Should ransomware payments be illegal? Policymakers and security professionals have found themselves wrestling with this question after a spree of high-profile ransomware attacks crippled organisations in sectors ranging from energy to healthcare. In drinks, we’ve seen the likes of Campari Group, Lion Co and Drizly come under attack.
Despite the simplicity of the question, though, the answer is complicated.
“Banning payment would cause some huge problems and an even bigger headache for many companies,” says Jake Moore, cybersecurity specialist at ESET. “Unfortunately, there is no one size fits all for organisations.”
While officials in the US, UK and elsewhere have strongly advised against paying ransomware demands, governments have so far avoided introducing laws dictating how an organisation should respond. In testimony to a US Senate appropriations panel this week, FBI director Chris Wray said: “We would discourage paying the ransom because it encourages more of these attacks. Frankly, there is no guarantee whatsoever that you are going to get your data back.”
Last month, Ari Schwartz, MD of cybersecurity services & policy at US law firm Venable, told a panel hosted by the Institute for Security & Technology that if ransomware payments were made illegal immediately, “we could all be in trouble”.
As ransomware gangs go after ever-larger targets and demand ever-higher payments, usually made in the cryptocurrency Bitcoin, the question has arisen of whether governments should introduce legislation banning companies from making ransomware payments.
Cybercriminal groups that use malware to hold digital files and systems hostage do so because it is highly lucrative. In June, meat processing company JBS paid $11m to its attackers to draw a line under the hack. Bitcoin records show that prolific ransomware gang Darkside has made at least $90m since last August.
If making ransomware payments were made illegal, the criminal enterprises would no longer have a viable business model – or so the theory goes.
But, some cyber-experts warn that bans could have unintended consequences and still not prevent companies from parting with their cash. Alan Melia, principal incident response consultant at F-Secure, which assists companies dealing with ransomware attacks, doesn’t see the need to “explicitly” ban making ransom payments. He believes organisations will end up undertaking a cost-benefit analysis to see if any financial penalty outweighs the cost of lost revenue.
“If the cost of the penalties does not exceed the revenue that the organisations generate, then it’s still worthwhile doing it,” he says.
If the only alternative to paying is going out of business, then organisations have nothing to lose.
A ransomware payment ban could also see cybercriminals change tactics and target only the most critical organisations, such as hospitals or schools, hoping they would be under too much pressure not to pay. It could also push more companies to cover up attacks, which experts warn would reduce information sharing and ultimately make it harder to combat the scourge. Organisations may also find loopholes that make it legal to pay.
“Let’s be honest,” says Melia, “no matter what legislation we put in place there’s always clever accountants who will find their way around it.”
Companies in jurisdictions such as the US and the UK are already required to ensure that they are not funding sanctioned or terrorist organisations. These laws extend to ransomware payments, but whether a given cybercriminal group counts as a terrorist or sanctioned outfit is a grey area. And clearly, organisations are still paying despite this.
Some believe that a 2015 UK law prohibiting insurance companies from reimbursing companies for terrorism ransoms offers a good model for ransomware. “Ultimately, the terrorists stopped kidnapping people because they realised that they weren’t going to get paid,” Adrian Nish, threat intelligence chief at BAE Systems, told NBC News.
The rise of ‘big game hunting’
The debate about making ransom payments illegal comes as attacks have been shifting from high-volume, low-return ‘spray and pray’ efforts to fewer but more targeted hacks. So-called ‘big-game hunting’ has seen cybercriminal gangs – often organised criminal enterprises operating out of Russia and Eastern Europe – narrow their targets to those likely to pay more.
During the first three months of this year, there was a 50% quarter-over-quarter decrease in the overall number of ransomware attacks, according to research by antivirus company McAfee published this week. This continues a trend that goes back to the first ransomware attack in 1989. With the widespread adoption of the internet in the late 2000s, cyberattackers found profit in locking individuals out of their machines in high-volume attacks, demanding hundreds of dollars in ransom. They then realised that wide-net attacks against organisations were more lucrative, because organisations had more cash to pay.
Today, ransomware attacks are highly targeted to maximise profits, with ransom demands calculated from companies’ revenues and their likelihood of paying.
“The battle against ransomware isn’t so much a fight against gangs of misguided teens peddling a particularly malicious flavour of malware,” says Gunter Ollmann, chief security officer at cloud security company Devo Technology. “It’s the battle against a global ecosystem of tens of thousands of suppliers, distributors, enforcers and money launderers managed by organised crime cartels and nation-states.”
This has coincided with the rise of ransomware-as-a-service, in which criminal outfits rent out their malware and infrastructure to affiliates in return for a cut of any profits. Far from lone teenage hackers operating out of a bedroom, these are slick operations that even come with customer support teams to guide victims through purchasing Bitcoin and negotiating a discounted ransom. Some gangs even pose as legitimate red teams, the security testers hired to launch attacks that expose weaknesses.
