Policymakers, security professionals, and cyber (re)insurers are divided on whether or not banning ransomware payments would be a good idea. On the one hand, banning payments would (in theory) erode the ransomware attacker’s primary motivation, which is largely about making money. On the other hand, making it illegal to pay a ransom to decrypt or secure critical data could make the problem worse and result in the forced closure of thousands of businesses around the world.
For cyber (re)insurers the question of banning ransomware payments is top of mind. Ransomware accounts for the lion’s share of all cyber (re)insurance claims, and ransomware operators are showing no signs of slowing down. One of the most prolific ransomware operators of all time, known as REvil, has publicly stated that the group will ramp up efforts to target US entities. This announcement came in the wake of recent ransomware attacks that impacted US energy and food supplies, which has led to increased focus from the US Government on combating ransomware.
Banning ransomware payments would have a direct effect on cyber insurance policies that cover cyber-related business interruption (BI). Eliminating payments as an avenue for recovery could result in companies hit with ransomware turning to (re)insurers to cover extended BI losses. Insurable losses could also emanate from the bricking of systems that cannot be recovered, as well as third-party liability in the event that data is exposed as a result of not paying a ransom, and reputational loss in the event that an unrecoverable event results in loss of customers and revenue.
(Re)insurers are also increasingly in the cross hairs when it comes to the debate around whether or not cyber insurance policies incentivize ransomware. The reality is in fact far from being that simple. Still, several large insurance carriers have declared that they will no longer support customers making ransomware payments. Amid this chaotic environment, understanding all sides of the ransomware payments debate has never been more important for cyber (re)insurers.
Below, we provide a breakdown of the problem as it stands today, the cases for and against banning ransomware payments, and look into what’s next in the fight against ransomware in the absence of a payment ban.
In 2020, nearly 2,400 U.S.-based government entities, healthcare facilities, and schools disclosed that they were victims of ransomware, according to the security firm Emsisoft. The actual number of victims is far higher, as many cyber incidents, including ransomware, go unreported. In tandem, firms across the board are reporting that the average value of the attacker’s demands is also rising.
In a recent CyberCube report on Enterprise Ransomware, we show that criminal ransomware operators have proliferated to the point where dozens of threat actor groups now engage in “big game hunting”, i.e. targeting corporate members of the Fortune 500. The impact of big game ransomware attacks is often unpredictable. For example, recent attacks against oil giant Colonial Pipeline and meat supplier JBS Foods were not meant to take down US critical infrastructure but nevertheless did just that, albeit briefly.
Today, the most successful ransomware operators work in jurisdictions that either tacitly or directly support their activities. Emerging financial instruments such as cryptocurrency enable attackers to receive virtually untraceable ransom payments. In tandem, ransomware operators are increasingly utilizing “as-a-service” models, whereby their brand of ransomware is licensed to affiliates, which in turn increases the number of potential threat actors capable of launching these attacks.
In a perfect world, banning ransomware payments would result in the eradication of ransomware. However, while AXA in France has stated it will no longer pay ransoms, the insurer has stopped short of calling for a nationwide ban. To date, no country has a federal ban on payments.
The theory behind a ban is based on the concept that cyber criminals would not be able to make money, and would be far less incentivized to spend the time and resources needed to conduct a successful ransomware attack. A study by Cybereason supports this: 80% of organizations that paid a ransom were attacked a second time, with almost half of those being hit by the same attacker. It is also worth noting that the US Government has set a precedent with its long-standing policy to never negotiate with terrorists, and in June 2021, the U.S. Department of Justice elevated investigations of ransomware attacks to a similar priority as terrorism.
There is no doubt that paying ransomware operators and their affiliates only exacerbates the issue. According to the Institute for Security and Technology’s Ransomware Task Force: “The immediate physical and business risks posed by ransomware are compounded by the broader societal impact of the billions of dollars steered into criminal enterprises, funds that may be used for the proliferation of weapons of mass destruction, human trafficking, and other virulent global criminal activity.”
