Why businesses must stop paying the ransom

Ransomware payments drive this criminal industry but stopping them is no simple matter

Once upon a time, ransomware was more of a side dish than the cybersecurity main course. In 1989 consumers got their first taste of the threat with the AIDS Trojan, which demanded a ransom of $189 to unlock files it had rendered inaccessible. Fast-forward 30 years and everything has changed: consumers are no longer the primary target of ransomware, and highly organised criminal operations are far more likely to demand six- or seven-figure ransoms from victimised businesses.

Ransomware has evolved into a lucrative cybercrime business model. These criminal operations comprise numerous component parts: the developers of the malware and the operational software, affiliates who carry out both the pre-attack intelligence gathering and the execution of the attack, ransom negotiators and even technical support staff to help victims recover their data. Lisa Ventura, CEO of the UK Cyber Security Association, says that ransomware attacks increased globally by 150% in 2020, growth that isn’t slowing down in 2021. “The volume of attacks makes ransomware the most impactful threat that we currently face,” she insists.


With most of the main ransomware gangs seemingly based in parts of the former Soviet Union, where the long arm of the law cannot reach, the challenge is how to stop this crime. Going on the attack could be part of the solution, according to Ciaran Martin, professor of practice in the Management of Public Organisations at the Blavatnik School of Government and formerly founding chief executive of the National Cyber Security Centre, part of GCHQ. 

“There is a role for offensive cyber, through the new National Cyber Force working with US Cyber Command to attack the technical infrastructure that criminals use,” he says. But perhaps there is a more straightforward option: to make ransomware payments illegal?

Criminalisation is not that simple

What every ransomware attack has in common is that the payments fund the growth and development of the criminal enterprise. An obvious solution would be to cut off the funding by making ransom payments illegal.

As always, the devil is in the detail. Attacks have evolved from simply encrypting network infrastructure to exfiltrating data first and threatening to publish it. Backups are no longer the silver bullet they once were: restoring systems from a backup removes the encryption problem, but it does nothing to remove the attacker’s leverage over the stolen data.

Martin says that allowing such payments drives a lazy narrative of ransomware being an existential threat to business with no alternative but to pay. The reality is a lot more complex. “Ransomware is usually very serious but not always an existential threat and rarely a threat to life,” says Martin. “Paying often means getting an only moderately effective decrypter key and you still have to run it on battered systems in need of repair.”

He warns that we shouldn’t be simplifying this in a way that suits the criminals. Recent research from managed service provider Talion, which founded the #RansomAware initiative to stop the cyber shaming of victims, found that 79% of the cybersecurity professionals surveyed were in favour of making payments illegal. Talion principal threat analyst Mitchell Mellard admits there are many parts to the debate, but the fact remains that such rewards embolden these criminals and enable them to continue with impunity.

“I don’t think the option of payment should be shelved. But it should be regulated,” Mellard says. “Limit it to instances where the network or dataset is critical, such as a hospital or critical infrastructure.” 

Ventura says the government could explore regulation and gives the example of Australia, which has recently introduced a bill to make it mandatory for organisations to disclose when ransomware payments are made. “The aim of this is not to penalise companies who choose to pay a ransomware demand, but to build a nationwide picture of the threat of ransomware through intelligence sharing.”

The role of cyberinsurance

It has also been suggested that cyberinsurance policies that take on ransom payments are complicit in the rise of the ransomware threat and could be another area where regulation is required. Martin is clear about the role of insurance companies, which, he points out, isn’t to make public policy. “You either ban ransom payments or you don’t,” he says, “banning them via insurance doesn’t achieve anything.”

Which isn’t the same as saying the insurance industry doesn’t have a part to play. Engaging with the government, and the businesses it serves, to work out what has gone wrong is common sense. 

Martin thinks the most important thing is to get insurance companies to enable the useful social function of incentivising good security. Without this, what Mellard calls a “malicious feedback loop” is put into play: the ransomware operators invest in new tooling, underground recruitment and the purchase of leaked credentials and exploits. This gives them a greater chance of success in the next attack – and so the cycle continues, he says. 

By allowing a business to treat its security posture as an operating cost to be insured against, rather than an essential part of the business requiring serious ongoing investment, ransomware insurance policies certainly appear to play their part in the feedback loop. But for how long? Ian Thornton-Trump, CISO at threat intelligence provider Cyjax, recalls that, since 2015, “In virtually all of the thousands of cases of ransomware attack I’ve researched, successful attacks can be broken down into the failure of staff, a flaw in a process or a failure of security technology.”

This leads him to expect that insurers will “start to balk, refuse and reduce the amount of payments” under business interruption insurance or cyberinsurance policies for a risk he sees as entirely preventable.

Prevention is always better than costly cure

There’s a real sense of irony about the prevention of ransomware, not least because some of the attackers themselves will proffer mitigation advice as part of the attack wrap-up process. Yes, you read that right: some ransomware groups disclose their attack access routes and provide advice on how the victim can better secure their networks from future attacks. 

While it would never be a sound idea for organisations to take security tips from their attackers, sharing is something that should be on the ransomware mitigation agenda to break the threat cycle. 

The #RansomAware initiative wants to play a pivotal role in doing just that. The UK Cyber Security Association is part of this coalition of businesses that exists to share experiences, exchange ideas and pool intelligence, anonymously if necessary, on ransomware attacks. 

“Information sharing is the only way to get ahead of the cybercriminals. They collaborate to make attacks more successful, so stronger collaboration is key to making our defences stronger also,” Ventura insists. Talking openly about attacks aids a better understanding of the techniques used, whereas pretending they aren’t happening and working to prevent news leaking to the media only benefits the criminals. 

“The more companies are willing to speak out about becoming the victim of a ransomware attack,” Mellard concludes, “the faster and more comprehensively the information security sector can develop detection techniques and countermeasures to the tools employed by ransomware groups.”

But such initiatives cannot succeed on their own; government programmes and regulation must be part of the preventative process. Thornton-Trump even suggests that the judiciary should consider whether the use of client-attorney privilege to avoid reporting cybercrime is making it harder to prosecute the criminals responsible.

“Use of this mechanism when it comes to the disclosure of the details of a data breach is, in my opinion, detrimental to the greater good,” he says. It’s an area where many cybersecurity experts agree, unlike the more hotly debated issue of banning ransomware payments. Martin insists that the case for mandatory reporting of ransomware demands to the authorities is a slam dunk. “I can’t think of a single decent argument against it and haven’t heard one,” he says. “The government should implement it at the earliest opportunity.”