Preventing 182 Billion Won in Ransom Payments and Recovering Negotiated Funds... U.S. Counter-Hacks Ransomware Groups

In January 2023, Christopher Ray, Director of the United States Federal Bureau of Investigation (FBI), held a press conference at the Department of Justice in Washington D.C. Investigators infiltrated the computer network of a ransomware group called "Hive" and secured over 1,300 decryption keys (with damages amounting to 130 million dollars or 182 billion won). Photo by AP News

In 2023, the United States Federal Bureau of Investigation (FBI) counter-hacked the notorious ransomware group "Hive." After infiltrating their network, the FBI secured over 1,300 decryption keys. By providing these keys to victim companies, they prevented ransom payments totaling more than 130 million dollars (182 billion won). At the time, FBI Director Christopher Ray stated that about 20% of companies attacked by Hive reported the hacking incident to the government. This is a significantly higher rate compared to South Korea, where less than one in ten victim companies report such incidents.

There have also been cases where authorities recovered ransom payments taken by hackers. In 2021, Colonial Pipeline, a U.S. oil pipeline company, paid hackers approximately 4.4 million dollars (6.1 billion won) in cryptocurrency. The FBI identified the hackers' digital wallet address as they transferred the Bitcoin and successfully traced and recovered about half of the ransom, roughly 2.3 million dollars.

Helping companies that have been hacked is the starting point for curbing the spread of hacker attacks. The more companies conceal incidents and pay ransoms, the more hackers profit. This, in turn, allows hacker groups to grow larger and leads to an exponential increase in the number of victim companies, creating a vicious cycle. A 2023 report by the global cybersecurity company Trend Micro stated that, on average, hackers use the ransom obtained from one company to fund attacks on another six to nine companies.

Lee Myoungsoo, head of A-FIRST (AhnLab Forensic Intelligence ReSearch Team), AhnLab's dedicated cyber incident response and threat intelligence organization, emphasized, "Reporting by victim companies is essential to break this chain of evil." He added, "It is only possible if companies are made to believe that 'the government will help if you report.'"

For companies to respond effectively to hacking incidents, the role of investigative agencies is crucial. The U.S. FBI, like the South Korean government, does not recommend paying ransoms as a matter of principle. Instead, it focuses on tracking down those behind the attacks. This includes recovering Bitcoin paid by victim companies or counter-attacking the hackers. A representative from a domestic security company stated, "Because the U.S. government provides practical assistance, companies are more inclined to actively consider reporting incidents." When a hacking incident occurs in the United States, the FBI, the Cybersecurity and Infrastructure Security Agency (CISA), and the Office of the Director of National Intelligence (ODNI) all concentrate on supporting victim companies, tracking attackers, and conducting investigations.

Security experts predict that if the South Korean government enhances its hacking response capabilities like the United States, the reporting rate will increase. Lee Wontae, former president of the Korea Internet & Security Agency (KISA), remarked, "Currently, even when the government receives reports, it does nothing beyond basic investigation. It does not cooperate with companies in responding to hacks or minimizing damages at all." He added, "We need to develop specialized personnel for hacking response, as the United States does." Park Chunsik, professor of information security at Seoul Women's University, also stated, "We must train experts who can minimize corporate damages and apprehend criminals to rescue companies from crises."

© The Asia Business Daily(www.asiae.co.kr). All rights reserved.