EPISODE 4: When what’s ‘out there’ is already ‘in here’…And it’s demanding money with menaces.


Couldn’t we just have paid the ransom? The CEO’s story.

CEO Doug was now in possession of all the facts relating to the attack that had simultaneously held his business’s data hostage and compromised his employees’ confidential login credentials.

At least, he thought he was.

Because although he’d seen the ransomware note that appeared on the company’s systems, he hadn’t yet seen how much it would have cost him.

What the analysts had originally found, as we reported in Episode 2, was that the Bitcoin wallet that the attacker was using to collect the ransom already bore traces of previously executed ransomware attacks elsewhere.

But what was clearer now was just how much had been extorted in each case – and therefore the financial exposure that Doug’s business potentially faced.

Paying the ransom: you’re never done with it

Two previous Bitcoin ransoms identified by the analysts as using the same Bitcoin wallet specified in the attack on Doug’s organisation totalled 100 Bitcoin – around £250,000 at the market rates of the time.

Doug had at one point contemplated just paying the ransom and getting on with his business – after all, not being able to reach his data was costing him money hand over fist every single day, so surely a one-off hit to the bottom line to make it all stop and go away was worth it?

A conversation with the Reliance acsn analysts soon persuaded him otherwise. Ransom payers, they explained, tend to go onto a ‘suckers’ list’ that is shared between hackers and encourages repeated attacks with ever-increasing stakes.

There is also no guarantee – absolutely none whatsoever – that the ransom attack perpetrators will in fact decrypt the data once they have been paid!

And of course – the big hit – you never know what’s left behind. Backdoors? Information stealing?

The truth is even if you pay – and even if you do get your data back – any business would still need forensic security investigation and clean-up to be sure they aren’t just setting themselves up for more of the same.

We know who’s getting paid – and how. The analyst’s story.

Doug’s security analyst from Reliance acsn – by now in such regular contact with Doug that he was starting to seem like family – had finished some in-depth investigation into the Bitcoin wallet being used by the ransom attackers.

The threat intelligence data Reliance acsn gathered provided a likely attribution for the attack. The use of the Ryuk ransomware and the Bitcoin wallets seen in the ransom notes strongly indicated a link to the threat actor Lazarus Group.

This group has previously been responsible for large-scale ransomware campaigns in the UK, the most notable example being the notorious WannaCry attack that temporarily paralysed many parts of the NHS.

Where are the Bitcoins going?

The Reliance acsn analysts looked for the Bitcoin wallet that the attackers had used in this and previous attacks, and found it under the address 1Kx9TT76PHwk8sw7Ur6PsMWyEtaogX7wWY.

But what they also found was that the attackers were making concerted efforts to cover their tracks.

There were in fact two further wallets being used – and it was clear that funds from the previous ransom transactions had been split across them, as a technique to avoid tracing.

Lazarus Group is suspected of receiving state sponsorship from the North Korean government, and in September 2018, the US Department of Justice convicted a North Korean programmer associated with the group.

“The hacker in the hoodie is how everybody likes to think of the typical cyberattacker,” the analyst explained to Doug, “but these days they’re just as likely to put on a suit in the morning like you and me and go to work in a government building.”

State-sponsored hackers are backed by significant financial and operational resources and are recruited for their outstanding technical skills – in much the same way governments recruit security analysts.

It therefore makes sense to counter one with the other – not rely on software to do the job for you!

So what did it all cost Doug, Tasneem and Chris?

Paying the ransom would have proven to be a dangerous and expensive move long-term, but that didn’t mean that Doug’s enterprise hadn’t already been hit by some phenomenal costs and losses.

According to analysis from the Ponemon Institute, the average time taken to resolve ransomware attacks is 23 days. That’s 23 days of emergency IT services and incident response, compounded by loss of operations, productivity, and sales output – and, therefore, revenue.

In hard numbers? The WannaCry ransomware attack cost the NHS over £77 million. Yearly, ransomware costs UK companies around £346 million, with over 40% of UK businesses reporting five attacks a year, at a total cost to each of them of around £330,000.

And that’s without paying the ransom!

Of course, there are the ‘hidden’ costs, too.

The damage to the business’s reputation when it couldn’t fulfil its orders, or when Chris’s major accounts suddenly started receiving pornographic material from his email address, or when its login credentials were found for sale on the Dark Web.

The manual overhead to the IT department of resetting and securing login credentials that were stolen from several thousand individuals in the accompanying exfiltration attack, and of restoring data back into the business from a less than user-friendly backup solution.

And, of course, the cost of hiring replacements for Tasneem and Doug. (It could easily have come to that, of course).

So what are the lessons learnt?

In all four episodes of this story, we’ve essentially been exploring what happens when security becomes an exercise in pushing responsibility wholly towards the IT department, and the only way the IT department – stretched, as all IT departments are – can respond is by putting blind faith in the ‘black box’ of security technology, in order to achieve a state of tickbox compliance.

And guess what? Nobody told the attackers about the ticks or the boxes.

Nobody’s there to realise when the attackers are getting round the ticks in the boxes.

And – worse – nobody’s teaching Chris, or Doug, or anyone else who isn’t in IT how to develop secure behaviours and play their part in keeping the organisation safe, too.

When what’s ‘out there’ gets ‘in here’, these are pretty short odds against being able to do anything about it.

Want to know what Reliance acsn did about it?

Coming soon: our exclusive white paper with all the technical detail! 
