Tackling ransomware without banning ransom payments
What are the benefits and drawbacks of banning ransom payments?
Just before the 2024 general election was announced, the UK government was looking to bring in tougher rules on ransomware payments, including the potential to ban ransom payments entirely. The justification? A decisive action to cut off the business model of cyber extortionists.
But the message around ransom payments is contradictory to say the least. In the UK, the NCSC has made it abundantly clear that businesses should not pay ransoms. Yet, insurance policies recommended by the government's Cyber Essentials scheme clearly state that they provide cover for extortion payments. Ultimately though, this directly funds cybercriminal activity and enables it to gain momentum.
So, what are the benefits and drawbacks of banning ransomware payments, what alternatives can be considered and what role does the cyber insurance industry play in tackling this threat?
Chief Security Evangelist, ESET.
To pay or not to pay
Earlier this year, the French hospital CHCSV refused to pay a ransomware demand, despite suffering severe operational disruption. Meanwhile, other organizations that have fallen victim, such as Change Healthcare in the US, have gone in a different direction, with this particular private healthcare firm paying $22m to attackers.
The difference here is that one victim falls within the public sector, while the other doesn’t, and when public sector organizations pay ransom demands, it ultimately comes out of taxpayers’ money. It’s for this reason, among others, that several states in the US have already made it illegal for public sector organizations to make extortion payments.
However, there appears to be less public transparency in the UK on whether companies pay ransomware demands. While the US has official government data specific to ransomware payments, the UK lacks official reporting as most of the data available comes from industry reports. For instance, a report from Censornet revealed 85% of SMEs report paying a ransomware demand, while research from Cohesity found that 69% had paid a ransom in the last year.
But not paying can cost businesses more in the long run. For example, last year, MGM Resorts didn’t pay its attackers but has since revealed costs of up to $110m. Similarly, the WannaCry incident, which affected thousands of NHS hospitals and surgeries in 2017, is reported to have cost £92 million in recovery.
While ransomware victims continue to play this game of ‘will they, won’t they’, according to Mordor Intelligence and Fortune Business Insights, the cyber insurance market in the UK is estimated to be $1.35bn in 2024 and $20.88 billion globally, with new policies continually being established as businesses scramble to insure themselves against the inevitable.
Insurers, unsurprisingly, will usually look for the lowest cost option when dealing with the fallout of a ransomware attack: paying the ransom demands. But doing so funds this global cybercrime pandemic. It’s therefore little surprise that ransomware payments, according to Chainalysis, broke the $1bn mark in 2023.
So, while some believe ransomware is becoming more prevalent due to better targeting by cyber criminals, it’s perhaps worth considering whether it’s any coincidence that as the insurance industry grows, so too does the cybercrime landscape.
What other choice do we have?
Despite these somewhat muddied waters, the correct response to ransomware attacks is clear: paying demands should almost always be a last resort. The only exception should be where there is a risk to life. Paying because it’s easy, costs less and causes less disruption to the business is not a good enough reason to pay, regardless of whether it’s the business or an insurer handing over the cash.
However, while a step in the right direction, totally banning ransom payments addresses only one form of attack and feels a bit like a ‘whack-a-mole’ strategy. It may ease the rise in attacks for a short while, but attackers will inevitably switch tactics, to compromising business email perhaps, or something we’ve not even heard of yet.
So, what else can be done to slow the rise in ransomware attacks? Well, we can consider a few options, such as closing vulnerability trading brokers and regulating cryptocurrency transactions. To pick on the latter as an example, most cybercrime monetizes through cryptocurrency, so rather than simply banning payments, it could be a better option to regulate the crypto industry and flow of money.
Alongside this kind of regulatory change, governments could also consider moving the decision of whether to pay or not to an independent body. This would ensure the decision is made regardless of cost and instead based on risk to life and disruption to critical services. Though whether a court, or other independent body, could make these decisions quickly enough is up for debate.
Insurance and cyber security can go hand in hand
Digital transformation was expedited during the pandemic and, on top of that, extortion-based cyber-attacks have been spurred on by cryptocurrency, all within a short time frame.
Meanwhile, the biggest challenge for insurers in today’s digital environment is their lack of data. This perfect storm explains why the insurers are continually adapting requirements and increasing premiums at an escalated pace.
But it’s important to remember that being insured can make the business more of a target because cyber criminals know they may get their ransom payment, fueling this never-ending cycle. It’s therefore essential that businesses adopt a cybersecurity posture that provides them with the best possible protection, insured or not. In fact, opting for an insurer who understands risk based on data can help make a business’s cyber strategy more secure.
For example, insurers who understand risk based on data often require businesses to adopt many different technologies and processes to reduce said risk, such as cloud backup systems, multi-factor authentication and advanced endpoint detection and response solutions.
In fact, the full list of recommendations these insurers require is typically a subset of those that cybersecurity professionals and cybersecurity frameworks also recommend. And while insurers are focused on reducing the potential of a financial claim, the cybersecurity industry is focused on reducing the risk of any cyberattack, so following these recommendations will inevitably be a positive step for the business.
A match made in cyber heaven?
The relationship between cyber insurance and cybersecurity is inseparable, and these two industries are fast becoming a marriage of convenience. However, there remains one significant obstacle in this becoming a happy and truly fulfilling marriage. The funding of cybercrime through the payment of ransomware demands by insurers needs to stop (unless in exceptional circumstances!).
This article was produced as part of TechRadarPro's Expert Insights channel where we feature the best and brightest minds in the technology industry today. The views expressed here are those of the author and are not necessarily those of TechRadarPro or Future plc.