One of the biggest internal debates facing ransomware recovery planners is whether to pay an extortion demand or fall back on a process of internal data recovery.
Increasingly, however, victims who decide to pay face a second and potentially complex question: is it worth trying to retrieve a ransom after it has been paid?
For years, this possibility was seen as somewhere between non-existent and remote, so the question was never considered. While the blockchain itself is a public ledger, the ransoms paid in cryptocurrency and recorded in it were seen as untraceable to real identities.
More recently, this assumption has eroded. A good example of this is the investigative tooling deployed by companies such as Chainalysis, which can build a detailed picture of the transactions moving into and out of specific cryptocurrency addresses.
It turns out that cryptocurrency payments can be traced and connected to illicit activities, and even the shadowy organizations that use them. It just takes a bit of expertise and legwork.
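The "expertise and legwork" behind tracing a ransom payment comes down to two ideas: following tainted coins forward through the public ledger, and grouping addresses into clusters that are likely controlled by one party. The script below is an added illustration written for this article, not code from the article's author or from any commercial analysis vendor. It uses a constructed toy ledger and a constructed attribution list (the address names, transaction ids and the "ExampleExchange" label are all made up), and it implements two textbook heuristics in simplified form: poison-style forward taint propagation and common-input-ownership clustering. Real investigative tools use many more heuristics and far larger attribution datasets.

```python
"""Toy blockchain tracing: follow ransom funds forward through a UTXO-style
ledger and cluster addresses by the common-input-ownership heuristic.
All data below is constructed for illustration; it is not a real ledger."""
from collections import defaultdict, deque

# Constructed sample transactions. Each spends some addresses (inputs) and pays
# others (outputs). Amounts are illustrative BTC values.
LEDGER = [
    {"txid": "tx1", "inputs": ["victim_addr"],    "outputs": [("ransom_addr", 30.0)]},
    {"txid": "tx2", "inputs": ["ransom_addr"],    "outputs": [("hop_a", 29.5), ("ransom_change", 0.5)]},
    {"txid": "tx3", "inputs": ["hop_a", "hop_b"], "outputs": [("deposit_1", 44.0)]},
    {"txid": "tx4", "inputs": ["ransom_change"],  "outputs": [("hop_c", 0.45)]},
    {"txid": "tx5", "inputs": ["unrelated"],      "outputs": [("hop_b", 15.0)]},
]

# Constructed attribution list: addresses an investigator has already tied to a
# named service (a hypothetical exchange) through its own sources.
KNOWN_ENTITIES = {"deposit_1": "ExampleExchange"}


def cluster_by_common_input(ledger):
    """Common-input-ownership heuristic: all addresses spent together as inputs
    of one transaction are assumed to be controlled by the same party.
    Returns address -> frozenset of addresses in its cluster (union-find)."""
    parent = {}

    def find(a):
        parent.setdefault(a, a)
        while parent[a] != a:
            parent[a] = parent[parent[a]]  # path halving
            a = parent[a]
        return a

    def union(a, b):
        ra, rb = find(a), find(b)
        if ra != rb:
            parent[rb] = ra

    for tx in ledger:
        first = tx["inputs"][0]
        for other in tx["inputs"][1:]:
            union(first, other)
        for addr, _ in tx["outputs"]:
            find(addr)  # register outputs as singleton clusters
    members = defaultdict(set)
    for addr in parent:
        members[find(addr)].add(addr)
    return {addr: frozenset(members[find(addr)]) for addr in parent}


def trace_forward(ledger, start, known, max_hops=6):
    """Breadth-first walk from `start` along spending transactions. Every output
    of a transaction that spends a tainted address is treated as tainted
    (poison-style propagation). Returns address -> (hops, list of txids on the
    path) and a dict of reached known entities -> address where they were hit."""
    spends = defaultdict(list)  # address -> transactions that spend it
    for tx in ledger:
        for addr in tx["inputs"]:
            spends[addr].append(tx)
    reached = {start: (0, [])}
    hits = {}
    queue = deque([start])
    while queue:
        addr = queue.popleft()
        hops, path = reached[addr]
        if hops >= max_hops:
            continue
        for tx in spends[addr]:
            for out_addr, _amount in tx["outputs"]:
                if out_addr in reached:
                    continue
                reached[out_addr] = (hops + 1, path + [tx["txid"]])
                if out_addr in known and known[out_addr] not in hits:
                    hits[known[out_addr]] = out_addr
                queue.append(out_addr)
    return reached, hits


def ransom_trace_report(ledger=LEDGER, start="ransom_addr", known=KNOWN_ENTITIES):
    """Combine both steps: which known service received tainted funds, the
    transaction path that got them there, and which addresses the ledger
    itself links to the first hop."""
    clusters = cluster_by_common_input(ledger)
    reached, hits = trace_forward(ledger, start, known)
    return {
        "hits": hits,
        "paths": {a: p for a, (_, p) in reached.items() if a in hits.values()},
        "cluster_of_hop_a": sorted(clusters.get("hop_a", frozenset())),
    }


if __name__ == "__main__":
    report = ransom_trace_report()
    for entity, addr in report["hits"].items():
        print(f"{entity} received tainted funds at {addr} via {report['paths'][addr]}")
    print("addresses co-spent with hop_a:", report["cluster_of_hop_a"])
```

In the toy ledger the ransom output is split, one part reaches an address already attributed to the hypothetical exchange two hops later, and the co-spend in tx3 ties hop_a to hop_b even though hop_b never received tainted coins. That last point is the practical value of clustering for a victim or prosecutor: an exchange deposit address with an identifiable account holder, or a cluster large enough to seize, is what turns a public ledger entry into a recoverable sum, which is the kind of outcome the Maastricht case below describes.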
The $220,000 Question
One victim benefiting from this recently is the University of Maastricht in The Netherlands, which suffered a highly disruptive ransomware attack in December 2019.
This was a classic ransomware attack, launched at a moment of maximum weakness less than two days before the Christmas break when admin staff were either away or about to leave. Within 30 minutes, the attack crippled a reported 267 servers, including some used for backup.
The university later disclosed it had paid the attackers a ransom of 30 bitcoins, equivalent at the time to around $220,000. In a later press conference discussing the incident, University Vice President Nick Bos explained that the institution felt it had no alternative but to pay up:
“The damage of that to the work of the students, scientists, staff, as well as the continuity of the institution, can scarcely be conceived,” he reportedly said.
However, the university also reported the payment to the Dutch Public Prosecution Service, which had been able to trace the ransom payment to a wallet connected to Ukraine containing $40,000 in bitcoins.
The good news is that since the discovery, the frozen bitcoins have grown to a value of $500,000, more than the original ransom, hypothetically putting the university in the black. Actually recovering this will require further legal action, which is ongoing, the university said.
Two important themes emerge from this unusual incident. The first is that it is possible, at least in theory, to pursue and retrieve ransom payments after they’ve been made. In the case of the University of Maastricht, being a public institution spending taxpayer money probably made it easier to enlist the help of the authorities.
Hopefully, this experience will convince more law enforcement agencies to offer help to public sector organizations that fall prey to ransomware.
The issue, of course, is whether that effort is worth it, either for the police or the victim. Although ransom payments can be substantial, they remain the lesser part of what it costs to restore an organization’s systems. Undoubtedly, the University attack will have cost it far more than the value of any bitcoins it manages to get back.
A Model Ransomware Response
A second theme is simply the incredible transparency the university has shown in its post-incident communication, including holding a press conference with a Q&A session that explored how the attack happened and might be prevented in future.
This highlights an issue that has bedevilled the response to ransomware attacks—everyone experiences innovative cyberattacks as something new and surprising, even though the same tactics were probably deployed on many occasions against other victims.
If defenders could somehow pool their experience and learning, ransomware would be a much smaller industry.