Is legislation the best defence against ransomware attacks?
Even as it was winding down last year, the infamous Russian-based gang behind the Conti ransomware mounted successful attacks on Costa Rica’s public institutions in a bid to foment a popular uprising. The government of President Rodrigo Chaves refused to pay up, but it had to declare a state of emergency to deal with the fallout.
Another Russian-linked group, prolific LockBit ransomware gang, has attacked more than 1,000 organisations worldwide and extorted at least $100m (£83m) to date. Among its targets in 2022 was a children’s hospital in Canada, although it apologised for that attack and gave the victim a free decryptor in a rare show of conscience.
Since the start of the Covid pandemic there has been a huge increase in the frequency of such attacks. The ransom demands tend to be onerous. Despite this, the victims – terrified of data loss and the associated legal and reputational costs – often give in to them. Proofpoint data indicates that 82% of UK organisations hit by ransomware attacks in 2021 chose to pay up.
Showing a determination to crack down on the increased threat from cyber attacks, the US and UK governments recently announced joint sanctions against seven Russian individuals linked to the prolific Trickbot cyber gang. The sanctions make it illegal to make ransomware payments to Trickbot and are a first of their kind.
But demands for new laws that would prevent companies from paying any ransoms or require them to report ransomware attacks are becoming more insistent. Legislators around the world have been debating what to do about this.
Proponents say that this is a common-sense way to discourage attacks, but others argue that this risks re-victimising businesses and that monitoring and enforcing such regulation would be tricky.
The US’s increasingly strong stance against ransom payments
One of the places these conversations are playing out is the US, where officials are increasingly concerned by the criminal activity that ransomware payments help fund.
“In the context of the Ukraine-Russia conflict, bad actors waging cybercrime campaigns are a threat not only to networks and data,” says Julie DiMauro, director of compliance training at Compliance Week and adjunct professor at the Seattle University School of Law, “but they further a crisis that the US is actively trying to assuage.”
By paying ransomware fines companies could unwittingly be breaking sanctions or, in the US, engaging with individuals or organisations listed on the US Treasury’s Office of Foreign Assets Control’s (OFAC) Specially Designated Nationals and Blocked Persons List. In 2021, OFAC issued this advisory notice: “The US government strongly discourages all private companies and citizens from paying ransom or extortion demands.”
DiMauro notes that directives not to make ransom payments “further valuable national security goals, such as curbing terrorist financing”.
Senate bills such as the Cyber Incident Reporting Act of 2021, which stipulate companies would have to report all ransomware incidents have so far failed to pass Congress, but states are taking the issue into their own hands. North Carolina and Florida have both banned state government entities from paying ransoms connected to ransomware attacks, while similar legislation is under discussion in states like New York.
Ransomware regulation in the UK
In the UK, the Network & Information Systems Regulations dictate that service providers and operators of essential services must report cybersecurity incidents of “substantial impact” to the UK’s Information Commissioner’s Office (ICO). Examples include when an incident results in a loss of confidentiality of data and affects more than 15,000 UK users. Last July, the ICO and NCSC both urged companies not to pay ransoms and requested that solicitors stop facilitating those payments. Meanwhile, the UK government is proposing new laws on cybersecurity standards.
Right now, cybersecurity insurance that covers ransomware payments – and the fact that ransomware payments are tax-deductible in some countries – normalises ransomware payments as simply the cost of doing business in the digital age.
“I would like to see a law in the UK that would ban ransom payments,” says Subhajit Basu, associate professor in information technology law at the University of Leeds. “Not just that, I would like to see much tougher regulation – if possible, outright banning – of cryptocurrency operations as most ransom payments happen through them.”
A major argument against companies paying ransoms is that, on average, only 65% of the data is recovered after the organisation pays for the decryption tool, and only about 8% of organisations that pay manage to recover all of their data. Even so, many point out that legislation preventing payments would be difficult to enforce and might end up penalising the companies least able to recover from attacks.
“Criminalising what [companies] may see as their remaining route to recovery is arguably serving to further punish organisations for falling victim to the threat,” says Steven Furnell, professor of cybersecurity at the University of Nottingham. He notes that whether making ransom payments illegal would act as a deterrent depends on what penalty the crime would incur. “If the organisation has suffered a significant incident that may otherwise jeopardise a large amount of business, then paying a fine may seem a small price in comparison.”
The best offence is a good defence
Ultimately, prevention is the best solution, and experts argue that more effort must be made on the part of the government to help businesses fortify their cybersecurity measures, such as implementing multifactor authentication systems, says Basu.
At a minimum, though, most argue that ransomware incident reporting is a crucial intermediate step. Right now, many companies choose not to share whether they have fallen prey to an attack, meaning that there’s a dearth of accurate data on this. “Disclosures would help to reveal the full scale of the threat, which could help to shape the level of resources made available to combat it and support potential victims,” says Furnell.
David Wall, professor of criminology at the University of Leeds, advocates taking lessons from how the financial sector tackles fraud. Businesses should be encouraged or compelled to form an independent body to which they could report both attacks and their impacts (for example, data loss).
“Cyber-extortionists exploit the stigma of a ransomware attack by playing to the psychology of fear of potential embarrassment and business backlash of having to report compromised systems or a breach of privacy,” says Basu.
A culture of data-sharing and collaboration could help change that.