Nobody chooses to be victimized by ransomware attacks or face extortion. So, when it happens, it’s only natural to get angry and seek revenge on the guilty party. Yet, no matter how satisfying it might seem to strike back at attackers, or “hack back”, the rapid escalation of risk overshadows all emotional rewards.
In August, one victim company struck back, and illustrated exactly why this practice – even when performed by experts – is never the right solution.
In many ways, cybersecurity is much like healthcare: an ounce of prevention is worth a pound of cure. Investing in preventative measures leaves you further ahead than those who spend resources on incident response, investigation, and recovery.
Let’s explore five key reasons hacking back is bound to backfire.
Entrust Hacks Back
The online trust and identity management security company, Entrust, provides services to some of the largest corporations and government agencies, including the US Departments of the Treasury and Homeland Security.
However, in June, the security firm suffered a cyberattack, with the LockBit ransomware gang stealing over 300 GB of data.
As with most similar attacks, when Entrust refused to pay the ransom, the LockBit gang proceeded to leak the data.
Here’s where the story takes a dramatic turn.
Shortly after publishing the leaked data, LockBit’s website was hit by a massive Distributed Denial of Service (DDoS) attack. Naturally, the LockBit gang blamed Entrust for the attack, especially since the attack included a string of text: “DELETE_ENTRUSTCOM_MOTHER[expletive deleted].”
Unfortunately, criminal cyber gangs aren’t exactly known for backing down.
LockBit soon built a more DDoS-resilient IT architecture, released the Entrust data on multiple data-sharing sites, and thanked Entrust for showing them the power of DDoS. Having been on the receiving end of one, LockBit has now decided to add DDoS attacks to its arsenal of extortion threats.
As you can see, a hack back doesn’t always go as hoped.
Hack Back Issues
Let’s be honest: most organizations don’t have the technical skill to hack back, even if they wanted to. Even an expert like Entrust couldn’t block the release of its data; the DDoS attack only delayed the leak by a few days.
Did that delay really offset the potential risks of hacking back? Was it really worth the effort?
Here are five key risks of a hack back that emphatically say ‘No.’
1. Attack Escalation
Many ransomware attacks involve moderately skilled attackers following scripts and using pre-programmed malware. Rarely do they operate solo. Rather, a group or ‘gang’ works together, with members helping each other in attacks.
If a victim hacks back, the original attacker will surely turn to the most skilled hackers in the group and escalate the attack.
Most victims couldn’t defend against the weak attackers in the first place. After all, had they been secure, they wouldn’t be victimized. To engage an army of expert attackers with vulnerable infrastructure is a fool’s errand.
2. Nation State Provocation
The LockBit ransomware group is indirectly linked to pro-Russian causes. That said, it’s unlikely that Entrust’s DDoS attack will provoke any official Russian government response.
However, given how difficult it is to draw lines between criminal and nation-state sponsored attacks, how can you possibly ensure your hack back doesn’t accidentally affect a nation-state entity or its infrastructure?
To put it simply, you can’t.
There is no risk worth accidentally declaring a cyber war against a foreign government.
3. Criminal Prosecution
According to American University, US law currently forbids hack back attacks. In fact, hacking back exposes an organization to criminal prosecution.
Now, the LockBit ransomware gang has been responsible for as much as 40% of the reported ransomware attacks in a single month. So, fortunately for Entrust, the gang members aren’t likely to come forward and demand prosecution any time soon.
Still, political pressures could force criminal prosecution to set legal precedent, which makes hacking back an unreasonable legal risk.
4. Voided Insurance
Cyber insurers continue to add restrictive covenants and deny claims. Hacking back will almost certainly void coverage – or at least coverage for any damages incurred after the hack back attempt.
Now, think about this: could you really prove which damages occurred before a hack back attempt?
You’d certainly have a hard time, if you could prove it at all.
Most organizations could never produce the forensic snapshot that would be necessary, and insurance companies place the burden of proof on the victim. It’s just another reason it’s not worth the risk.
5. Collateral Damage Liability
Entrust hacked back at a specific website. However, what if they struck back and affected more than the attacker?
For example, many DDoS attacks are launched from botnets of compromised devices whose owners are unknowing and innocent.
If a hack back disables a botnet made up of critical medical devices, the hack back attacker might become liable for any deaths or injuries that result from taking those devices offline.
The thing is, you don’t always know who’s going to become caught in the crossfire.
Prevention: More Effective than a Hack Back
The worst damages of a ransomware attack can be prevented through modest investments in security, IT network design, and monitoring.
Ransomware victims pay many times that modest investment just to recover from attacks. And, that’s if they’re able to recover at all.
If your organization wants to prevent, stop, or recover from a ransomware attack, contact Blue Bastion at 412-349-6680, or fill out the form below. Along with the help of our partner division, Ideal Integrations, our experts can act immediately to stop an attack, remediate your compromised systems, or simply provide a no-obligation discussion of possible preventative measures.
No matter what challenges your business faces, we’re here to help.
And, as always, stay vigilant.