Road Transport Forum paid ransomware hijackers, Shirley admits

Road Transport Forum boss Ken Shirley says his group paid after being hit by a ransomware attack.

Ransomware encrypts data on an organisation's computers, rendering them unusable until money is paid to the attackers.

Police, the government's Computer Emergency Response Team (CERT) and NetSafe have all repeatedly told NBR that victims should not pay a ransom.

They say there is no guarantee that access to files will be returned. And, more, it encourages further attacks and often channels funds to eastern European-based organised crime outfits that are also engaged in the likes of selling drugs and human trafficking.

However, tech specialist lawyer Michael Wigley has taken a contrarian position, saying companies should consider paying up, and that they may even have a duty-of-care responsibility to their clients to make a best-effort to retrieve lost files.

"My instinct was not to pay," Mr Shirley tells NBR.

"I was the last one to be dragged across the line. But I had to take into account the counter-factual: It would have cost three times as much to restore our system, and we wouldn't have got our files back." The Road Transport Forum represents the trucking industry, and Mr Shirley and his staff lobby on behalf of its members.

After five data-less days, he relented – only to be shocked that, after following instructions to make contact with the data hijackers, they demanded more money.

He refused to pay any more than the originally requested amount. The attackers backed down and returned access to the files instantly after the ransom was paid in bitcoin.

Preventing attacks
Mr Shirley says he's sharing his story, so others aren't put into the situation of having to make the same difficult decision.

He says a security hole was discovered and has since been patched.

The RTF chief executive refuses to say how much his organisation paid but ransomware attackers typically demand around $US400-500 – an amount pitched low enough to entice people into taking a gamble on getting their files back, and below the likely cost of restoration.

The other key precaution is to keep a backup copy of key files offline and offsite — and to run constant checks to make sure backup processes work, and to keep historic backups in case a current backup is compromised.

Where to turn
CERT says ransomware is the fastest-growing form of attack on computer systems, both globally and in New Zealand.

And Mr Shirley is not alone in paying up.

Recently, Symantec cyber-security strategy manager Nick Savvides told NBR his company is aware of hospitals and even police departments in the US who have paid up after being hit by ransomware.

If an organisation is hit by a ransomware attack then, like Mr Shirley, it should contact CERT. The government agency can advise on triage, both from a technical standpoint and in terms of directing the organisation to the right law enforcement officials.

All content copyright NBR. Do not reproduce in any form without permission, even if you have a paid subscription.