Should ransomware payments be illegal? Policymakers and security professionals have found themselves wrestling with that question after a spree of high-profile ransomware attacks gave criminals multi-million-dollar paydays and crippled organisations in sectors ranging from energy to healthcare. However, despite the simplicity of the question, the answer is complicated.
“Banning payment would cause some huge problems and an even bigger headache for many companies,” Jake Moore, cybersecurity specialist at ESET, tells Verdict. “Unfortunately, there is no one size fits all for organisations.”
While officials in the US, UK and elsewhere have strongly advised against paying ransomware demands, governments have so far avoided introducing laws dictating how an organisation should respond.
“In general, we would discourage paying the ransom because it encourages more of these attacks, and frankly, there is no guarantee whatsoever that you are going to get your data back,” said FBI director Chris Wray while testifying before a US Senate appropriations panel in June.
As ransomware gangs go after increasingly larger targets and demand ever-higher payments – usually made via the cryptocurrency bitcoin – it has raised the question of whether governments should introduce legislation banning companies from making a ransomware payment.
Cybercriminal groups that use malware to hold digital files and systems hostage do so because it is highly lucrative. In June, meat processing company JBS paid $11m to its attackers to draw a line under the hack. Bitcoin records show that prolific ransomware gang Darkside has made at least $90m since last August. And in July, the REvil ransomware syndicate demanded $70m after encrypting the systems of thousands of organisations via the Kaseya supply chain attack.
If making a ransomware payment was illegal, then the criminal enterprises would no longer have a viable business model – or so the theory goes.
But some cyber-experts warn bans could have unintended consequences and still not prevent companies from parting with their cash.
Alan Melia, principal incident response consultant at F-Secure who assists companies dealing with ransomware attacks, tells Verdict that he doesn’t see the need to “explicitly” ban making a ransom payment.
He believes organisations will end up doing a cost-benefit analysis to see if any financial penalty and ransom outweighs the cost of lost revenue.
“If the cost of the penalties does not exceed the revenue that the organisations generate, then it’s still worthwhile doing it,” he says.
And if the only alternative to paying is going out of business, then organisations have nothing to lose.
A ransomware payment ban could also see cybercriminals change tactics and target only the most critical organisations, such as hospitals or schools, betting that the pressure on them would be too great to refuse.
It could also push more companies to cover up attacks, which experts warn would lead to a loss of information sharing and ultimately make it harder to combat the scourge. Organisations may also find a loophole under which it is legal to pay.
“Let’s be honest, no matter what legislation we put in place there’s always clever accountants who will find their way around it,” says Melia.
Companies in jurisdictions such as the US and the UK already fall under requirements to prove that they are not funding terrorist organisations. This law extends to making a ransomware payment, but defining cybercriminal groups as terrorist outfits is a grey area. And clearly, organisations are still paying despite this.
Some believe that a 2015 UK law prohibiting insurance companies from reimbursing companies for terrorism ransoms offers a good model for ransomware.
“Ultimately, the terrorists stopped kidnapping people because they realised that they weren’t going to get paid,” Adrian Nish, threat intelligence chief at BAE Systems, told NBC News.
Rise of “big game hunting”
The debate about making ransom payments illegal comes as attacks have been shifting from high volume, low-return “spray and pray” efforts to fewer but more targeted hacks.
So-called “big-game hunting” has seen cybercriminal gangs – often organised criminal enterprises operating out of Russia and Eastern Europe – narrow their targets to those likely to pay more.
There was a 50% quarter-over-quarter decrease in the overall number of ransomware attacks during the first three months of 2021, according to research by antivirus company McAfee published Thursday.
This is a continuation of a trend that has existed since the first ransomware attack in 1989. With the rise of personal computing and widespread adoption of the internet in the late 2000s, cyberattackers found profit in locking individuals out of their machines in high-volume attacks demanding hundreds of dollars in ransom.
They then realised wide-net attacks against organisations were more lucrative, as organisations had more cash to pay. Now, ransomware attacks are highly targeted to maximise profits, with ransom demands calculated based on companies’ revenue and likelihood to pay.
“The battle against ransomware isn’t so much a fight against gangs of misguided teens peddling a particularly malicious flavour of malware – it’s the battle against a global ecosystem of tens of thousands of suppliers, distributors, enforcers, and money launderers managed by organised crime cartels and nation-states,” says Gunter Ollmann, chief security officer at cloud security company Devo Technology.
