Hacking: should you pay ransoms in cryptocurrencies?

The subject is all the more sensitive because Cyril is not an isolated case. In 2021, there were almost 2,000 requests for assistance from French companies for cases of ransomware, according to Cybermalveillance.gouv.fr, an assistance and prevention site for online risks. Around a hundred of these requests concerned cryptocurrency-based ransomware.

French police sources suggest that the number of attacks is actually much higher. "A lot of companies don't dare report themselves", confirms a source close to insurer Axa. And the phenomenon is said to be the same throughout Europe, with a global cost estimated at several billion euros, according to figures from cybersecurity firm ARS Solutions.

Paying the ransoms?

In an attempt to "help" these companies overwhelmed by events, the French government recently proposed introducing a new scheme that would authorise insurers to pay these new-style ransoms. The scheme set out in the Ministry of the Interior's Orientation and Programming Bill (LOPMI), presented to the Council of Ministers on 7 September, would affect all types of ransomware, even those based on cryptocurrencies.

As proposed by the French Treasury, which is attached to Bercy, the only condition for compensation would be that the company has lodged a complaint; and obviously that it is insured against cyber risk!"

This bill, which still has to be passed by the French Parliament (which could take several months), has caused a strong reaction in the insurance sector. "We're shooting ourselves in the foot and what's more, we're paying for the bullet", ironised one insurer.

How can we be sure that once paid the hackers will stop the attack?

When questioned, the vast majority of specialists, who do not wish to be quoted directly, explain that there is no certainty. "Most of the time when a company pays a ransom, the hackers don't bring the system back up to date. And if they do, they leave a bug", explains a good connoisseur of these subjects.

A study carried out in 2021 by Cybereason of just over 1,200 security professionals in several countries, including France, showed that 60% of French organisations that chose to pay the ransom were targeted in the following weeks.

The subject is all the more thorny because if this provision were set in stone in law, it could encourage hackers the world over to target French companies. No country has legislation providing for payment for ransomware. It's only on a case-by-case basis.

Traceability of cryptos

Some explain, however, that cryptocurrencies could also play a decisive role in getting hold of hackers. "If paying the ransom in crypto doesn't put an end to the hack, it could help track down those responsible," explains one French insurer.

The advantage of cryptocurrencies is in fact that they are... traceable. Put simply, it's like paying a ransom by marking banknotes. We could then analyse the flows and so trace the chain 🔍.

In the US, several hacker groups have been caught at their own game with cryptos. At the end of 2021, the attackers of the decentralised finance protocol Poly Network ($600 million stolen) were forced to return the funds after a traceability investigation into the blockchain highlighted their responsibility in the operation.

The most emblematic example is the Lazarus group, which has been carrying out hacks galore for years. In 2021 alone, it is said to have stolen more than a billion dollars, according to the American company Chainalysis, one of the reasons it was identified. The only problem: the group is North Korean, which rules out any police or legal proceedings to recover the money...

‍