Jewelers' Ransomware Dilemma
July 14, 22
Last year's cyberattack on Graff came as a stark reminder to the jewelry world that nobody's safety is guaranteed. Many months later it has emerged that the exclusive London jeweler handed over the Bitcoin equivalent of $7.5m to prevent the hackers who had already released details of many high-profile clients from releasing additional data.
The hackers stole the firm's list of high-profile clients in October 2021; former US President Donald Trump is reportedly among those whose files were taken. Also on the list are Oprah Winfrey, Tom Hanks, Samuel L Jackson, Tony Bennett, Alec Baldwin, Ghislaine Maxwell, footballer David Beckham, Saudi Crown Prince Mohammed bin Salman and Tetra Pak billionaire Hans Rausing. The theft had the potential to cause huge damage, not least to anyone who had purchased an item of value for somebody other than their spouse or partner.
Any business that has a computer - that's to say any business of any description anywhere in the world - is vulnerable to ransomware attacks, in which hackers threaten to publish data they've stolen, or to permanently block the owner's access to it, unless a ransom is paid.
So what would you do if hackers sneaked in through a back door? Pay up or take the hit? A global survey of 5,600 IT professionals in 31 countries (for security software specialists Sophos) found that one in 10 organizations targeted by ransomware attacks last year had paid out over $1m to the criminals who had stolen their data. It's certainly tempting to do whatever it takes to get your business back, and let the insurance company cover the financial loss.
But getting cyber insurance cover is becoming more difficult and more expensive as attacks become more commonplace. And as Graff discovered, insurers can refuse to pay out. The company quickly and quietly bargained the ransom down from the $15m originally demanded to $7.5m and made a crypto payment. But word of the settlement became public when it was reported last week that insurers Travelers Companies Inc were refusing to pay up, and that Graff was suing them.
Bear in mind also the uncomfortable truth that, unlike lightning, hackers are quite likely to strike twice in the same place. A report last year on 1,200 ransomware victims, by the US-based cyber-tech company Cybereason, found that 80 per cent of those that paid a ransom were hit a second time, often by the same attackers.
But aside from insurance there's now another piece to consider in the ransomware jigsaw, namely Ukraine. Conti, the Russia-based cyber gang that targeted Graff, is one of the world's most prolific ransomware cartels, and in the days after the invasion of Ukraine it announced its full support of the Russian government. It later threatened full-scale retaliation if the US launched cyber-attacks on Russia.
The US Department of State announced in May that it was offering a reward of "up to $10,000,000 for information leading to the identification and/or location of any individual(s) who hold a key leadership position in the Conti ransomware variant transnational organized crime group".
The question now for victims of cyber-attacks is more than simply the cost/benefit analysis or the concern that paying up will serve to encourage more attacks. In the case of Conti attacks, it's become another sanctions issue. At a time when the US, the EU and others maintain boycotts and banking restrictions to prevent Alrosa from exporting its diamonds, can it be acceptable to line the pockets of unquestionable wrongdoers, namely the Russian cyber gangs?
Have a fabulous weekend.