Prohibiting ransomware payments would not only cut off funding for cyber criminals, but could also motivate companies to practice better cybersecurity. In theory, without a cyber insurance policy that covers ransomware payments to fall back on, organizations would be highly incentivized to prioritize cybersecurity hygiene and controls.
However, while an outright ban of ransomware payments is an interesting concept, the reality is far more complicated. Cyber security professionals warn that banning payments would do more harm than good. For starters, without the ability to pay, some organizations (including critical infrastructure operators) would not be able to recover from ransomware attacks.
Furthermore, organizations that recover from ransomware often use a combination of data backups and recovery solutions while also paying to obtain a decryption key. Therefore, banning payments would remove a core component of recovery in an already dire situation.
Prohibiting ransomware payments could also result in organizations paying ransom demands in secret. Consequently, even fewer organizations would disclose attacks, which would further limit our understanding of these attacks and hinder the security community’s ability to provide common means of protection and recovery. In some cases, without the ability to pay a ransom, companies may hack back against attackers in dangerous games of cat and mouse that would see no end.
The US Cybersecurity and Infrastructure Security Agency (CISA) defines ransomware as “an ever-evolving form of malware”. Even with a payment ban, attackers are not likely to give up. They will instead continue to pivot to hit organizations that can least afford the downtime that comes with a ransomware attack. For example, hospitals that cannot recover from ransomware could quickly see a loss of life. Clearly, ransomware payment bans would at least have to be phased in to include critical infrastructure.
In lieu of a silver bullet solution, there are practical steps we can take today to help stop ransomware.
Right now, the best weapon we have to fight ransomware is to make it harder for criminals to break into corporate networks. Cybersecurity professionals, and especially critical infrastructure operators, should focus their attention on ransomware-specific security controls. Activities to focus on include:
To fight ransomware, regulators should more closely monitor and control the cryptocurrency sector. Regulating cryptocurrencies would make it more difficult for ransomware attackers to hide their tracks and launder ransom payments. Specifically, so-called “privacy coins”, cryptocurrency exchanges, crypto kiosks, and over-the-counter (OTC) trading “desks” need to be under more pressure to comply with existing laws, including Know Your Customer (KYC), Anti-Money Laundering (AML), and Combating the Financing of Terrorism (CFT) laws.
Governments can set up public funds to help victims recover from ransomware attacks and to further incentivize ransomware prevention and recovery best practices. Access to relief from a government-funded cyber response and recovery fund would require that organizations are licensed to pay a ransom, comply with sanctions, report all payments made, and consider alternatives before paying.
As long as there is no ransomware payment ban, (re)insurers will continue to play an increasingly important role in combating ransomware. In particular, leading insurance carriers and cyber insurance underwriters are adopting data and analytics software and services that can help them identify both the inherent exposure and the ransomware-specific security risks on insureds’ networks. Cyber insurance leaders are leveraging CyberCube’s cyber risk data, analytics, and access to our team’s technical experts to take a more proactive approach to combating the threat of ransomware, including assisting insureds with controlling ransomware risks, and in turn underwriting profitably.
As the ransomware payments debate rages onward, (re)insurers can focus their attention on calling for better ransomware-specific cyber security controls in their policies, and on supporting stricter cryptocurrency regulation as well as the creation of public cyber response and recovery funds to incentivize collective action against ransomware.
Undoubtedly, we can't continue with business as usual. But in the absence of a ransomware payments ban, a multi-pronged approach involving cyber security professionals, regulators, financiers, and (re)insurers is needed to stem the tide of inadvertent corporate financing for criminal enterprises.
For more support about ransomware and how you can help your clients tackle this increasing threat, CyberCube, the leading cyber risk analytics solution, can provide expert support and advice across many sectors, including insurance, technology and cybersecurity. Contact us today to find out more.