Tackling ransomware without banning ransom payments
Just before the 2024 general election was announced, the UK government wanted to introduce stricter rules on ransomware payments, including the ability to ban ransom payments entirely. The justification? A decisive action to cut off the business model of cyber extortionists.
But the message surrounding ransom payments is contradictory, to say the least. In Britain, the NCSC has made it abundantly clear that companies should not pay ransoms. Yet insurance policies recommended by the government’s Cyber Essentials program clearly state that they provide coverage for extortion payments. Ultimately, however, this directly funds cybercriminal activities and allows them to gain momentum.
What are the pros and cons of banning ransomware payments, what alternatives can be considered, and what role does the cyber insurance industry play in tackling this threat?
Chief Security Evangelist, ESET.
To pay or not to pay
Earlier this year, French hospital CHCSV refused to pay a ransom demand despite serious operational disruptions. Meanwhile, other victimized organizations such as Change Healthcare in the US have gone in a different direction, with this particular private healthcare company paying out $22 million to attackers.
The difference here is that one victim falls within the public sector and the other does not. When public sector organizations pay ransoms, the money ultimately comes out of taxpayers’ pockets. It is for this reason, among others, that several states in the US have already made it illegal for public sector organizations to make extortion payments.
However, there appears to be less public transparency in Britain about whether companies are paying ransomware demands. While the US has official government data specific to ransomware payments, the UK lacks official reporting, and most available data comes from industry reports. For example, a report from Censornet found that 85% of SMBs reported having paid a ransom, while research from Cohesity found that 69% had paid a ransom in the past year.
But not paying can cost companies more in the long run. Last year, for example, MGM Resorts did not pay its attackers, but has since revealed costs as high as $110 million. Similarly, the WannaCry incident, which affected thousands of NHS hospitals and surgeries in 2017, is reported to have cost £92 million in recovery.
As ransomware victims continue to play this game of ‘will they, won’t they’, the cyber insurance market is estimated to be worth $1.35 billion in Britain by 2024 and $20.88 billion worldwide by 2024, according to Mordor Intelligence and Fortune Business Insights respectively, with new policies continually established as companies scramble to insure themselves against the inevitable.
It will come as no surprise that insurers typically look for the cheapest option when dealing with the fallout of a ransomware attack: paying the ransom demand. But that is exactly what is funding this global cybercrime pandemic. It’s no surprise, then, that ransomware payments surpassed $1 billion in 2023, according to Chainalysis.
So while some believe that ransomware is becoming more common due to better targeting by cybercriminals, it may be worth considering whether it is a coincidence that as the insurance industry grows, so does the cybercrime landscape.
What other choice do we have?
Despite these somewhat muddy waters, the appropriate response to ransomware attacks is clear: paying demands should almost always be a last resort. The only exception should be if there is a danger to life. Paying because it is convenient, costs less and causes less disruption to the business is not a good reason to pay, regardless of whether it is the company paying out or an insurer.
While it’s a step in the right direction, banning ransom payments entirely only targets one form of attack and feels a bit like a ‘whack-a-mole’ strategy. It may curb the increase in attacks for a short time, but attackers will inevitably change tactics, perhaps to business email compromise, or to something we haven’t even heard of yet.
What else can be done to slow the increase in ransomware attacks? Well, we can consider a few options such as shutting down vulnerability trading brokers and regulating cryptocurrency transactions. To take the latter as an example, most cybercrime generates money through cryptocurrency, so instead of simply banning payments, a better option might be to regulate the crypto industry and the flow of money.
In addition to these types of regulatory changes, governments could also consider leaving the decision whether or not to pay to an independent body. This would ensure that the decision is made regardless of cost and instead based on risk to life and disruption to critical services. However, whether a court or other independent body can make these decisions quickly enough is open to debate.
Insurance and cybersecurity can go hand in hand
Digital transformation accelerated during the pandemic and extortion-based cyber attacks have been spurred by cryptocurrency, all within a short time frame.
Meanwhile, the biggest challenge for insurers in today’s digital environment is their lack of data. This perfect storm explains why insurers are constantly adjusting requirements and increasing premiums at an ever-increasing pace.
But it’s important to remember that being insured can make the company a bigger target because cybercriminals know they may be paid a ransom, fueling this endless cycle. It is therefore essential that companies adopt a cyber security posture that gives them the best possible protection, insured or not. Choosing an insurer that understands risks based on data can even make a company’s cyber strategy more secure.
For example, insurers that understand data-driven risk often require companies to use a range of technologies and processes to reduce that risk, such as cloud backup systems, multi-factor authentication and advanced endpoint detection and response solutions.
In fact, the full list of recommendations that these insurers require is typically a subset of the recommendations that cybersecurity professionals and cybersecurity frameworks also recommend. And while insurers focus on reducing the potential of a financial claim, the cybersecurity industry is focused on reducing the risk of a cyberattack. So, following these recommendations will inevitably be a positive step for the company.
A match made in cyber heaven?
Cyber insurance and cybersecurity are inextricably linked, and these two sectors are quickly becoming a marriage of convenience. However, one major obstacle remains to achieving a happy and truly fulfilling marriage: the financing of cybercrime through insurers paying ransomware demands must stop (except in exceptional circumstances!).
This article was produced as part of TechRadarPro’s Expert Insights channel, where we profile the best and brightest minds in today’s technology industry. The views expressed here are those of the author and are not necessarily those of TechRadarPro or Future plc.