Should ransomware payments be illegal? Policy makers and security professionals have found themselves wrestling with that question after a spree of high-profile ransomware attacks gave criminals multi-million-dollar paydays and crippled organisations in sectors ranging from energy to healthcare – and food.
The latest breach made public occurred at the weekend when Sweden-based grocer Coop closed 500 stores due to an attack that didn’t target the retailer itself but on a software supplier in the US called Kaseya.
Russian-speaking ransomware syndicate REvil has claimed responsibility for the attack, which is scrambling the systems of at least 1,000 companies worldwide, and is asking for a $70m ransom fee to decrypt them.
In response to the news of the Coop store closures, Dominique Schelcher, the president of French grocer Système U, tweeted: “Rarely have the consequences been so radical in our profession. Cyber attacks are the next big threat to business after the health crisis.”
But should affected companies pay up? Or should ransomware payments be legislated against?
“Banning payment would cause some huge problems and an even bigger headache for many companies,” Jake Moore, cybersecurity specialist at Internet security firm ESET, says. “Unfortunately, there is no one-size-fits-all for organisations.”
While officials in the US, UK and elsewhere have strongly advised against paying ransomware demands, governments have so far avoided introducing laws dictating how an organisation should respond.
“In general, we would discourage paying the ransom because it encourages more of these attacks, and frankly, there is no guarantee whatsoever that you are going to get your data back,” FBI director Chris Wray told a US Senate appropriations panel last month.
As ransomware gangs go after increasingly larger targets and demand ever-higher payments – usually made via the cryptocurrency bitcoin – it has raised the question of whether governments should introduce legislation banning companies from making a ransomware payment.
Cybercriminal groups that use malware to hold digital files and systems hostage do so because it is highly lucrative. In June, Brazil-based meat processing company JBS paid the equivalent of US$11m to its attackers to draw a line under a hack that affected its operations in North America and Australia.
Bitcoin records show prolific ransomware gang Darkside has made at least $90m since last August. If making a ransomware payment was illegal, then the criminal enterprises would no longer have a viable business model – or so the theory goes.
But some cyber experts warn bans could have unintended consequences and still not prevent companies from parting with their cash.
Alan Melia, principal incident response consultant at Helsinki-based cybersecurity group F-Secure, which assists companies dealing with ransomware attacks, says he doesn’t see the need to “explicitly” ban making a ransom payment.
He believes organisations will end up doing a cost-benefit analysis to see if any financial penalty and ransom outweighs the cost of lost revenue.
“If the cost of the penalties does not exceed the revenue that the organisations generate, then it’s still worthwhile doing it,” Melia says.
And if the only alternative to not paying is going out of business, then organisations have nothing to lose.
A ban on ransomware payments could also see cybercriminals change tactics and only target the most critical organisations, such as hospitals or schools, hoping they’d be too pressured to not pay.
It could also force more companies to cover up attacks, which experts warn would lead to a loss of information sharing and ultimately making it harder to combat the scourge. Organisations may also find a loophole in which it is legal to pay.
“Let’s be honest, no matter what legislation we put in place there’s always clever accountants who will find their way around it,” says Melia.
Companies in jurisdictions such as the US and the UK already fall under requirements to prove that they are not funding terrorist organisations. This law extends to making a ransomware payment but defining cybercriminal groups as terrorist outfits is a grey area. And clearly, organisations are still paying.
Some believe that a 2015 UK law prohibiting insurance companies from reimbursing companies for terrorism ransoms offers a good model for ransomware.
“Ultimately, the terrorists stopped kidnapping people because they realised that they weren’t going to get paid,” Adrian Nish, threat intelligence chief at BAE Systems, told NBC News.
Rise of “big game hunting”
The debate about making ransomware payments illegal comes as attacks have been shifting from high-volume, low-return “spray and pray” efforts to fewer but more targeted hacks.
So-called “big-game hunting” has seen cybercriminal gangs – often organised criminal enterprises operating out of Russia and eastern Europe – narrow their targets to those likely to pay more.
There was a 50% quarter-over-quarter decrease in the overall number of ransomware attacks during the first three months of 2021, according to research published by antivirus company McAfee last month.
This is a continuation of a trend that has existed since the first ransomware attack in 1989. With the rise of personal computing and widespread adoption of the internet in the late 2000s, cyberattackers found profit in locking individuals from their machines in high-volume attacks demanding hundreds of dollars in ransom.
They then realised wide-net attacks against organisations were more lucrative as they had more cash to pay. Now, ransomware attacks are highly targeted to maximise profits, with ransom thresholds calculated based on companies’ revenue and likelihood to pay.
“The battle against ransomware isn’t so much a fight against gangs of misguided teens peddling a particularly malicious flavour of malware – it’s the battle against a global ecosystem of tens of thousands of suppliers, distributors, enforcers, and money launderers managed by organised crime cartels and nation-states,” says Gunter Ollmann, chief security officer at US-based cloud security company Devo Technology.
