Ransomware attacks will continue as long criminals find them profitable — but cutting off this revenue stream is easier said than done, according to experts speaking during an Aug 25 Institute for Security and Technology (IST) panel.
Policymakers need to work to reduce the frequency with which ransomware sufferers give in to extortion demands, but should avoid jumping straight to banning payments, panellists suggested.
Lawmakers instead may need to start by putting in place a variety of progressive steps that can discourage many payments and blunt the pain victims, and those who depend on them, are likely to experience as they try to resist giving in to cyber criminals.
During the discussion, panellists examined factors that make certain victims most likely to pay and the measures that gradually reduce ransomware's appeal to attackers.
Need versus caution
Victims may know that paying ransom means rewarding criminals and funding their future exploits, but those who — accurately or not — see it as the quickest or most affordable way to get up and running again may still feel compelled to hand over the money.
Disruptions to health-care providers and utilities' operations can put lives at risk, prompting these firms to pay up in hopes of more quickly restoring their systems. Small family businesses, too, are likely to feel pressure to give in because they rarely have the finances to survive temporary closures without shutting down for good, said Jen Ellis, IST Ransomware Task Force working group co-chair.
"For them, a ransom incident can mean an end-of-business event. If you don't pay, you have no recourse," Ellis said. "If they can't recover their business and do so quickly, they're done, they're sunk."
On the flip side are better resourced companies that hand over ransom without fully exploring other options. Josephine Wolff, associate professor of cybersecurity policy at Tufts University's Fletcher School, viewed Colonial Pipeline as one of these, stating that its choice to shut down systems following a ransomware attack seemed to be driven from "an excess of caution" rather than true necessity.
CEO Joseph Blount told the House in June that Colonial entered payment negotiations within hours of being hit. The company chose to pay out of fear that the pipeline would face a long shutdown if attempts to restore the system from backups failed, Charles Carmakal, CTO and senior vice president of FireEye's Mandiant division, said at the time. Those concerns later proved unfounded and Colonial ultimately relied on the backups instead of the decryption tool it purchased when it discovered the latter worked too slowly.
Wolff said anti-ransomware policies must particularly target these kinds of optional payments, so that the choice to pay is always a painful one taken as a last resort.
"This should not be something you do lightly as the cost of doing business," Wolff said.
Rules preventing tax deductions or insurance coverage for ransom payments are good first steps that could make firms think twice and try other options before paying, Wolff suggested. She cautioned that it remains unclear how effective such an approach will ultimately be, however, and that any policies meant to combat ransomware need to be tried out and tweaked until it becomes clear which work.
Ari Schwartz, Ransomware Task Force member and managing director of cybersecurity services and policy at legal and regulatory advisory firm Venable, also suggested that requiring victims to report ransom payments could end practices in which organisations give in to avoid bad publicity and keep the incidents quiet.
Of course, policies don't guarantee compliance, and California's attorney general issued a statement this week reminding health-care providers to follow state law obligating them to report significant data breaches.
Such efforts could help shift thinking for organisations that are assessing the costs and benefits of paying. But panellists also acknowledged the complexity of trying to deter ransomware without being too punitive on small businesses or risking widespread damage from critical infrastructure disruption.
Governments can ease some strain of resisting ransom demands by proactively pushing alternative options. The public-private No More Ransom project offers an extensive library of decryption tools for free, for example, Ellis noted. Victims who are aware of such resources may avoid needing to pay, and Wolff suggested the US get involved in similar efforts.
IST had also recommended in a report that governments provide funds to help victims hold out against demands — a move which Ellis said is useful but only goes so far.
Ransomware is a global issue, and the US and other countries are likely to find they can't financially support all victims. Nor will such a support fund solve the problem for organisations where business interruption — not revenue loss — is the greatest motivator for capitulating to attackers, Ellis said.
"I really love the idea, but my one question is, what do you do about everybody who doesn't qualify for the fund?" Ellis said. "(And) what do you do about a hospital? How do you get the doors open as quickly as possible?"
Victims in highly regulated sectors like health care may also be inclined to pay to prevent hackers leaking sensitive, protected information, even if the impacted organisation is able to bring its systems back online.
Such challenges are not a reason to give up fighting ransomware payments, but simply are areas that need further attention, Ellis reminded.
The exemption debate
Banning all, or nearly all, ransomware payments would cut out criminals' profit motive, especially if it could be tightly enforced, and panellists said it is a good end-goal for policymakers to aim at. But such a sweeping move is unlikely to be feasible at present, and panellists discussed whether some types of victims should be exempted in the short-term.
Critical infrastructure providers are likely to need such reprieves, for example, Schwartz said. Criteria can be tightened over time until a more complete payment ban is reached, panellists said.
But policymakers must be aware that even though exempting critical infrastructure providers may get them back online faster, it could also lead to attackers tightly targeting those organisations, knowing they'll pay out, Ellis said.
This may speak to a need to bring additional measures that address other parts of the ransomware ecosystem, such as by upping efforts to prevent cyber criminals from using cryptocurrency exchanges to collect the funds and reducing the number of safe haven nations from which they can operate.
Many hanging questions remain regarding how to best craft policies that will truly cut down on ransomware and handle the unintended side effects. But Wolff said that unless there's a strong push for advancing toward a payment ban and addressing those questions, "then we keep doing what we're doing — which is basically nothing... Just reacting and waiting for the next thing to hit." – Government Technology/Tribune News Service