To pay or not to pay? For HBO and other companies targeted by cyber criminals, that is increasingly becoming the question.
The network behind Game of Thrones is the latest victim of a massive digital breach, with hackers claiming to have stolen 1.5 terabytes of data that includes unreleased show episodes, scripts, and internal company documents.
Now, the perpetrators behind the cyber heist are demanding a solid chunk of Bitcoin as ransom, threatening to dump the pilfered info online unless HBO pays up.
So should HBO pay the ransom? And what happens if it does?
Unfortunately, the answer isn’t exactly clear. HBO isn’t the first company to be hit with some digital form of extortion. In April of this year, a group managed to get its hands on unreleased episodes of Netflix’s Orange is the New Black, and asked for a payment of “tens of thousands of dollars in electronic currency” in exchange for not releasing the files.
Netflix decided not to pay, and the episodes were later leaked to a torrent site. As you’ve surely noticed, Netflix seems to be doing just fine after the ordeal. Does that mean HBO should take a page out of Netflix’s book? Maybe, but maybe not.
“Publicly paying a ransom has the unfortunate byproduct of encouraging the bad behavior,” Dimitri Sirota, the CEO and co-founder of data privacy company BigID explained over email. “If crime pays, it invariably leads to more crime.”
“It’s possible to make the counter argument,” he added, “that if you pay now, the target and similar companies win a reprieve to plug security holes and fight another day while minimizing immediate collateral damage.”
Notably, the latest HBO hack appears to differ from last April’s — with hackers claiming to have more than just the upcoming season of shows like Vice Principals. The hackers, in broken English, claimed they obtained “highly confidential documents” including IT-related data, show scripts, financial documents and more.
If we are to take the hackers at their word, which of course is a risky proposition, it would seem that they can release more than show spoilers should HBO decide not to pay up. Speaking of which, how much are the hackers demanding, anyway?
The public ransom note itself isn’t exactly clear, using “XXXX” to represent what presumably is a hard figure presented to HBO. We reached out directly to the group via email, but so far its members have declined to clarify the amount. We can, however, gather an approximate ransom from the 1,712-word ramble. The crew says they make around “12-15 million dollars” annually, and want HBO to fork over the equivalent of six months’ worth of “salary.”
As to how HBO should pay? The ransom note left nothing in doubt: Bitcoin. The pseudonymous cryptocurrency has long been a favorite of ransomware authors, and it appears that this proclivity has extended to digital extortionists as well.
And while we only have examples from companies or hackers that have gone public, if HBO does go ahead and score $6.5 million worth of Bitcoin to buy off its extortionists, it will be breaking with past hacking victims, which have mostly elected not to cooperate.
Why all the decisions not to play ball? Well, it’s hard to say for sure (we reached out to HBO to see if it’s considering paying, but a spokesperson refused to comment), but at least from the outside the calculus is pretty clear: Essentially, the damage has already been done.
There’s no way to know that the hackers won’t dump the information, regardless of whether a payment is made. It perhaps makes more sense to work from the assumption that everything stolen will be released at some point or another, and to spend whatever cash you would have forked over to the attackers on readying your company for the storm.
Of course, it’s entirely possible that other entertainment companies have paid out ransoms in order to prevent the release of stolen files. Those companies, however, likely kept that information close to the chest. In fact, according to The Hollywood Reporter, at least one “Hollywood company” has paid such a ransom, although the publication did not name it.
Should HBO follow suit? Alex Heid, a white hat hacker and Chief Research Officer at SecurityScorecard, thinks no.
“It is never a good idea to pay a ransom during a cyber-extortion attempt,” he told Mashable via email, “especially when the extortion attempt revolves around a threat of potential malicious action in the near future.” Heid added that “there is a good chance that the data has already been shared among numerous individuals involved or associated with the attack, and there is no guarantee that the data won’t end up online for the general public or hacking underground communities even after the ransom has been paid.”
But what if HBO decides to hope for the best and pay anyway? The crew behind the hack might very well get away with it. As we saw with the WannaCry ransomware, Bitcoin ransom can be quickly moved and there are numerous ways to launder it.
Oh, also, things might not turn out so great for the New York-based company. If HBO makes it clear that it’s willing to give in to the demands, according to Heid it wouldn’t be a shock if other hackers came knocking.
“The payment of ransoms emboldens attackers to continue with these types of campaigns,” he noted, “and there is no guarantee that the agreement will be honored.”
So, to pay or not to pay? For HBO and other companies suffering from cybersecurity breaches, it’s a garbage question with no good answer. Unfortunately for all involved, it’s also a question that going forward will need to be answered — likely time and time again.