"Better to Lose Millions Than Jeopardize a Billion-Won Investment"... 'Nine Out of Ten' Companies Pay Off Hackers [Concealment ①]

A domestic semiconductor parts SME was hit by a ransomware attack in March this year and nearly lost an investment worth tens of billions of won. The ransom demanded by the hacker was 4 bitcoins, which, at market value, was about 500 million won. It was a large sum, but with a new investor scheduled to visit in two weeks, the company immediately chose to pay the hacker. The company’s CEO said, “We had to present the company’s status and show our data to the investor. If the encryption hadn’t been lifted, the investment we had worked on for years would have been ruined.” He added, “Reporting the incident was never even considered. If we reported it, the investor would 100% find out?who would invest in a company that’s been hacked?” He breathed a sigh of relief.

Companies that have suffered hacking damage remain in the shadows. Hacking that locks and steals all information and then extorts the victim is a serious crime, but the overwhelming majority of companies conceal the incident. According to the “2024 Information Security Status Survey” released by the Ministry of Science and ICT in December last year, 1.4% of SMEs with 50-249 employees responded that they had experienced hacking damage. Among these, 95.9% said they did not report the incident. Even among mid-sized and large companies (with 250 or more employees), including conglomerates, 1.3% reported having experienced damage, but 93.5% said they did not report it?a strikingly high proportion.

Even though the seriousness of underreporting is well known, the Ministry of Science and ICT, the responsible authority, has no effective measures other than a “30 million won fine if caught.” The security industry believes that, if anything, this fine has led to even more unreported cases than the survey suggests. An industry insider said, “There are probably many companies that couldn’t honestly admit their experience with hacking damage.”

The main reason companies are reluctant to report being hacked is the “scarlet letter” effect. The moment the hacking incident becomes known, the company suffers enormous damage. Employees of hacked companies, negotiators who deal with hackers in the shadows, and security experts interviewed by Asia Economy all agreed: “The disadvantages of reporting far outweigh any potential benefits.”

Companies also fear losing customers. This is especially true for service industries that handle sensitive matters, such as law firms or patent offices. Last year, a patent office that handled patent registrations for domestic companies suffered a ransomware attack. The hacker locked all documents and stole all the technical data being prepared for patent applications. An employee of the company said, “If we reported it and the company’s name appeared in the media, all our clients would find out. For us, that would be even worse than the hacking itself. To avoid shutting down, we had no choice but to pay the hacker what they demanded.”

For listed companies, their stock prices fall immediately. After the USIM hacking incident last month, SK Telecom’s stock price dropped by more than 10%. The stock price of Seoyon E-Hwa, an auto parts supplier that suffered a hacking incident at a subsidiary a year ago, also fell by about 10% on the day the incident became public.

It is an established view in the security industry that reporting to the government is of little help. A cyber threat analysis expert said, “When you report, the Korea Internet & Security Agency (KISA) and the police just keep repeating that you should never send money to the hacker, and keep asking for more reports. From the company’s perspective, all operations are paralyzed and they are on the verge of collapse, but the government can neither decrypt the files nor negotiate with the hacker. In reality, it’s better to pay and restore operations as quickly as possible.”

In fact, the government’s ransomware infection guidelines state, “The government supports only partial, not full, recovery,” and “We recommend not paying the hacker.” The response procedures are limited to “cause analysis, recurrence prevention, and security training.”

The Incheon industrial area is shrouded in fine dust as seen from the Ara Tower observatory in Seo-gu, Incheon. (The photo is unrelated to the article content) Photo by Kang Jinhyung

As a result, reporting is mainly done by companies where a hacking incident is likely to become public knowledge, such as telecom companies or hospitals with tens of millions of customers. In February, Seoul Boramae Hospital suffered a ransomware attack that crippled its computer systems, making it impossible to access patient records or appointment information. As hundreds of patients were turned away due to the complete suspension of services, the news of the hacking spread rapidly via X (formerly Twitter) and Facebook. SK Telecom was in a similar situation. With 25 million USIM records stolen, there was no way to know when or how the data might be misused and cause a chain of damages, so reporting was unavoidable.

However, for manufacturing companies focused on factories or service businesses with only a few corporate clients, it is possible to conceal the incident if they choose. As long as employees are told to keep quiet, it is difficult for outsiders to learn about the hacking. That is why most companies don’t even consider reporting and instead seek out teams that can secretly negotiate with hackers on their behalf.

According to US cyber insurance company Corvus Insurance, the number of ransomware victim companies posted on the dark web increased every year: 2,551 in 2021, 3,163 in 2022, and 4,475 in 2023. Last year, as many as 5,314 companies were affected. However, the number of domestic reports actually decreased. According to ransomware report statistics from the Korea Internet & Security Agency (KISA), there were 325 cases in 2022, 258 in 2023, and only 195 last year. Does this really mean ransomware damage is decreasing in Korea? A white-hat hacker who requested anonymity says the statistics need to be re-examined.

“Experts in this field estimate that 200 to 300 new hacker groups emerge worldwide each year. When a new type of ransomware appears or a new hacker group site is created on the dark web, it is considered evidence of new hackers. The number of hackers is increasing, but the number of reported ransomware incidents is decreasing. That doesn’t make sense. This shows that more and more companies are simply not reporting incidents, even when they are affected.”

© The Asia Business Daily(www.asiae.co.kr). All rights reserved.