The big end of town
“The Royal United Services Institute, a think-tank, analysed 1,200 ransomware attacks which mostly took place last year. Two of its findings make the extortionist’s incentives clear. The fact that 60% of victims were based in America or had their headquarters there can be explained by Sutton’s law: that’s where the money is. The fact that there were no victims in Russia or most other post-Soviet countries can be explained by other rules—rules about activities which are inappropriate on your own doorstep, or where you eat.” (The Economist, 2021) Like any challenge or decision-making process, for a hacker there would be a trade-off between ease of access vs the payoff that is generated. When Ireland’s health-care system was infiltrated and infected with ransomware, the demand was for EUR16.5 million. The Health Service Executive elected not to pay.
Hackers had more luck with the Colonial Pipeline in the US which generated a ransom return of USD4 million. If you are able to operate from a nation where your chances of prosecution are effectively zero, then the risk-reward is clearly very attractive. This really supports the idea that since being invulnerable to attack isn’t an option, players need to be on the right side of the security line such that the payoff for an attack doesn’t warrant the effort it takes.
Unfortunately, as students of economics, we know that dollars and cents aren’t everything, since utility means that much of the value of a possession may be in the eyes of the beholder. This is why state-sponsored attacks may be after information that may not have an immediate value commensurate with multi-million-dollar ransoms but provides insights into effectiveness of defences and the like. The same article previously referenced (The Economist, 2021) highlighted that the volumes of information that can be gathered and whisked away in an instant makes historical forms of espionage appear painfully inefficient. This again highlights the issue of asymmetry since the victim only has to have their defences breached once to lose swags of data. The really disturbing aspect of ransomware is that it has its roots in much smaller targets with individuals having personal data and photos held for relatively small amounts (though clearly traumatic for the individual). The fact that the operation is so readily scalable and can be done simultaneously to so many potential victims meant that looking for bigger targets was inevitable.
This was demonstrated locally with the data breaches from Optus and Medibank which saw personal data exposed for around 10 million and 9.7 million people respectively. Both companies are facing class action lawsuits as a result with final settlements yet to be seen. Interestingly, under the current legislation companies who have come up short on privacy protection are in a much better position than some of their foreign counterparts with the fine in Europe or California for something comparable to the Optus data breach expected to be in the hundreds of millions of dollars (Burton, 2022)
“Banks, in particular, have found themselves more exposed to hackers in recent years — despite being part of most countries’ critical infrastructure — because of their digital transformation and moves to cloud computing, which bring a reliance on a web of third-, fourth- or even fifth-party suppliers. Not only must they protect their own assets and data from both criminal groups and nation-state hackers, they must also protect their clients from falling foul of scams or identity theft, for example. Given the amount of sensitive personal information they hold on customers, as well as their funds, they remain a prime target — ever bombarded by attacks.” (Murphy, 2023)