To Pay or Not To Pay Ransomware, That Is the Question

Compliance is the driver in cybersecurity, and it will be compliance with some standard, regulation, or law that will put ransomware out of business.

I’m beginning to think we should ban ransom payments to criminals—or at least disallow insurance from covering them. I know that sounds extreme, but hear me out.

Ransomware attacks have changed as they have become more notorious. Some might think that because the typical target is no longer individuals, but rather larger organizations, they are personally safe. The truth is actually that the risks have gone up for both individuals and organizations.

Before, an individual would know if their data had been taken ransom. Today, it is more likely that data they’ve entrusted to a third party (often entrusted to yet another third party) is being taken, leaked, or sold. The individual may not be aware of the situation until the organization notifies them, always long after the fact. Usually organizations announce incidents only when obligated to. As a result, individuals face just as much risk, but without the knowledge or agency to protect themselves.

We Need To Starve the Cybercrime Industry

The scope of the ransomware problem has grown exponentially in the wake of Covid-19. According to a new report by Emsisoft, ransomware demand costs could reach new highs this year, exceeding $1.4 billion in the United States in 2020.

Confronting the problem will take a collective effort, with the entire ecosystem cooperating to starve the ransomware “industry,” and the cybercriminals behind it, so that it is no longer a profitable scam.

Paying a ransom is often seemingly the path of least resistance, but this practice perpetuates the problem. A voluntary embargo of ransom payments is unlikely, so it will fall to social and political pressure to prevent people from negotiating with cybercriminals.

We could make it illegal to pay a ransomware demand, or we could otherwise discourage it. Or, we could look at the effect cyber insurance (and the fact that it covers ransomware payments) has on ransomware attacks. If regulation disallowed insurance from covering these payments to criminals, and instead refused to cover entities that did not engage in the minimal cybersecurity measures needed to protect private data, it’s possible we could snuff out ransomware as a practice.

To reach this point, all businesses would have to either bring their cybersecurity up to levels where they are impenetrable (unlikely) or agree to not pay ransom demands, regardless of the impact of individual business interruptions, in order to “starve” the criminals. It is all too easy to see paying the ransom as the fast, cheap, and effective choice (though it would have been cheaper and more effective to have had the capabilities in place to defend against the invasion in the first place). Beyond the financial hit, there is little cost to the victim—operationally or reputationally—of paying a ransom. And cyberinsurance policies covering ransomware lessen even the financial burden.

The U.S. Treasury Department is now stepping in with official guidance. In an advisory published October 1, it warns that a victimized organization that makes ransomware payments to certain identified notoriously high-profile cybercrime organizations, or entities in certain countries, could be subject to fines from the Office of Foreign Assets Control (OFAC). Any companies or contractors that a hacked organization works with—including those providing insurance, incident response, and digital forensics, as well as all financial services that help facilitate or process ransom payments—could likewise be subject to fines.

Cybercrime Is Organized Crime

Following the path of least resistance is admittedly human nature, but ransomware should be treated as organized crime. Though cooperating with criminals targeting your business is sometimes easier, and was even seen in the past as “a cost of doing business,” the law has stepped in to free businesses and individuals from predatory gangs offline.

Similar steps should be taken to curb ransomware gangs. These rules should be even more stringent than the Treasury Department’s recent guidelines, especially as larger public institutions have become attackers’ target of choice.

Several of these institutions, like Michigan State University and even municipalities like Atlanta and Baltimore, have done the right thing by standing fast against ransomware criminal operations. Maybe it should be the law to do so. Engaging with cybercriminals—even as victims in their schemes—is aiding and abetting future cybercrime.

At the beginning of the summer, Maze ransomware, a known hacking group, attacked MaxLinear, a chipset manufacturer. MaxLinear was prepared, citing in a statement to the SEC that they would not pay the ransom because the attack did not have an effect on their ability to operate: “The ransomware attack has not materially affected our production and shipment capabilities, and order fulfillment has continued without material interruption. We have no plans to satisfy the attacker’s monetary demands.”

