Is paying ransomware the worst strategy?
Given the huge pressure the pandemic has placed on service providers, cyberattacks have risen considerably, with ransomware being a particularly popular form of attack. Indeed, it was estimated that 51% of businesses were targeted by ransomware in 2020, with a global cost of around $20 billion.
Indeed, as researchers from the Cambridge Judge Business School illustrate, with the conviction rate for cybercrimes so low, ransomware attacks are fairly low-risk affairs, which perhaps explains why over a quarter of victims pay up to get their systems or data back. In many cases, this is actually the course of action recommended by cyber-insurance firms.
It’s perhaps no surprise that the rare occasions when ransomware criminals are actually prosecuted become such notable events, such as in 2019, when a Nigerian cybercriminal was prosecuted in the United States, or the recent prosecution by French and Ukrainian officials of the Egregor ransomware attackers.
Given the paucity of prosecutions, it’s perhaps understandable that so many simply choose to go along with the attacker’s demands, as the criminal justice system seems to offer minimal support. Is it the best strategy, though, or does paying criminals off simply encourage more to follow suit? After all, many IT security staff now believe cyberattacks are a matter of when, not if.
Indeed, a recent report from the European Union revealed that ransomware attacks had increased by an incredible 365% during 2019. The situation has become worse during a pandemic in which hospitals and other healthcare facilities have been actively targeted, due both to their often antiquated IT systems and to the strong desire to get systems back up as quickly as possible so that service levels are maintained and patients are not put at risk.
This has prompted governments to up their game somewhat, with the former US spy chief Chris Krebs recently arguing for the US Cyber Command to be put to use against the ransomware gangs that are blighting the world. Such government-led intervention was seen last year, when the US government worked with Microsoft to target the Trickbot malware, which is commonly used by ransomware gangs, in a bid to ensure that the US election wasn’t disrupted.
To date, however, Australia is the only country that has gone on record as saying it is using offensive cyber capabilities to disrupt and destroy the infrastructure used by foreign cybercriminals. This kind of deliberate and proactive action could be effective, especially if the efforts are targeted at the servers used by the gangs and, of course, at the infrastructure the gangs use to turn the bitcoins they so often receive as ransoms into cash.
It’s not an approach that is without significant risks, however. The normalization of the use of state agencies or even the military against individuals operating out of other countries is a slippery slope from a diplomatic perspective. Indeed, it could easily justify such an approach being similarly adopted by some of the more unscrupulous countries in the world.
It also runs the very real risk of disrupting the vital infrastructure of completely innocent civilians who just happen to be using the same web services as the criminals the state agencies are targeting. The picture is further muddied by the fact that many of the cybercriminals operating in countries like China and Russia also work for state intelligence agencies, or act as state employees who do some cybercrime on the side. Either way, it might provoke a far higher level of retaliation than one would ordinarily expect from cybercriminals acting on their own.
From an insurance perspective, the common approach advocated by the insurance industry is to pay the ransom as quickly (and as quietly) as possible to minimize disruption. The victims are then able to claim back the ransom on their insurance, albeit with an inevitable increase in their insurance premiums.
The payment of the ransom itself is often handled by a broker, which can easily create the impression that this is akin to a protection racket backed by the insurers who are able to secure higher premiums after each attack. It’s an approach that has a few issues, even aside from the obvious moral objections one might raise.
Firstly, it can easily encourage organizations to become lackadaisical about their cybersecurity and simply fall back on insurance to cover them for inevitable losses. Cybercrime, therefore, becomes yet another “cost of doing business”. Suffice it to say, this is not an approach that is recommended, not least because there are examples of companies being targeted and then re-attacked after they failed to investigate the cause of the original attack, much less plug the hole in their security.
Equally, the more money criminal gangs are able to secure, the more likely they are to invest in ever more sophisticated ways of attacking the systems of victims. There is already growing concern in the cybersecurity community about the increasing sophistication of malware attacks, and so it seems ill-advised to actively encourage further developments by bankrolling them with a ready and easy supply of capital.
We have already seen the former head of the National Cyber Security Centre in the UK call to ban cyber-insurance policies that include ransom payments to discourage this trend. While the insurance industry defended itself from such accusations, it’s hard to shake the notion that ransomware attacks inevitably help the industry.
Ultimately, the only viable long-term strategy is for organizations to improve their cybersecurity defences so that criminals don’t have such easy prey to feast upon. For this to be achieved, organizations will need great support and commitment from the board all the way down throughout the workforce so that cybersecurity is given the priority it deserves.