Ransomware: Paying up won't stop you from getting hit again, says cybersecurity chief

Paying up only advertises that you are willing to pay, warns NCSC boss.
Written by Danny Palmer, Senior Writer

Ireland's Health Service Executive (HSE) has been praised for its response after falling victim to a major ransomware attack, and for not giving in to cyber criminals by paying a ransom.

HSE was hit with Conti ransomware in May, significantly impacting frontline health services. The attackers initially demanded a ransom of $20 million in bitcoin for the decryption key to restore the network.

While the gang eventually handed over a decryption key without receiving a ransom, they still published stolen patient data – a common technique by ransomware attackers, designed to pressure victims into paying.

HSE's decision not to pay the ransom has been praised by the head of the UK's National Cyber Security Centre (NCSC), Lindy Cameron, especially as the attack had "crossed a line" by disrupting hospital appointments and health services across Ireland.

"I would like to praise the Irish response not to pay the ransom. Cyber criminals are out to make money – the more times a method is successful, the more times it will be used," she said in a speech to the Institute of International and European Affairs (IIEA), an Irish think tank.

The HSE ransomware attack happened around the same time as two other high-profile incidents – the Colonial Pipeline ransomware attack and the JBS ransomware attack. Unlike HSE, both of these organisations paid cyber criminals millions of dollars in bitcoin in exchange for the decryption key.

Colonial and JBS are far from alone in paying ransoms. But many in law enforcement argue that paying the ransom perpetuates the problem, and provides gangs with resources to launch even more ambitious attacks against other targets.

There's also no certainty that paying the ransom will even solve the problem, because it involves trusting that criminals will hold up their end of the bargain – they could easily just take the money and run, or return with an additional ransomware attack.

"Payment of ransoms is no guarantee that you will get your data back – and certainly no guarantee you won't be attacked again – in fact, advertising a willingness to pay makes someone a more interesting prospect," said Cameron.

"So it's important that we do all we can to ensure this is not a criminal model that yields returns. The government's strong action of refusing to pay will likely deter ransomware operators from further attacks on health sector organisations – in Ireland or elsewhere," she added.

Despite receiving the decryption key, restoring the network has been a long and arduous process for HSE and disruption to health services across Ireland is expected for months to come. The NCSC has been helping Ireland's defence forces in the aftermath of the incident, using experience from the WannaCry ransomware attack, which disrupted NHS networks across England.

"As you would expect from a close partner, we did all we could to support our partners in Ireland when the HSE attack took place. This included sharing as much relevant information as we could – both from a cybercrime and a law enforcement perspective," said Cameron.

"The global nature of the cyber threat means that our international partnerships are critical to countering and deterring malicious cyber actors who want to cause harm to the UK," she added.
