To Pay or Not To Pay Ransomware, That Is the Question…
By Stel Valavanis, CEO onShore Security
I’m beginning to think we should ban ransom payments to criminals or at least disallow insurance to cover them. I know that sounds extreme, but hear me out. It’s very worth exploring at this time, as the scope of the problem is exponentially growing in the wake of COVID-19. According to a new report by Emisoft, ransomware demand costs could reach new highs this year exceeding $1.4B in the U.S. in 2020.
Ransomware has Evolved and the Stakes Are Getting Higher
Ransomware attacks have changed over the course of their notoriety. While some might think that because the typical target is no longer individuals, but rather larger organizations, that they are personally safe, the truth is actually that the risks have only gone up for both individuals and organizations. Whereas before, an individual would know if their data had been taken ransom, it is more likely now that data they’ve entrusted to a third party (often entrusted to yet another third party), is being taken, leaked or sold, and the individual is not made aware until the larger organization notifies them, always long after the fact, usually only announcing incidents when obligated to, meaning you are just as at risk, without the knowledge or agency to protect yourself.
We Need to Starve the Cyber Crime Industry
The ransomware problem, however, is not likely something that can be challenged by any individual. It will take a collective effort, with the entire ecosystem cooperating to starve the ransomware “industry” and the cybercriminals behind it so that it is no longer a profitable scam. It is often seemingly the path of least resistance to pay ransoms, but this practice actually perpetuates the problem. A voluntary embargo of ransom payments is unlikely, so it will fall to social and political pressure to prevent people from negotiating with cybercriminals. We could make it illegal to pay a ransomware demand, or to otherwise discourage it. Or, we could look at the effect cyber insurance (and the fact that it covers ransomware payments) has on ransomware attacks. If regulation disallowed insurance from covering these payments to criminals, and instead refused to cover entities that did not engage in the minimal cybersecurity measures needed to protect private data, it’s possible we could snuff out ransomware as a practice.
The Pressures Are Starting to Build
For this to be the case, all businesses must either bring their cybersecurity up to levels where they are impenetrable (unlikely) or get all businesses to agree to not pay the ransom demands, regardless of individual business interruptions in order to “starve” the criminals. It is all too easy to see paying the ransom as the fast, cheap, and effective choice (though it would have been cheaper and more effective to have had the capabilities in place to defend against the invasion in the first place). Beyond the financial hit, there is little cost to the victim, financially, operationally, or even reputationally. And then cyber insurance policies covering ransomware lessens even the financial burden.
The US Treasury Department however, is now stepping in with official guidance in an advisory published October 1st. It warns that any companies or contractors a hacked organization works with including those providing insurance, incident response, and digital forensics as well as all financial services that help facilitate or process ransom payments, could be subject to fines in addition to the victimized organization itself from the Office of Foreign Assets Control if payments are made to certain identified notoriously high-profile cyber crime organizations, or entities in certain countries.
Cyber Crime is Organized Crime
Following the path of least resistance is admittedly human nature, especially in the business world, but ransomware should be treated as organized crime. Though it has perhaps been the case in the past that it was easier to cooperate with criminals targeting your business, and was even seen as “a cost of doing business”, the law has stepped in to free businesses and individuals from predatory gangs offline. Similar steps should be taken to curb ransomware gangs that are even more stringent than the guidelines just out from The US Treasury Department, especially as larger public institutions have become the attackers’ target of choice.
Several of these institutions, like Michigan State University, and even municipalities like Atlanta and Baltimore, have done the right thing by standing fast against ransomware criminal operations. Maybe it should be the law to do so. Engaging with cyber criminals. even as victims in their schemes. is aiding and abetting future cyber crime.
At the beginning of the summer, Maze ransomware, a known hacking group, attacked MaxLinear, a chipset manufacturer. MaxLinear, however, was prepared, citing in a statement to the SEC that they would not pay the ransom because the attack did not have an effect on their ability to operate.
