When Ransomware Attacks, Pay Up or Hold Out?

Wednesday, 14 July 2021


Hacking for profit

Ransomware is big business

The criminal practice of holding corporate, and even personal, computer files hostage by encrypting them with tools that cannot realistically be broken, commonly known as ransomware, has rapidly increased in scope, public visibility and, indeed, success. These days so-called Ransomware as a Service (RaaS) is a well-organised, evolving and accessible criminal business.

Mainstream media are reporting more and more incidents of ransomware attacks, with the result that the general public has become increasingly aware of the practice.

Companies under attack often pay up, as they have few other options, particularly where they have no usable backups to restore from. Because the criminals who hold files to ransom want repeat business, they usually release the key to decrypt the locked files upon payment, although the decryption tools they supply are not always reliable. Payment is typically demanded and received in Bitcoin, the astute cyber thief’s cryptocurrency of choice.

According to an article by Danny Palmer for the influential tech website ZDNet, ransomware industry researchers estimate these kinds of attacks increased sevenfold in 2020 compared to the previous year. The reason, according to Palmer, is attackers are seemingly aiming for bigger paydays all the time. “A single attack can result in cyber criminals making hundreds of thousands or even millions of dollars,” he highlights.

The well-publicised recent ransomware attack on Colonial Pipeline, a pipeline system that supplies almost half of the fuel used on the east coast of the United States, has again shone a light on the goal of most of these kinds of actions: Profit. And where there’s profit to be made, even if illegal, business model structures soon follow.

Ransomware as a Service

Much like the legitimate business of providing software as a service (SaaS) online, the ransomware industry has developed a sophisticated online distribution model for the software used in attacks. This structure is now called Ransomware as a Service (RaaS) and is indicative of the business model that drives these attacks.

Just like in the legal business world, criminal entrepreneurs can now access a network of suppliers that make it easy for virtually anyone to become a computer file hostage taker. They even advertise on the dark web in the same way legitimate businesses market their brands on the open web.

In a recent New York Times exposé about the current trends in cyber-hacking with ransomware, it is stated that a “Russian-speaking outfit called DarkSide offered would-be computer crooks not just the tools, but also customer support”. (The FBI has identified DarkSide as the group behind the pipeline attack in May 2021.)

Yes, you read that right. Customer support offered to would-be criminal business operators to use ransomware, which is accessible online, for profit.

In the article, based on secret chats between a hacker entrepreneur and a RaaS operator obtained by the publication, it is noted that: “DarkSide’s attack on … Georgia-based Colonial Pipeline, did not just thrust the gang onto the international stage. It also cast a spotlight on a rapidly expanding criminal industry based primarily in Russia that has morphed from a specialty demanding highly sophisticated hacking skills into a conveyor-belt-like process.

“Now, even small-time criminal syndicates and hackers with mediocre computer capabilities can pose a potential national security threat.”

Now let’s think about this for a minute. These days, in the ransomware industry just like in any other business sector, there’s an advertised, branded supplier (DarkSide) that offers clients (cybercriminals and hackers as intermediaries) paid access to online tools (encryption software variants and associated paraphernalia), with instructions and support on how to use everything, all bundled in a neat package, for payment.

This level of sophistication unfortunately means that attributing a specific incident to one person or group becomes difficult, because a Byzantine, multi-level, decentralised network is at play. In other words, the suppliers of the tools make their money from licensing them to affiliates, who carry out the actual intrusions, while yet another outfit may handle negotiation and collection, with everyone in the chain taking a slice of what the victim organisation pays.

With anonymity woven throughout the fabric of the system, no-one in the network needs to know who anyone else is. The money trail is harder to follow too, although not impossible: Bitcoin is pseudonymous rather than anonymous. Every transaction is recorded on a public ledger, so the old All the President’s Men adage of “follow the money” still applies, provided investigators can link an address on that ledger to a real person or to an account at an exchange.

Indeed, in the first operation of its new Ransomware and Digital Extortion Task Force, the American Department of Justice recently seized about $2.3 million in cryptocurrency paid to the “ransomware extortionists DarkSide” in the Colonial Pipeline attack: 63.7 of the roughly 75 bitcoin Colonial had paid, worth fewer dollars by then because the price of Bitcoin had fallen. In this instance, investigators did follow the money across the public ledger, and got most of it back.
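To make the “follow the money” point concrete, here is an added illustration that is not part of the original article and uses no real Bitcoin data. It builds a small constructed ledger in the style of Bitcoin’s transaction model (each transaction spends earlier outputs and creates new ones) and walks forward from a ransom payment, spend by spend, until it reaches the addresses where the funds still sit. All transaction and address names are invented; the amounts loosely mirror the 75 paid / 63.7 seized figures above, but the split between addresses is assumed for the example.

```python
"""Tracing funds forward across a public, append-only ledger.

Constructed example (not real chain data). Because every spend is public,
anyone who knows the payment address can enumerate where the coins went,
even though no address carries a name: pseudonymous, not anonymous.
"""
from collections import deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Tx:
    txid: str
    inputs: tuple   # (txid, output_index) pairs being spent; () when funds enter from outside
    outputs: tuple  # (address, amount_btc) pairs


# Constructed toy ledger: the victim pays 75 BTC to the ransom address; the
# operator keeps a cut and the affiliate's share hops twice before it is
# seized; the operator's cut is deposited at an exchange. Names are invented.
LEDGER = (
    Tx("tx_ransom", (), (("ransom_addr", 75.0),)),
    Tx("tx_split", (("tx_ransom", 0),), (("affiliate_addr", 63.7), ("operator_addr", 11.3))),
    Tx("tx_hop1", (("tx_split", 0),), (("intermediate_addr", 63.7),)),
    Tx("tx_hop2", (("tx_hop1", 0),), (("seized_wallet", 63.7),)),
    Tx("tx_op_cash", (("tx_split", 1),), (("exchange_deposit", 11.3),)),
)


def build_index(ledger):
    """Return (txid -> Tx, spent_output -> spending txid) lookups."""
    by_id = {tx.txid: tx for tx in ledger}
    spent_by = {}
    for tx in ledger:
        for ref in tx.inputs:
            spent_by[ref] = tx.txid
    return by_id, spent_by


def trace_forward(ledger, start_address):
    """Breadth-first walk from every output paid to start_address.

    Returns (hops, terminals): hops lists (depth, txid, address, amount) for
    each output visited; terminals maps each address holding an unspent
    output reachable from the start to the amount sitting there.
    """
    by_id, spent_by = build_index(ledger)
    queue = deque()
    for tx in ledger:
        for idx, (addr, amt) in enumerate(tx.outputs):
            if addr == start_address:
                queue.append((0, tx.txid, idx, addr, amt))

    hops, terminals, seen = [], {}, set()
    while queue:
        depth, txid, idx, addr, amt = queue.popleft()
        if (txid, idx) in seen:
            continue
        seen.add((txid, idx))
        hops.append((depth, txid, addr, amt))
        spender = spent_by.get((txid, idx))
        if spender is None:
            # Unspent output: this is where the money currently rests.
            terminals[addr] = terminals.get(addr, 0.0) + amt
            continue
        for nidx, (naddr, namt) in enumerate(by_id[spender].outputs):
            queue.append((depth + 1, spender, nidx, naddr, namt))
    return hops, terminals


if __name__ == "__main__":
    hops, terminals = trace_forward(LEDGER, "ransom_addr")
    for depth, txid, addr, amt in hops:
        print(f"{'  ' * depth}{txid}: {amt} BTC -> {addr}")
    print("funds now held at:", terminals)
```

The walk only tells you which addresses hold the coins; turning an address into a person still needs a link to the off-chain world, typically an exchange’s customer records or a seized wallet key, which is the step that makes recovery possible in some cases and not others.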


As ransomware attacks are now prevalent and could possibly become more frequent, this topic certainly needs to be debated. Join the UJ Cloudebate™ at 18:00 on 14 July 2021, when a panel of experts will unpack what it all means.



Prof. Ylva Rodny-Gumede (Facilitator)

Ylva Rodny-Gumede (Facilitator) is the Senior Director: Division of Internationalisation and also Professor in the School of Communication at the University of Johannesburg.

She is a Senior Associate Researcher with the Stanhope Centre for International Communications Policy Research at the London School of Economics. She holds a PhD from the School of Oriental and African Studies (SOAS), London University as well as an MA degree in Politics from the University of Witwatersrand in South Africa and an MA in Journalism from Cardiff University in the U.K. Ylva is a former journalist and has also worked in marketing and PR. In addition, she has consulted for several government, private and academic institutions in Europe and Southern Africa on issues concerning media and democracy, including the United Nations Development Programme (UNDP), the Swedish National Agency for Higher Education, and the SADC Parliamentary Forum. Ylva holds a C 3 rating from the South African National Research Foundation (NRF) and is the current President of the South African Communications and Media Association (SACOMM).

Prof Joey Jansen van Vuuren (PhD)

Prof Joey Jansen van Vuuren (PhD) heads the Computer Science Department at Tshwane University of Technology. Her research focuses on cybersecurity, education, government and policy. She was the coordinator of the South African Cybersecurity Centre of Innovation at the Council for Scientific and Industrial Research (CSIR), which initiated several cybersecurity government initiatives in South Africa. The centre focused on the promotion of research collaboration, cybersecurity education and the exchange of cyber threat information. Previously, as the Research Group Leader for Cyber Defence at CSIR, she set the strategic research direction for the research conducted on cyber defence for the South African National Defence Force and government sectors.

Dr Jaco du Toit

Dr Jaco du Toit is a senior lecturer at the Academy of Computer Science and Software Engineering at the University of Johannesburg and deputy director of the Centre for Cyber Security. Jaco worked for nearly 20 years in the computer industry before becoming a full-time lecturer. His areas of research include cyber security, with a focus on privacy and mobile operating environments. He has a specific interest in research on increasing the protection of private information using decentralised data and access control models.