
What Happens When You Don't Pay the Ransom?

One example from England, and what you can do.

The story below shows one instance in which the police refused to pay. More importantly, see the recommendations from cybersecurity experts that follow.

Providing for a secure operating environment keeps getting harder!

"The Daily Mail reported Sunday Russian hackers leak confidential UK police data on the 'dark web' after their ransom was rejected. The ransomware group “Clop” is reported to have stolen the data from the IT firm Dacoll, a company that handles access to the Police National Computer (PNC), after they refused to pay the demanded ransom. The amount of ransom has not been shared. One of Dacoll’s subsidiaries, NDI Technologies, provides officers remote access to 90 per cent of the UK's police forces."

Baber Amin, COO, Veridium:

"As more distributed compute and storage services become the norm, it is more important than ever to look at the complete chain of suppliers and their internal security practices and processes. In this case both the IT firm and UK police should implement matching access control. Preventing successful phishing attacks, as usual, requires a layered approach to security and access.

  • Eliminate all unauthenticated access by requiring every connection to be authenticated
  • Eliminate all single-factor authentication by enabling multiple factors
  • Depending on the information being accessed, assign different authentication factors based on their trust level.
  • Create a multi-channel authentication strategy such that a single compromised channel does not compromise the system
  • Do not allow full access across all systems even if the user is authenticated via some sort of MFA. Compartmentalize all access
  • Implement tools that look for unusual activity, e.g. probing, multiple failures, large data ingestion or large data extraction
  • Implement tools that evaluate endpoint trust and can identify bots and automated processes
  • Implement behavioral biometrics to distinguish normal users from bots and bad actors"
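One way to implement the "look for unusual activity" item above, as an added example that is not part of Amin's commentary or of any vendor product: it scans constructed remote-access log lines in an assumed `timestamp user event resource bytes` format and flags repeated authentication failures, record probing and large data extraction. The log format, user names and thresholds are all assumptions made for the example.

```python
from collections import defaultdict

# Constructed sample of vendor remote-access log lines in a hypothetical
# "timestamp user event resource bytes" format; not from any real system.
SAMPLE_LOG = "\n".join(
    ["2021-12-12T09:00:01 alice LOGIN_OK - 0",
     "2021-12-12T09:00:05 alice QUERY rec/1001 2048",
     "2021-12-12T09:00:09 alice QUERY rec/1002 1900"]
    + ["2021-12-12T09:03:%02d mallory LOGIN_FAIL - 0" % s for s in range(10, 20, 2)]
    + ["2021-12-12T09:10:00 bob LOGIN_OK - 0",
       "2021-12-12T09:10:30 bob EXPORT rec/batch-1 30000000",
       "2021-12-12T09:11:00 bob EXPORT rec/batch-2 30000000",
       "2021-12-12T09:11:30 bob EXPORT rec/batch-3 30000000"]
    + ["2021-12-12T09:20:%02d eve QUERY rec/%d 512" % (s, 2000 + s) for s in range(25)]
)

# Thresholds are illustrative assumptions; tune them per environment.
FAIL_THRESHOLD = 5                 # repeated authentication failures per user
PROBE_THRESHOLD = 20               # distinct records touched per user
EXTRACTION_THRESHOLD = 50_000_000  # bytes pulled per user


def parse_log(text):
    """Yield (timestamp, user, event, resource, size) tuples; skip malformed lines."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5 or not parts[4].isdigit():
            continue
        ts, user, event, resource, size = parts
        yield ts, user, event, resource, int(size)


def find_unusual_activity(text, fail_threshold=FAIL_THRESHOLD,
                          probe_threshold=PROBE_THRESHOLD, extraction_threshold=EXTRACTION_THRESHOLD):
    """Return sorted (signal, user, value) alerts for failures, probing and extraction."""
    failures = defaultdict(int)
    resources = defaultdict(set)
    extracted = defaultdict(int)
    for _ts, user, event, resource, size in parse_log(text):
        if event == "LOGIN_FAIL":
            failures[user] += 1
        elif event in ("QUERY", "EXPORT"):
            resources[user].add(resource)
            extracted[user] += size
    alerts = [("repeated_failures", u, n) for u, n in failures.items() if n >= fail_threshold]
    alerts += [("probing", u, len(r)) for u, r in resources.items() if len(r) >= probe_threshold]
    alerts += [("large_extraction", u, b) for u, b in extracted.items() if b >= extraction_threshold]
    return sorted(alerts)


if __name__ == "__main__":
    for signal, user, value in find_unusual_activity(SAMPLE_LOG):
        print(f"{signal:18} {user:8} {value}")
```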

Experts with Gurucul, Shared Assessments and YouAttest offer perspective:

Saryu Nayyar, CEO, Gurucul (she/her):

After UK police rejected a ransomware demand for police data (primarily evidentiary), the 13 million pieces of data began appearing for sale on the dark web. It’s not clear that evidence released is valuable, although it seems possible that it can be used to identify and blackmail motorists and other individuals.

Attacks are getting more and more sophisticated. In this case, the data, while it should have been treated as confidential, was easily phished and downloaded. The police and their vendor Dacoll have little incentive to pay this particular ransom, so the identity burden is going to fall on those cited by the evidence. It’s unfortunate that a mistake by Dacoll causes a potential loss for others, so the police should shore up their own systems and do right by those whose evidence has leaked.

Ron Bradley, VP, Shared Assessments:

“The recent revelation regarding UK Police records being compromised by Russian hackers is a classic example of the absolute imperative for not just trusting, but verifying that 3rd, 4th, and Nth parties are properly vetted and assessed. During the assessment process, it's an excellent opportunity to ensure the tenets of "least privilege and a need-to-know" are followed. Lastly, when vast amounts of confidential records are accessible, data owners must be fully aware and prepared for the eventual impact of a data breach, with all measures being taken to prevent the breach from occurring in the first place.”

Garret Grajek, CEO, YouAttest:

“Events like Russian hackers stealing police information coupled with the counter hacking going on by western governments and companies, (Microsoft took control of Chinese hacker sites 2 weeks ago) - are telltale signs that there is a full scale cyberwar going on. The gloves are off on both sides - the stakes are too high.

“The real question is: what do enterprises do with all the mayhem occurring? The key is to focus on solid security practices. The NIST guidelines on zero trust (SP 800-27) and cloud security (SP 800-210) are a good place to start. Identity is key to all of these directives and countermeasures. This begins with an enterprise knowing what identities are given authorization to which resources, and is imperative to cyber security.”

The above was shared by Jeff Steuart.

Eric Holdeman is a contributing writer for Emergency Management magazine and is the former director of the King County, Wash., Office of Emergency Management.