super responsible,” Siegel said. “There are still patients who want their records, and they can’t get them anymore.”
Another ransomware victim that failed to appropriately respond is the City of Baltimore.
In early May, threat actors deployed the ransomware RobbinHood against 10,000 computers used by the City of Baltimore, locking city services into digital gridlock. As of June 5, only one third of the city’s employees had received new logins, and the process to obtain new credentials required in-person visits. Some email and phone services had been restored, city officials said, but much of the city’s payment processes were still relegated to manual efforts. Residents’ water bills would be higher in the future, said one official, because the smart meters could not accurately capture water usage for the past month. Parking tickets needed to be paid in person, with the physical ticket in hand.
All accounted, the cost of the ransomware attack would hit $18 million, with $10 million devoted to cleanup and $8 million lost from downtime. The original ransom amount demanded was 13 Bitcoin, or about $116,000 today.
“If you look at Baltimore, it’s a case study of what not to do, across the board,” Siegel said. “If you don’t have a plan, and you make that very obvious, in public, you’re just thrashing around.”
Turning panic into progress
Two weeks ago, we gave users a rundown on how to prepare for a ransomware attack on their systems. While useful, the guide focuses on preparation—after all, the best way to protect against ransomware is to prevent it from happening in the first place.
But what about the company that has already been hit with a ransomware attack? What about a mid-sized business that doesn’t have the resources of the world’s richest man (Bezos), the popularity of the band that made the often-named most influential record of the current millennium (Radiohead), or the courage to post revealing information about themselves, detractors be damned (Thorne)?
What options are left for businesses that can’t shut down overnight, can’t afford to spend $18 million on recovery, and still refuse to pay a ransom?
There are many options, Siegel said. Further, these options are just as ingenuous as every example listed, just maybe not as flashy.
“It’s not as fun a story, but the practical reality of recovery in lieu of paying involves a lot of creativity,” Siegel said. He said that, for CoveWare's many clients, if there is ransom on the table to pay, “our stance is, it’s always the last resort.”
Immediately after a ransomware attack, Siegel said that company employees have three priorities in maintaining their business and limiting downtime: access to email, access to the Internet, and access to a file server to save and share their work.
As a business ensures that its employees can actually work in the following days, it can also start by rebuilding the data that is currently locked by a ransomware attack. There are many methods, and most of them aren’t high-tech. Instead, they’re clever, Siegel said.
“We’ve seen before that everybody gets their laptops, we’re talking 65 laptops in a room, and we start copying emails off of everybody’s Outlook accounts, literally to start rebuilding,” Siegel said. He said he has also seen employees going through all their email inboxes and outboxes and copying attached documents that were sent and received.
“It’s amazing where you can find copies of data,” Siegel said.
While the rebuilding process is happening, companies can also discuss the actual cost of paying a ransom or getting help to rebuild internal databases. For example, Siegel said, if a company has lost its QuickBook files through a ransomware attack, it can determine whether it makes more sense to spend, say $10,000 to $20,000 hiring local contractors to rebuild a database of invoices and accounts payable, rather than paying $100,000 for a ransom. Plus, Siegel said, a rebuilt database is a guarantee, whereas a paid ransom is not—according to CoveWare data, 96 percent of paid ransoms are honored.
The decision to pay off a ransom isn’t just economical, Siegel said. It’s also moral.
Siegel mentioned a client he spoke to who was hit with ransomware. The client’s insurance policy was going to cover the recovery cost (which is not always a guarantee), but the client was considering hiring contractors and local vendors to help rebuild his company’s database rather than paying the ransom. The cost to rebuild, Siegel said, would be about $300,000 to $400,000 for the client.
“The client said ‘Granted, it might take a month [to rebuild], versus paying [the ransom], which takes a day, but I’m going to put that money back into the local economy, hiring contractors and vendors, rather than shipping it over to criminals,’” Siegel said.
Paying a ransom is a last resort for many ransomware victims. But that doesn’t mean victims have to be completely undone by an attack. Instead, they can turn the tables, rebuilding from scratch, or doing their part to keep money out of criminals’ hands. Or, in the extremely unique case of Radiohead’s digital ransom, creating a revenue stream that never would have existed, and delivering that money straight to a social cause.
Perhaps the band was prophetic in 16 years ago naming its sixth studio album: Hail to the Thief. But in the case of businesses and celebrities who refuse to pay the ransom, it's more like Fail to the Thief.