This has coincided with the rise of ransomware-as-a-service, in which criminal outfits rent out their malware and infrastructure to affiliates in return for a cut of any profits. Far from lone teen hackers operating out of a bedroom, these are slick operations that even come with customer support teams to guide victims through purchasing bitcoin and negotiating a discounted ransom fee. Some gangs even pose as legitimate so-called red teams that launch attacks to expose cybersecurity weaknesses.
Reducing the volume of ransomware attacks also makes it harder for cybersecurity solutions to recognise strains of malware, a tactic that ransomware gangs appear to have embraced. According to McAfee figures, the number of unique ransomware families deployed decreased from 19 in January to nine in March.
“Criminals will always evolve their techniques to combine whatever tools enable them to best maximise their monetary gains with the minimum of complication and risk,” said Raj Samani, McAfee fellow and chief scientist. “We first saw them use ransomware to extract small payments from millions of individual victims. Today, we see ransomware as a service supporting many players in these illicit schemes holding organisations hostage and extorting massive sums for the criminals.”
Governments talk the talk
Officials have made strong statements in response to the surge in large ransomware attacks, but there has been little concrete action yet.
The UK government has a “strong position” against paying the demand, Home Secretary Priti Patel has previously said. Meanwhile, the Biden administration is also looking at giving ransomware intelligence sharing a similar structure to counter-terrorism and has published an executive order aimed at improving the US’ cybersecurity.
Despite this, there is still no clear fix on the horizon. A coalition of cyber-experts called the Ransomware Task Force (RTF) is now lobbying governments to take meaningful action on ransomware, but even its members could not agree if it is right to introduce a ban against making a ransomware payment.
However, a survey commissioned by cybersecurity firm Talion found that 78% of 1,000 consumers thought ransomware payments should be made illegal. That figure rose to 79% among cybersecurity professionals, albeit with a much smaller sample size of 200 people.
One area in which cybersecurity experts appear to be largely in agreement is that organisations should do all they can to avoid paying. They say it perpetuates the criminal cycle, and there is a likelihood that stolen data will be sold at a later stage regardless of payment.
Terry A’Hearn, CEO of the Scottish Environmental Protection Agency, told the BBC that the agency did not consider paying the ransom demand after a cybercriminal group stole 4,000 digital files on Christmas Eve.
“If we had paid then we would have increased the risk for everyone else,” he said.
Fortunately for Colonial Pipeline, the FBI was able to recover some $2.3m from the bitcoin wallet used by the culprits in an extremely rare outcome for ransomware victims.
In some cases a company has sufficient backups and a tested disaster recovery plan in place, which means it can refuse to pay the demand without long-lasting damage. Japanese multinational conglomerate Fujifilm – once known for selling photographic film but now peddling diverse products including backup storage – took this approach after detecting unauthorised access to its servers on 1 June. But backups are not a silver bullet, and each situation is different.
“Unfortunately, there isn’t a quick fix to combat ransomware; and while backups are good, they are not enough – especially with the extortion techniques now being used by cybercriminals,” says Stu Sjouwerman, founder and CEO of KnowBe4.
Further muddying the water is the revelation that ransomware payments may also be tax-deductible, which could have the perverse effect of incentivising some businesses to pay up and write it off as a loss.
“This is a very grey area that demands immediate attention,” said Lewis Jones, threat intelligence analyst at Talion. “While claiming tax back isn’t necessarily wrong, it could encourage more payments to cybercriminals if businesses know they can at least get something back; however, in turn this also makes attacks more profitable to criminals.”
Governments could also explore legislative alternatives to banning ransomware payments. The Australian government this month introduced a bill that would require organisations to disclose to the national cybersecurity agency when they make a ransomware payment. The aim is not to penalise companies for choosing to pay, but to build a nationwide picture of the threat through intelligence sharing. Lawmakers in the US are drafting a similar bill that would require organisations to report a cyber breach within 24 hours.
In turn, this information could assist law enforcement in making arrests and seizing the physical infrastructure used to conduct attacks. Such operations are rare and often require international cooperation – but they can be highly effective.
F-Secure’s Melia sees the value in this not just for ransomware attacks but for all forms of data breaches.
“People aren’t going to be open and honest unless they have to. So there is that balance between legislation and legislation to encourage the proper behaviour,” he says, adding that he believes companies should have to record the number of cyber-incidents in their annual reports.
One thing that experts can agree on, though, is that the status quo cannot continue.
Or as Talion’s Jones put it: “If the government doesn’t intervene and provide guidance on ransomware soon, things are going to get worse and potentially even out of control.”