This week, Disney CEO Bob Iger reportedly revealed to employees that a hacker claimed to have stolen the new Pirates of the Caribbean movie, and threatened to release it if the Mouse House doesn’t pay a hefty ransom. But Disney, which has enlisted the FBI’s help, says it won’t pay to keep its billion-dollar franchise under wraps. It’s just the latest in a string of high-profile extortion hacks that didn’t pan out.
A few weeks ago, Netflix faced a similar threat. Hackers stole and threatened to release the new season of Orange Is the New Black. Netflix didn’t pay, the episodes landed on popular torrent site The Pirate Bay, and that was that. Even the NSA has dealt with an extortion attempt recently, thanks to a hacking group called the Shadow Brokers that claims it will keep releasing valuable clandestine spy tools until someone pays up.
Extortion plots can and do pay. But recent examples suggest that once a hack reaches a certain level of notoriety, the shakedown falls apart.
Public and Private
It makes sense that the NSA can’t be seen negotiating with hackers, and Disney and Netflix probably don’t want that image either. Giving in to extortion demands once only invites further attempts. Even in highly publicized cases where payment does happen, it can come at a highly reduced rate. Hollywood Presbyterian Medical Center, for instance, was able to get its decryption bill down from the original $3.6 million demand to a mere $17,000 after a ransomware attack in 2016—in part because regional medical facilities don’t have that kind of cash to begin with.
“To pay or not to pay is tough; there’s clearly strong interest in seeing people not paying. The less profitable the attack, the less attractive it is, long term,” says Richard Ford, the chief scientist at security company Forcepoint.
That doesn’t mean big payments never occur. On the surface it may seem like enough organizations decline to pay that it would make sense for criminals to give up on this type of attack. But attackers may get paid more often than it seems. “One of the challenges we have with it is people don’t talk about paying their extortions,” says Rick Holland, vice president of strategy at the threat intelligence firm Digital Shadows.
And while the continued proliferation of large-scale breaches seems to indicate that they’re worth it for criminals at least sometimes, it’s also important to remember many of the attacks require a fairly low investment to pull off in the first place. Attackers can find incredibly easy avenues into corporate networks without putting a lot of resources into their attacks, potentially making them worth a try even if they don’t have a high chance of success. “There is a ton of low-hanging fruit out there,” Holland notes. “If you look at healthcare in particular, that’s a target-rich environment.”
This is also reflected in the hacks that seem to pay off more reliably: shakedowns that target the little guy instead of standalone mega-corporations.
Wide Spread Panic
Locking down thousands of individual computers and demanding a small sum, like $100, can generate a lot of revenue for criminals. Enough people want to just pay the ransom and move on, rather than fully deal with the situation on their own, that the business model works. Even back in 2015, the Cisco Talos research group found that attackers made $60 million per year off of a type of ransomware kit called Angler.
“Crime as an industry is digitizing—it’s getting more efficient and it’s getting to be lower cost and so it gives [criminals] the flexibility to conduct crime using all different business models,” says Patrick Dennis, the CEO of the crisis response firm Guidance Software. “Attackers are thinking through the process of who is my target, how do I monetize that target, and what technology do I use to do it?”
In truth, hacks of all sizes can work—just not all the time. For example, the hacking group known as Dark Overlord, which stole Orange Is the New Black, has conducted at least 20 recorded attacks since last June, according to Digital Shadows’ Holland, and may have also perpetrated others that haven’t been disclosed. This means that the group could be raking in a lot more than it appears. But it’s telling that the one that received the most media attention—and the public threat of release—ended up netting them nothing at all.
For now, Disney is probably just relieved that the hackers got Pirates and not something even more valuable. “Things would get really interesting if it was the new Star Wars movie,” Holland says.