Don’t pay ransom in cyberattacks, FBI director tells companies at CNU: It’s like ‘gasoline that’s pouring on the fire’

Business owners should not pay ransom to attackers threatening to lock up their systems in cyber intrusions, FBI Director Christopher Wray told a crowd in Newport News on Thursday.

Even if the ransom is paid, he said, the demands won’t stop.

“We strongly, strongly discourage paying the ransom,” Wray said before a packed audience at a homeland security symposium at Christopher Newport University.

“We need victims not to pay the ransom because that’s the gasoline that’s pouring on the fire,” Wray continued. “The more people pay, the price goes up and the more victims there are. So we have a shared common interest in not having the ransoms get paid.”

Wray has been at the helm of the FBI the past five years, leading the 35,000-employee bureau that investigates white-collar fraud, violent crime, child predators and national security breaches. On Wednesday, he was in Chesapeake to meet with leadership and hand out an award at the bureau’s Norfolk Field Office.

But his keynote address and a Q&A at CNU’s Gaines Theater focused largely on ransomware and other cyberattacks.

His discussion kicked off a symposium — “Protecting America’s Critical Infrastructure” — sponsored by the school’s Center for American Studies.

Ransomware is a growing kind of malware in which the attacker takes control of a user’s computer systems, or the device itself, and demands money in return for the encryption “key” to unlock access.

Companies sometimes pay to get their systems back up and running, which Wray said he understood.

“I recognize that these are difficult decisions for companies,” he said. “And as somebody who spent part of my career in the private sector representing companies, I fully get how complicated and thorny these things can be.”

But paying such ransoms “doesn’t guarantee you will be protected the way you’re hoping.”

“Start with the basics,” Wray said. “It’s not like with these guys their word is their bond, right?”

Moreover, he said, “we’re seeing double and triple extortion.”

“They’re not just locking up the systems,” Wray said. “They are stealing the information and then threatening to sell the information or release it to the public.”

And if a company pays, he said, “they’re going to keep coming at you.”

The best thing a company can do when hit with a ransomware attack, he said, is “to contact the FBI immediately.”

Wray talked of the agency’s big recent takedown of the “Hive” ransomware group. Hive’s 1,500 targets — including hospitals, school districts and financial firms — were based in 80 countries. More than $130 million in ransoms were demanded.

“The FBI gained clandestine, persistent access to Hive’s control panel — essentially us hacking the hackers,” he said.

The agency “repeatedly exploited that access to get Hive’s encryption keys and identify victims,” Wray said. The FBI gave the code to more than 1,300 companies, preventing $130 million in ransoms from being paid.

The targets, Wray said, included a specialty medical clinic where the doctor saw patients and ran security. But the list also included “huge companies” and a major foreign hospital.

The FBI gave the hospital the encryption key, he said, getting their systems running “before the ransom negotiations had even begun — possibly saving lives.”

But only 20% of Hive’s victims reported the attack to law enforcement, Wray said, meaning 80% would have gotten no assistance “if we hadn’t been able to get into Hive’s infrastructure to be able to see what was happening.”

“So while that was a huge success, that disruption was somewhat unusual,” he said.

Wray also noted an increasing “blurring of the lines” between cybercriminals and foreign adversaries. Sometimes, Wray said, the end goal isn’t money, but the ability “to fry your system” later.

It’s sort of like the weaknesses in protecting your home from a burglar.

“Everybody’s running around getting better locks, better alarm systems, the doorbell camera video, the whole nine yards, right?” he said.

But what if “the bad guy somehow managed to get a copy of the key to your house?” Maybe he “paid off the cleaning lady” and got a copy made.

“Now he’s able to go in and out, and all that stuff on the outside won’t amount to a hill of beans,” Wray said. He could be stealing things, rifling through papers or “pre-positioning” himself to wreak havoc later.

“Maybe he’s thinking that one day, he’s going to do a home invasion,” Wray said. “So that access enables a lot of different dangerous things.”

Peter Dujardin, 757-247-4749, pdujardin@dailypress.com