Caught between a rock and a hard place, many ransomware victims cave in to extortion demands. But should they? Why are companies paying and what will it take for them to stop?
It may just be, or at least initially seem, more cost effective to pay than not to pay. The current precedent to pay likely dates back to the ethically brave organisations who refused to pay. When WannaCryptor (a.k.a. WannaCry) inflicted its malicious payload on the world in 2017, the United Kingdom’s National Health Service bore a significant hit on its infrastructure. The reasons why they were hit so hard are well documented, as are the costs of rebuilding: an estimated US$120 million. This is without considering the human costs due to the 19,000+ cancelled appointments, including oncology.
With examples of publicly recorded incidents showing the cost to rebuild is significantly more than the ransom, then the dilemma of whether to pay or not may be one of cost rather than ethics. But there is no guarantee that a decryptor will be forthcoming or that, if provided, it will even work. Indeed, a recent survey by Cybereason found that almost half of businesses that paid ransoms didn’t regain access to all of their critical data after receiving their decryption keys. Why pay the demand, then?
Well, the business of ransomware became more commercialised and sophisticated on both sides: on one side, the cybercriminals understood the value of the data involved in their crime, because the rebuild costs were being disclosed publicly; on the other, a whole new industry segment of ransomware negotiators and cyber-insurance emerged. A new business segment was born: companies and individuals began profiting from facilitating the payment of extortion demands.
It’s also important to remember the devastating effects that ransomware can have on a smaller business that is less likely to have access to expert resources. Paying the demand may be the difference between the business surviving to fight another day and closing the doors for good, as happened to The Heritage Company, causing 300 people to lose their jobs. In countries with privacy legislation, paying may also remove the need to inform the regulator.
Are negotiators and cyber-insurance causing or solving the problem?
The current trend of paying the ransom and an attitude that it’s ‘just a cost associated with doing business’ is not healthy. The question at the boardroom table should be focused on making the organisation as cybersecure as possible, taking every possible precaution. With insurance there is likely to be an element of complacency, minimally meeting the need to comply with the requirements set out by the insurer and to then carry on with ‘business as usual’, knowing that if an unfortunate incident happens, the company can step aside and push the insurer to the front line. The two incidents that affected the cities of Riviera Beach and Lake City were both covered by insurers, as was a payment by the University of Utah of $475,000 and reportedly Colonial Pipeline was also partially covered by cyber-insurance, although at this stage it is unclear if it has claimed.
While cyber-insurance may fund the ransom payment and conduct the negotiation that results in a cushioned impact, there are of course many other costs involved, as previously discussed. The insurers of Norsk Hydro paid US$20.2 million when the company suffered an attack in 2019, with the overall cost being estimated at between US$58 and US$70 million; some of the additional amount may also have been covered by insurance. If Norsk Hydro, or any other company that has fallen victim, had its time again, it may decide to spend some of the estimated US$38 to US$50 million it then spent above the ransom payment on cybersecurity as prevention, rather than on post-attack expenses to recover from an attack.
A cybercriminal’s first task could be to work out who has cyber-insurance, to narrow the list of targets to those that are highly likely to pay; it’s not their money, so why wouldn’t they? Cyber-insurance is probably here to stay, but the conditions the insurance should require from a cybersecurity perspective – a resilience and recovery plan – should define extremely high standards, thus reducing the possibility of any claim ever being made. The insurance must not be allowed to become the fallback option. ‘Attacked? It’s a nuisance but that’s okay, we are insured.’
Is it time to ban ransomware payments?
The ransomware attack in May by the Conti ransomware group on the Irish health service could highlight the reason not to ban paying cybercriminals, whether for a decryptor or for their promise not to publish the data they have exfiltrated. As could the attack on Colonial Pipeline: no government wants to see lines forming at the gas pumps, and if not paying means providing no or limited service to citizens, this could be politically damaging. An attack on infrastructure creates a moral dilemma, and paying while knowing the funds are used to resource future cyberattacks is difficult, especially when you consider healthcare.
Paying the ransomware demand also seems to create a second chance opportunity for cybercriminals: according to the survey by Cybereason mentioned earlier, 80 per cent of businesses that pay the ransom subsequently suffer another attack, and 46 per cent of companies believe this to be the same attacker. If the data shows that payment of a demand causes additional attacks, then banning the first payment would significantly change the opportunity for cybercriminals to make money. Government selection, via the sanctions list, of which cybercriminals can be paid and which cannot, seems to not be the right course of action.
Paying ransom demands shows a complete disregard for decent behaviour and for the principle of not funding cybercrime, and it creates an attitude that funding criminal activity is acceptable. It’s not.
The right thing to do is to make funding cybercriminals illegal and legislators should be stepping up to the plate and going to bat to stop the payments from being made. There may be a first-mover advantage for countries that do pass legislation forbidding payments: cybercriminals that are behind these high-value attacks are focused, funded, resourced, and driven. If a country or region passed legislation that prohibited any company or organisation from paying a ransomware demand, then the cybercriminals will adapt their business and focus their campaigns on the countries that are yet to act.
If there were a regulator to which every cyber-incident involving a ransom payment had to be reported, we would better understand the scale of the problem, as one agency would have visibility of all incidents. The regulator would also be a central repository for decryptors, would know who is on the sanctions list, would engage the relevant law enforcement agencies and notify privacy regulators, and would know the extent and result of previous negotiations.
In short, make paying the ransom illegal, or at least limit the insurance market’s role and force companies to disclose incidents to a cyber-incident regulator, and regulate cryptocurrency to remove the pseudo right to anonymity. All could make a significant difference in the fight against cybercriminals.