Under further pressure from the attackers, including leaks of stolen information as well as threats of further leaks, MaxLinear maintained their position that they would not benefit from payment. “Although we have incurred and will incur incremental costs as a result of forensic investigation and remediation, we do not currently expect that the incident will materially or adversely affect our operating expenses. We carry cybersecurity insurance, subject to applicable deductibles and policy limits. We have also engaged with the appropriate law enforcement authorities.”

Though in this instance, MaxLinear cited cybersecurity insurance as a preventative measure allowing the company to refuse to pay ransom demands, many businesses use this insurance to make such payments. As such, cybersecurity insurance may actually discourage organizations from putting into place policies and practices that would prevent the need for any payments at all, such as consistent backup and data inventory.

Ransom Payments Fuel the Cycle

Payments of ransoms do a great deal to perpetuate ransomware attacks as a criminal practice. “Successful” exchanges make ransomware worse in several ways.

With each successful attack, criminal organizations expand their offensive capabilities and their resources, continuing to extort new organizations and often prior victims. Those paying a ransom expect to be made whole again upon payment, but they hardly ever are. One would expect cybercriminals to keep their word, in order to encourage successful exchanges in the future, but research has shown that only a quarter of companies which pay ransom demands actually get their files unlocked.

As criminals extract valuable data from the files held for ransom, they can commit further crimes by selling data or using it in future attacks against others. Victims can even be attacked again by the same criminal entity if they do not put security measures into place after the first attack.

Cyber Insurance Is Not a Cure-All

Under the best of circumstances, with insurance covering the ransom payment and attackers releasing the data they held, a business would still have a lot of mitigation and recovery to do after an attack. Even if insurance covers the cost of the ransom payment, it will not cover the hassle and lost time at the business, much less any impact to clients and customers. The insurer cannot make the company’s reputation whole again.

Cyberinsurance does not offer a remedy that will prevent future attacks. In fact, such attacks will become increasingly costly, as ransomware claims are followed by increased premiums. Cyberinsurance cannot be viewed as a protective or preventative measure. If anything, the fact that a company is covered may make it a more enticing target, as it is more likely to be able and willing to pay the demanded ransom.

Just as car insurance may lessen the financial burden of a loss but does nothing to prevent crashes, cyberinsurance should be part of a risk mitigation plan, but it must be augmented by truly protective and preventive measures. In a car, this would mean locking doors, airbags, seat belts, and safe design. In cybersecurity, risk mitigation measures include secure backups, vendor management, and intrusion detection.

As long as executives have the false perception that paying criminals’ demands will quickly eliminate a ransomware problem, some organizations will see that as their best practice. In order to defeat ransomware as a threat, the entire cybersecurity world—and business at large—must stand together and declare their complete unwillingness to negotiate with criminals.

Of course, a voluntary effort to eradicate ransomware as a threat is ambitious. The only way to encourage such a movement is probably through some outward pressure, be it legislation, regulation, or simply a financial penalty that makes paying a ransom more expensive than dealing with the fallout of refusing to pay.

Lawmakers and federal cybercrime agencies could investigate what is within their power to make paying ransomware demands altogether illegal. Insurance companies should consider what effect their willingness to cover ransomware payments has on the greater ecosystem, and insurance customers should rethink what it means to be made “whole” after an attack.

Ultimately, compliance is the primary driver in cybersecurity, and it will be compliance with some standard, regulation, or law that will put ransomware out of business.


Stelios Valavanis is CEO & founder of onShore Security, an established provider of managed cybersecurity since 1999 serving enterprise and small to midsize business (SMB) clients in industries with high levels of information compliance regulations, including banking and healthcare. He currently serves on the board of the ACLU of Illinois. He has additional roles on advisory boards and committees for several other nonprofit organizations and companies, and is an active member of Chicago ArchAngels. Stel is an alumnus of The University of Chicago, and is a strong advocate of open source software and its contribution to Internet security.


From: CorporateCounsel