Lower attack volumes also give security vendors fewer samples from which to recognise a strain of malware, a side effect that ransomware gangs appear to have embraced. According to McAfee figures, the number of unique ransomware ‘families’ deployed fell from 19 in January to nine in March.
“Criminals will always evolve their techniques to combine whatever tools enable them to best maximise their monetary gains with the minimum of complication and risk,” said Raj Samani, McAfee fellow & chief scientist. “We first saw them use ransomware to extract small payments from millions of individual victims. Today, we see ransomware as a service supporting many players in these illicit schemes holding organisations hostage and extorting massive sums for the criminals.”
Governments talk the talk
Officials have made strong statements in response to the surge in large ransomware attacks, but there has been little concrete action yet. This is despite ransomware attacks increasing 150% globally last year, according to Lisa Ventura, CEO of the UK Cybersecurity Association. “The volume of attacks makes ransomware the most impactful threat that we currently face,” she added.
To date, the UK government has maintained what Home Secretary Priti Patel has described as a “strong position” against paying demands. Meanwhile, the Biden administration is looking at giving ransomware intelligence-sharing a structure similar to counter-terrorism, and has published an executive order aimed at improving the US’ cybersecurity.
Despite this, there is still no clear fix on the horizon. A coalition of cyber-experts called the Ransomware Task Force (RTF) is now lobbying governments to take meaningful action, but even its members can’t agree if it’s right to introduce a ban against making payments.
However, a survey commissioned by cybersecurity firm Talion found that 78% of 1,000 consumers thought ransomware payments should be made illegal. The figure rose to 79% among cybersecurity professionals, albeit with a much smaller sample size of 200 people.
One area cybersecurity experts appear to be largely in agreement on is that organisations should do all they can to avoid paying. They say it perpetuates the criminal cycle and there’s a likelihood that stolen data will be sold at a later stage, regardless of payment. Speaking to the BBC, Terry A’Hearn, CEO of the Scottish Environmental Protection Agency, said the organisation did not consider paying the ransom demand after a cybercriminal group stole 4,000 digital files on Christmas Eve.
“If we had paid, then we would have increased the risk for everyone else,” he said.
In some cases, a company has sufficient backups and a tested disaster recovery plan in place, which means it can refuse to pay the demand without suffering long-lasting damage. Japanese multinational conglomerate Fujifilm – once known for photographic film, and now a seller of diverse products including backup storage – took this approach after detecting unauthorised access to its servers on 1 June. But backups are not a silver bullet, and each situation is different.
“Unfortunately, there isn’t a quick fix to combat ransomware,” says Stu Sjouwerman, founder & CEO of KnowBe4. “While backups are good, they are not enough – especially with the extortion techniques now being used by cybercriminals.”
Another counter-measure could be to regulate cryptocurrencies, one of the preferred forms of ransom demanded by hackers, more tightly. According to Paul Rosenzweig, head of security and privacy solutions company Red Branch Consulting, the “anonymous, poorly regulated nature of cryptocurrency provided tinder for the ransomware fire”. To better combat the threat of ransomware, Rosenzweig argues that US laws governing money laundering and the financing of terrorism, as well as the suspicious-activity reporting required in traditional banking, should be applied to digital currency.
Further muddying the water is the revelation that ransomware payments may also be tax-deductible, which could have the perverse effect of incentivising some businesses to pay up and write it off as a loss.
“This is a very grey area that demands immediate attention,” says Talion’s threat intelligence analyst, Lewis Jones. “While claiming tax back isn’t necessarily wrong, it could encourage more payments to cybercriminals if businesses know they can at least get something back. However, this also makes attacks more profitable to criminals.”
Governments could also explore legislative options other than banning payments. Last month, the Australian Government introduced a bill that would require organisations to disclose to the national cybersecurity agency when they make a ransomware payment. The aim is not to penalise companies for choosing to pay, but to build a nationwide picture of the threat through intelligence-sharing. Lawmakers in the US are drafting a similar bill that would require organisations to report a cyber breach within 24 hours.
This information could assist law enforcement in making arrests and seizing the physical infrastructure used to conduct attacks. Such operations are rare and often require international cooperation – but they can be highly effective.
F-Secure’s Melia sees value in this, not just for ransomware attacks but for all forms of data breaches. “People aren’t going to be open and honest unless they have to,” he says. “So, there is that balance between legislation and legislation to encourage the proper behaviour.” Melia believes companies should have to record the number of cyber-incidents in their annual reports.
A bright spot among the spate of recent ransomware attacks is increased public awareness of the problem. On 16 August, US television host John Oliver dedicated a 22-minute segment of his Last Week Tonight show to the issue, bringing ransomware into the living rooms of everyday Americans. “There are some basic things that we should all absolutely be doing,” Oliver said during the broadcast.
Experts all agree that the status quo cannot continue. Or as Talion’s Jones put it: “If the government doesn’t intervene and provide guidance on ransomware soon, things are going to get worse and potentially even out of control.”