“The ransomware attack has not materially affected our production and shipment capabilities, and order fulfillment has continued without material interruption. We have no plans to satisfy the attacker’s monetary demands.”
Under further pressure from the attackers, including leaks of information stolen as well as threats of further leaks, MaxLinear maintained their position that they would not benefit from payment.
“Although we have incurred and will incur incremental costs as a result of forensic investigation and remediation, we do not currently expect that the incident will materially or adversely affect our operating expenses. We carry cybersecurity insurance, subject to applicable deductibles and policy limits. We have also engaged with the appropriate law enforcement authorities.”
Though in this instance, cybersecurity insurance is cited as a preventative measure allowing MaxLinear to refuse to pay ransom demands, for many companies, this insurance actually enables them to make such payments and as such can actually discourage organizations from putting into place policies and practices that would prevent the need for any payments at all, such as consistent backup and data inventory.
Ransom Payments Fuel the Cycle
Payment of ransoms do quite a bit to perpetuate ransomware attacks as a criminal practice. “Successful” exchanges make ransomware worse because they:
- Give victims the impression that paying ransom will make them whole again with the least cost.
- Put resources into the hands of criminals, to be used to grow and expand criminal capabilities.
- Solve a single instance of the attack, but do nothing to prevent further attack.
- Encourage further attacks from the same criminal organization or others, as the company is now known to be willing and able to pay.
- Establish valuable information for attackers to use as they attack other look-alike organizations.
With each successful attack, these organizations expand their offensive capabilities, their resources, continuing to extort new organizations, and often prior victims. While those paying the ransom expect to be made whole again upon payment, this is hardly ever the case. One would expect that these criminals would be obliged to keep their word, in order to encourage successful exchanges in the future, but research has shown only a quarter of companies that pay ransom demands actually get their files unlocked. As criminals have also begun to extract valuable data, they can commit further crimes by selling your data or using it in future attacks against others. Victims can even be attacked again by the same criminal entity if they do not put security measures into place after the first attack.
Cyber Insurance is Not a Cure-All
Under the best circumstances, with insurance covering a ransom payment, and the attackers releasing the data they held, a business will still have a lot of mitigation and recovery to do after an attack. While insurance may cover the cost of a payment, they cannot cover the hassle and lost time at your business, much less any impact to your clients and customers. They cannot make your reputation whole again. Nothing your cyber insurance does will prevent further attack and in fact, if you are attacked again, it will be more costly, as ransomware claims are followed by increased premiums. Cyber insurance cannot be viewed as a protective or preventative measure. If anything, the fact that you are covered may make you a more enticing target, as you are more likely able and willing to pay. Just as car insurance may lessen financial burden of a loss, but does nothing to prevent it, cyber insurance should be part of a risk mitigation plan, but it must be augmented by truly protective and preventive measures. In a car, this would mean locking doors, airbags, seat belts, or safe design; in cybersecurity this would include secure backups, vendor management, and intrusion detection.
As long as there exists the false perception that ransomware can be waved away quickly by paying criminals’ demands, there will be organizations that see it as their best practice. In order to defeat it as a threat, the entire cybersecurity world, and the business world at large, must stand together and declare their complete unwillingness to negotiate with criminals.
Of course, a voluntary effort to eradicate ransomware as a threat is ambitious, and it is probable that the only way to encourage such a movement is through some outward pressure, be it legislation, regulation, or simply financial burden that goes beyond fines that still make it worth paying ransom rather than dealing with the fallout. Lawmakers and federal cybercrime agencies could investigate what is within their power to do to make it illegal to pay ransomware demands altogether. Insurance companies should consider what effect their willingness to cover ransomware payments has on the greater ecosystem and insurance customers should rethink what it means to be made “whole” after an attack. Ultimately, compliance is the driver in cyber security, and it will be compliance with some standard, regulation, or law that will put ransomware out of business.