Ransomware: Banning victims from paying ransoms might reduce attacks, but it won’t stop them
Ransomware is very profitable. The reason why cyber criminals continue to hack into corporate networks, encrypting files and servers, is that enough victims will pay the ransom – usually in Bitcoin or another cryptocurrency – to make it worth their while.
Some of those ransoms can be enormous; recent weeks have seen one company pay $5 million to restore its network after falling victim to Darkside ransomware, while another hit by a REvil ransomware attack paid $11 million for the decryption key.
REvil ransomware was also used in a massive ransomware attack, which saw management software company Kaseya hacked, affecting 1,500 companies around the world.
The attackers demanded a ransom payment of $70 million in exchange for a universal decryption tool to supposedly resolve a problem affecting customers around the world – including a chain of supermarkets in Sweden that temporarily closed due to the cyberattack.
These are just a handful of examples, but cyber criminals are regularly demanding millions of dollars from victims – and in many cases, they’re paying up because they don’t feel as if they’ve got any other option when it comes to restoring their network.
However, there are concerns that this creates a self-perpetuating cycle.
While governments discourage organisations from paying ransoms to cyber criminals, the practice isn’t illegal – but there have been calls for legislation to be drawn up to ban paying ransoms.
The potential positive and negative consequences of banning ransom payments were recently discussed by a group of experts during a panel on disrupting the ransomware ecosystem, hosted by the Royal United Services Institute for Defence and Security Studies (RUSI), a defence and security think tank.
“From an ideological point of view, most people agree that you want to ban ransom payments. Fundamentally, we are funding crime and that’s a bad thing,” says Jen Ellis, vice president of community and public affairs at Rapid7 and a co-chair of the Institute for Security and Technology’s (IST) Ransomware Task Force (RTF).
Not only does paying ransoms show criminals that ransomware works, encouraging further attacks, but the nature of the criminal ecosystem also means that payments are used to fund other crimes.
Of course, when the network is down and they can’t operate, or if ransomware has compromised industrial control systems and manufacturing is impossible, businesses aren’t thinking about the long-term consequences of paying the ransom; they just want the issue resolved as quickly as possible.
In some cases, businesses can claim back this cost from cyber-insurance policies. This is something a RUSI paper has argued could be enabling ransomware – but according to one insurer, paying ransoms is not something they want to do.
“Believe me, insurers do not want to pay ransoms. It’s our client’s ultimate decision to take and I’m afraid to say there are times when there really is no other alternative,” says Graeme Newman, international cyber underwriter at CFC Underwriting, an insurance provider.
Cyber-insurance policy holders who pay the ransom need to do so from their own budgets, and it’s possible to recover that cost if certain conditions are met – but insurers aren’t simply handing over a large sum of money automatically in the aftermath of a ransomware attack. Newman argues that businesses pay ransoms, and then claim the payments back on cyber-insurance policies, because they’re in a desperate position – one which, for many small- and medium-sized businesses, would mean going out of business if they don’t pay.
“If we banned payments, there would be a significant disadvantage to all the businesses which have been attacked,” he says. “What you need is a structured system of a small number of heavily supervised, heavily regulated bodies that can determine when it’s okay to make a payment.”
Currently, there isn’t any guidance on the situations in which it would be deemed acceptable to pay a ransom, or on what action should be taken against ransomware victims who choose to pay in the event of a ban – but there’s an argument that, if a ban were introduced, it isn’t insurers who should be penalised.
“You ban payments, not the people who may or may not facilitate payments. Banning insurers from covering payments, but not banning payments, doesn’t make any sense – you either ban payments or you don’t. It’s not for insurers to make public policy, it’s for governments to do it,” says Ciaran Martin, professor of practice at the University of Oxford’s Blavatnik School of Government – and former director of the National Cyber Security Centre (NCSC), who says he’s “in favour of a ban in principle”.
Currently, the decision on making a ransom payment is entirely in the hands of private enterprises and they’re ultimately going to decide on what’s best for them – and if that means paying a ransom, then they’ll pay the ransom.
However, while the idea of banning ransoms might sound appealing, it wouldn’t be a silver bullet against ransomware attacks. It’s likely that cyber criminals would continue to conduct their campaigns, in the knowledge that they can still go after the soft targets that don’t have a choice when it comes to paying a ransom – whether it is illegal to do so or not.
“They’ll still target organisations that are least able to resist paying – critical infrastructure that cannot face the burden of disruption or small- to medium-sized businesses that don’t have the ability to have resilience. So, the likelihood is if we ban payments, attackers will focus on these groups,” says Ellis.
“Banning payments seems like a good thing to do in the long term, it seems like a desirable outcome – we don’t know how to do that pragmatically speaking to make it work in a way that isn’t going to cause a lot of unintended harm in the short term. That’s the dilemma,” she adds.
What is clear is that ransomware is going to remain a major cybersecurity problem for some time yet – but organisations can attempt to avoid becoming the next major victim by following the appropriate steps to protect their network from attacks.