Time to hack back? Calls mount for counter strikes on cyber criminals

Tobias Frömel was furious. The German web developer had just been forced to hand over nearly £600 to a group of hackers that had broken into his server and locked files that he desperately needed.

He decided to retaliate by hacking back into their criminal database, which contained virtual keys to unlock the files of almost 3,000 other victims.

“Good news for you all, bad news for me because I paid already,” Frömel wrote as he released the keys online.

Any hack of a computer, whether it’s carried out by criminals or victims looking to help others, is against the law. Frömel found himself under investigation by German police for his 2019 cyber attack, although he escaped charges. 

Incidents like this may become increasingly common as ransomware becomes a more serious problem. Almost half of British businesses suffered ransomware in the past year, Sophos has found, with 13pc of victims paying the ransom.

Currency exchange business Travelex was one of the UK’s most high profile ransomware victims. It reportedly paid a $2.3m (£1.6m) ransom last year after its systems were shut down for weeks.

Experts say that victims, whether individuals like Frömel or multinational corporations, are keen on the idea of “hacking back” to retrieve files and stop criminal ransomware gangs from returning.

“It is potentially reputationally very bad for clients. They ask me about this all the time,” says Joshua Burch, a former GCHQ employee who now works at FTI Consulting.

“Typically at board level they will ask the cathartic question: is there anything that we can do to hit back at these people? That’s the point at which we have to advise ‘no, it’s illegal.’”

Ciaran Martin, the former head of the UK’s National Cyber Security Centre, rejects the possibility of businesses carrying out their own hacks but believes the issue has become so serious that the Government should step in to shut down criminal groups.

Finding a digital ransom note on a computer is a nightmare scenario for most businesses. It triggers an agonising debate on whether to call the police, how much to disclose to the public and whether to pay the ransom or not.

Last week, Polish video game developer CD Projekt announced that it had been hacked. As criminals began selling off stolen files, the company publicly committed to not negotiating with the hackers or paying any ransom.

Even the companies that do pay ransoms can face further problems. The number of businesses agreeing to pay repeated ransom demands rose 1,500pc in 2020, security firm Proofpoint found.

Businesses taking things into their own hands could lead to further loss as well as police investigations.

“We would need a change in the law to allow ‘hack-back’ techniques in the UK,” says Ashley Hurst, the co-head of cyber and data litigation at law firm Osborne Clarke. “As things stand, the Computer Misuse Act 1990 and various other laws would make such activity unlawful.”

Boardroom conversations in businesses targeted by ransomware may be increasingly turning to a debate over retaliating, but experts are united in believing that it would be a disastrous idea.

“There’s a lot of emotion and feelings about hacking back out there,” says Matt Lock, a director at cybersecurity business Varonis. “Nothing good will come of it. You put a marker on your back. As righteous as it may sound, inevitably you’re going to end up on a list and that list will inevitably cause you more pain down the road.”

While the idea of a Wild West business landscape where businesses tool up with elite hacking software is a no-go, many in the industry welcome increased intervention from the Government.

Perhaps the army and spy agencies including GCHQ could use their skills to shut down particularly serious ransomware gangs using cyberattacks that wipe out their digital tools.

Some experts believe the rise in sophistication of ransomware means it is now time for the Government to step in.

Hackers have become so used to locking files in return for ransoms that they often don’t even bother to let the victim know they’ve been targeted, instead delving through files to find the target’s insurers and negotiating directly with them.

Ciaran Martin, the former head of the National Cyber Security Centre who now teaches at Oxford University’s Blavatnik School, has opposed the proliferation of government cyberattacks, but believes their use is justified in combating ransomware.

“Here is somewhere where I think it does have a potential role,” he says. He welcomes increased government intervention to shut down serious ransomware groups as part of a package of other support for businesses. “They do leave doors open and they do leave a trail so sometimes you can get at them,” he says.

Lock welcomes the idea of government involvement. “They would have spent so much time on reconnaissance that they're in a far better state to understand exactly who the perpetrators are,” he says. “I fully agree that we should be seen to be strong in doing it because we can't sit here as victims with them pummelling us.”

Handing over the responsibility for solving the ransomware problem to the Government isn’t as simple as it sounds, however. It can be extremely difficult to figure out who the criminal gangs are and how to shut down their operations without causing collateral damage.

“We could go down a path that's catastrophic,” says Joseph Carson, the chief security scientist at Thycotic in a video call from his office in Estonia. He sees the role of governments as working to find a political solution to ransomware, not just hacking the criminals.

“You could end up with a geopolitical issue where civilians ultimately pay the price just because they're using the same internet provider that the attackers are using,” Carson says before pointing out that 25pc of the internet connections used by Russia in its debilitating 2007 cyberattack on Estonia were from the US.

Criminal gangs often piggyback on legitimate computer networks used by schools and hospitals, meaning any government attempt to hack back could put innocent civilians in the sights of hacking tools.

Microsoft apologised in 2014 after it accidentally disrupted services for the 18m customers of one internet infrastructure company as it attempted to take down malicious software that had been using part of its network.

Renewed attention on the issue of ransomware from the Government could be what is needed to stop criminals plundering millions of pounds from British businesses.

But experts say any new government hacking campaign should only come at the same time as businesses investing in proper security and backups to lessen the impact of any intrusions.

Even Frömel, the web developer who attracted police attention for his vigilante hack, thinks retaliation should be on the table. He may have succeeded in getting his files back, but the Bitcoin ransom he paid has since skyrocketed in value. His original €670 payment is now worth more than €3,500.

As the experts say, the best way to tackle cyber criminals may be to beat them at their own game.