Ransomware gangs are running riot -- paying them off doesn’t help

Building a more robust cybersecurity culture stands a better chance of repelling ransomware gangs than calling in the cavalry or paying off cybercriminals.

The Conversation

In the past five years, ransomware attacks have evolved from rare misfortunes into common and disruptive threats. Hijacking the IT systems of organizations and forcing them to pay a ransom in order to reclaim them, cybercriminals are freely extorting millions of pounds from companies – and they’re enjoying a remarkably low risk of arrest as they do it.

At the moment, there is no coordinated response to ransomware attacks, despite their ever-increasing prevalence and severity. Instead, states’ intelligence services respond to cybercriminals on an ad-hoc basis, while cyber-insurance firms recommend their clients simply pay off the criminal gangs that extort them.

Neither of these strategies is sustainable. Instead, organizations need to redouble their cybersecurity efforts to stymie the flow of cash from blackmailed businesses to cybercriminal gangs. Failure to act means that cybercriminals will continue investing their growing loot in ransomware technologies, keeping them one step ahead of our protective capabilities.

Daylight robbery

Ransomware is a lucrative form of cybercrime. It works by encrypting the data of the organizations that cybercriminals hack. The cybercriminals then offer organizations a choice: pay a ransom to receive a decryption code that will return your IT systems to you, or lose those systems forever. The latter choice means that firms would have to rebuild their IT systems (and sometimes databases) from scratch.

Unsurprisingly, many companies choose to quietly pay the ransom, opting never to report the breach to the authorities. This means successful prosecutions of ransomware gangs are exceedingly rare.

In 2019, the successful prosecution of a lone cybercriminal in Nigeria was such a novelty that the U.S. Department of Justice issued a celebratory press release. Meanwhile, in February 2021, French and Ukrainian prosecutors managed to arrest some affiliates of Egregor, a gang that rents powerful ransomware out for other cybercriminals to use. It appears that those arrested merely rented the ransomware, rather than creating or distributing it. Cybersecurity experts have little faith in the criminal justice system to address ransomware crimes.

The frequency of those crimes is increasing rapidly. An EU report published in 2020 found that ransomware attacks increased by 365% in 2019 compared to the previous year. Since then, the situation is likely to have become much worse. The U.S. security company PurpleSec has suggested that overall business losses caused by ransomware attacks might have exceeded US$20 billion (£14.3 billion) in 2020, up from US$11.5 billion (£8.2 billion) in 2019.

Even hospitals have suffered attacks. Given the potential impact of a sustained IT shutdown on human lives, healthcare databases are in fact actively targeted by ransomware gangs, who know hospitals will pay their ransoms quickly and reliably. In 2017, the National Health Service fell afoul of such an attack, forcing staff to cancel thousands of hospital appointments, relocate vulnerable patients, and conduct their administrative duties with a pen and paper for several days.

Waging war?

With ransomware spiraling out of control, radical proposals are now on the table. Chris Krebs, the former head of the U.S. Cybersecurity and Infrastructure Security Agency, recently advocated using the capabilities of U.S. Cyber Command and the intelligence services against ransomware gangs.

The U.S. government and Microsoft coordinated over such an attack in 2020, targeting the “Trickbot botnet” malware infrastructure – often used by Russian ransomware gangs – to prevent potential disruption of the U.S. election. Australia is the only country to have publicly admitted to using offensive cyber capabilities to destroy foreign cybercriminals’ infrastructure as part of a criminal investigation.

Sustained operations of this kind could have an effect on cybercriminals’ ability to operate, especially if directed against the gangs’ servers and the infrastructure they need to turn their bitcoin into cash. But unleashing offensive cyberwarfare tools against criminals also creates a worrying precedent.

Normalizing the use of the armed forces or intelligence units against individuals residing in other countries is a slippery slope, especially if the idea is adopted by some of the less scrupulous regimes on this planet. Such offensive cyber operations could disrupt another state’s carefully planned domestic intelligence operations. They could also negatively affect the innocent citizens of foreign states who unwittingly share web services with criminals.

Further, many cybercriminals in Russia and China enjoy de facto immunity from prosecution because they occasionally work for the intelligence services. Others are known to be state hackers moonlighting in cybercrime. Targeting these people might diminish the ransomware threat, but it might just as well provoke revenge from hackers with far more potent tools at their disposal than ordinary cybercriminals.

Paying up

So what is the alternative? Insurers, especially in the U.S., urge their clients to quickly and quietly pay the ransom to minimize the damage of disruption. Then insurers allow the company to claim back the ransom payment on their insurance, and raise their premiums for the following year. This payment is usually handled discreetly by a broker. In essence, the ransomware ecosystem functions like a protection racket, effectively supported by insurers who are set to pocket higher premiums as attacks continue.

Aside from the moral objections we might have to routinely paying money to criminals, this practice causes two important practical problems. First, it encourages complacency in cybersecurity. This complacency was best exemplified when a hacked company paid a ransom, but never bothered to investigate how the hackers had breached their system. The company was promptly ransomed again, by the same group using the very same breach, just two weeks later.

Second, some ransomware gangs invest their ill-gotten gains into the research and development of better cyber-tools. Many cybersecurity researchers are concerned about the increasing sophistication of the malware used by leading cybercrime groups such as REvil or Ryuk, which are both thought to be based in Russia. Giving these ransomware groups more money will only enhance their ability to disrupt more and larger companies in the future.

Banned aid

In January 2021, the former head of the UK’s National Cyber Security Centre called for cyber-insurance policies that cover ransom payments to be banned, arguing that such payments fund criminal organizations and only make ransomware attacks more common.

In response, the British Association of Insurers became the first European organization to publicly defend the practice, arguing that paying the ransom was the cheapest option for companies. Naturally, that also makes it the cheapest option for insurers. Ransom coverage also helps brokers sell cyber-insurance policies.

In the end, neither calling in the cavalry nor paying off cybercriminals is a viable solution to the growing ransomware problem. Instead, a sustained effort must be made to build a more robust cybersecurity culture that stands a better chance of repelling ransomware gangs in the first place. This will demand commitment, not just from boards and CEOs, but from employees at every level of an organization.

Improving cybersecurity in all companies won’t just protect them from extortion hackers: it’s the next frontier in our battle to harden our defenses against state hackers, too. The sooner we start shouldering this pressing responsibility, the better.

This article was first posted on The Conversation.