This has coincided with the rise of ransomware-as-a-service, in which criminal outfits rent out their malware and infrastructure to affiliates in return for a cut of any profits. Far from lone teen-hackers operating out of a bedroom, these are slick operations that even come with customer support teams to guide victims through purchasing bitcoin and negotiate a discounted ransom fee. Some gangs even pose as legitimate so-called red teams that launch attacks to expose cybersecurity weaknesses.
Reducing the volume of ransomware attacks also makes it harder for cybersecurity firms to recognise strains of malware, a tactic ransomware gangs appear to have embraced. According to McAfee figures, the number of unique ransomware families deployed decreased from 19 in January to nine in March.
“Criminals will always evolve their techniques to combine whatever tools enable them to best maximise their monetary gains with the minimum of complication and risk,” said Raj Samani, McAfee fellow and chief scientist. “We first saw them use ransomware to extract small payments from millions of individual victims. Today, we see ransomware as a service supporting many players in these illicit schemes holding organisations hostage and extorting massive sums for the criminals.”
Governments talk the talk
Officials have made strong statements in response to the surge in large ransomware attacks but there has been little concrete action.
The UK government has a “strong position” against paying the demand, Home Secretary Priti Patel has previously said. Meanwhile, in the US, the Biden administration is also looking at giving ransomware intelligence sharing a similar structure to counter-terrorism and has published an executive order aimed at improving the country’s cybersecurity.
There is still no clear fix on the horizon. A coalition of cyber experts called the Ransomware Task Force (RTF) is lobbying governments to take meaningful action on ransomware, but even its members could not agree if it is right to introduce a ban against making ransomware payments.
However, a survey commissioned by UK cybersecurity firm Talion found 78% of 1,000 consumers thought ransomware payments should be made illegal. That figure rose to 79% among cybersecurity professionals, albeit with a much smaller sample size of 200 people.
One area cybersecurity experts appear to be largely in agreement is organisations should do all they can to avoid paying. They say it perpetuates the criminal cycle and there’s a likelihood stolen data will be sold at a later stage regardless of payment.
Terry A’Hearn, CEO of the Scottish Environmental Protection Agency, told the BBC the company did not consider paying the ransom demand after a cybercriminal group stole 4,000 digital files on Christmas Eve.
“If we had paid then we would have increased the risk for everyone else,” he said.
Moreover, those that make a ransomware payment are also more likely to be attacked again, with hackers sharing so-called “suckers lists” of organisations to target. A survey of nearly 1,300 security professionals by US cybersecurity firm Cybereason found four in five businesses that made a ransomware payment went on to suffer a second attack.
Nor are the system-restoring decryption keys ransomware gangs provide in return for a fee guaranteed to work well – as Colonial Pipeline discovered upon paying $4.4m to attackers that closed the US East Coast’s largest fuel pipeline for five days.
Fortunately for Colonial Pipeline, the FBI was able to recover some $2.3m from the bitcoin wallet used by the culprits in an extremely rare outcome for ransomware victims.
In some cases, a company has sufficient back-ups and a tested disaster recovery plan in place that means it can refuse to pay the demand without long-lasting damage. Japanese multinational conglomerate Fujifilm – once known for selling photographic film but now marketing diverse products including back-up storage – took this approach after detecting unauthorised access to its servers on 1 June. But back-ups are not a silver bullet and each situation is different.
“Unfortunately, there isn’t a quick fix to combat ransomware; and while backups are good, they are not enough – especially with the extortion techniques now being used by cybercriminals,” says Stu Sjouwerman, founder and CEO of KnowBe4, a US firm offering IT security training.
Further muddying the water is the suggestion ransomware payments may also be tax-deductible, which could have the perverse effect of incentivising some businesses to pay up and write it off as a loss.
“This is a very grey area that demands immediate attention,” says Lewis Jones, threat intelligence analyst at Talion. “While claiming tax back isn’t necessarily wrong, it could encourage more payments to cybercriminals if businesses know they can at least get something back. However, in turn, this also makes attacks more profitable to criminals.”
Governments could also explore alternative legislative options to banning ransomware payments. The Australian government this month introduced a bill that would require organisations to disclose to its national cybersecurity agency when they make a ransomware payment. The aim is not to penalise companies for choosing to pay, but to build a nationwide picture of the threat through intelligence sharing. Lawmakers in the US are drafting a similar bill that would require organisations to report a cyber breach within 24 hours.
In turn, the information could assist law enforcement in making arrests and seizing the physical infrastructure used to conduct attacks. Such operations are rare and often require international cooperation – but they can be highly effective.
F-Secure’s Melia sees the value in this not just for ransomware attacks but for all forms of data breaches.
“People aren’t going to be open and honest unless they have to, so there is that balance between legislation and legislation to encourage the proper behaviour,” he says, adding he believes companies should have to record the number of cyber incidents in their annual reports.
One thing experts can agree on, though, is the status quo cannot continue.
Or as Talion’s Jones put it: “If the government doesn’t intervene and provide guidance on ransomware soon, things are going to get worse and potentially even out of control.”
A version of this article initially appeared on Just Food sister site verdict.co.uk.