Elliott Frantz, founder of the cybersecurity firm Virtue Security, agrees that ransomware is easier to monetize than the theft of medical records. The WannaCry hackers demanded bitcoin for ransom — but sometimes extortion is not the attack’s objective. The so-called Petya or Goldeneye attack, which may have originated in Russia and attacked many nations, including Ukraine, could have been designed and executed out of malice: the sites designed to receive the ransom payments were not functional.
What was interesting about the Petya attack was the sophisticated way it infected and spread, says Mr Frantz. “The people who were attacked were not necessarily at fault. [Petya] could spread to systems that are fully patched,” unlike the NHS WannaCry breach last May.
Petya “digs very deep into the Windows system internals to extract passwords and uses those passwords to log into other computers,” explains Mr Frantz. “It targets institutions. It’s designed to spread laterally. That’s one of the key things about this that makes Petya new and interesting. The WannaCry ransomware was primitive by comparison.”
One effective way to prevent such attacks, whether their aim is ransom or disruption, is to practice what security experts call “hygiene,” or safe and secure computer habits that prevent the virus from entering a system. Yet computer hygiene is only as strong as its weakest link: Mr Frantz points out that “there’s always going to be someone who falls for the age-old trick of opening attachments.” Phishing emails are designed to appear as if they came from a known person. And if one person clicks on the link, the malware burns like pandemic influenza through an entire system. “Hackers go to significant lengths to learn about their victims,” he added.
What then? According to Jon Neiditz, a partner in the Atlanta-based law firm Kilpatrick, Townsend & Stockton and an expert in privacy and health security law, “you can’t rule out needing bitcoin at some point,” though he acknowledges that the FBI in 2016 advised institutions never to pay ransom.[3] He points out, however, that in 2015 an FBI expert admitted that sometimes bitcoin is the only recourse.[4] In one instance, Mr Neiditz says, a company paid a ransom fee that the hackers promised would keep them safe for a year. Six months later, the hackers came back for more. The company objected that they had been promised a full year. The hackers agreed, apologized, and disappeared again for another 6 months. “Honor among thieves,” says Mr Neiditz. “In the information security world, no one would ever say ‘I’ll never need bitcoin.’”