Banning Ransom Payments and Unleashing Offensive Hacking Teams Being Mooted
Crime doesn’t pay – except perhaps when it comes to ransomware, which continues to fuel a massive surge in illicit proceeds. With such profits appearing to be at an all-time high, clearly something needs to be done to blunt ransomware-wielding extortionists’ force – but what?
Ransomware victims continue to hail from every sector, from environmental regulators and construction firms to manufacturers and healthcare facilities, including ones helping respond to the COVID-19 pandemic. Hence beyond disrupting businesses, such attacks also pose a public health risk, to say nothing of potentially compromising patient safety as hospitals continue to get hit.
Accordingly, many governments are seeking better “law enforcement and policy solutions,” says Robert Hannigan, chairman of cybersecurity services firm BlueVoyant International.
Last October, for example, the U.S. Treasury Department warned that any banks, insurers and others that negotiate or facilitate any actions involving a ransomware payment being made to a sanctioned organization could find themselves on the receiving end of federal sanctions.
Given the difficulty of disrupting ransomware operators who work from countries such as Russia, however, “making ransomware attacks less lucrative for cybercriminals is the objective,” says Hannigan, who from 2014 to 2017 served as director of Britain’s GCHQ intelligence agency.
“There is also pressure from the insurance industry to encourage government action,” he says. “Insurers feel uncomfortable about paying huge sums to cybercriminals, which, while not illegal, is an ethical grey area. Insurers are adjusting coverage and increasing premiums to reflect ransomware attacks.”
Proposal: Ban All Ransom Payments
One proposal has been to ban all ransom payments. Whether such bans would be legal, or could be enforced, remains unknown. Also, organizations that did their best to safeguard themselves, but which still saw their systems get crypto-locked, could well go out of business or suffer devastating interruptions due to a ban.
Or, short of a ban, Ciaran Martin, an Oxford University professor of practice in the management of public organizations who until last August served as the British government’s cybersecurity chief, says governments should at least crack down on insurers being able to help victims funnel payoffs to attackers.
“I see this as so avoidable. At the moment, companies have incentives to pay ransoms to make sure this all goes away,” Martin tells the Guardian, expanding on suggestions he’s previously made. “You have to look seriously about changing the law on insurance and banning these payments, or at the very least, having a major consultation with the industry.”
Responding to suggestions that ransom payments be banned, a spokesman for the Association of British Insurers tells Information Security Media Group that “insurance is not an alternative to managing the cyber ransomware risk; it is part of a toolkit to combat this crime.” He also notes that policyholders must have all “reasonable precautions” in place, and that “as part of cyber insurance cover, insurers will work with customers to help them manage the risk to reduce the chance of a damaging attack.”
Even well-prepared organizations can fall victim to unexpected hack attacks. “These attacks can cause severe disruption and financial strain for any business, whatever their size,” he says. “If this insurance was not available, then firms who do the right things to protect themselves and are still hit could face financial ruin or possibly go out of business.”
Expert: Insurers ‘Subtly Endorsing’ Payoffs
Numerous cybersecurity experts report nonstop fallout from so many ransomware victims continuing to send bitcoins to their attackers. “Paying ransoms provides criminals with more funds to further develop their tactics,” says Brian Honan, who heads Dublin-based cybersecurity consultancy BH Consulting, via Twitter. “It also further motivates criminals to target more victims and to become more bold in their attacks.”
Honan, who’s also a cybersecurity adviser to the EU’s law enforcement international agency, Europol, says that “insurance companies shouldn’t by their actions in paying ransoms be subtly endorsing them,” nor should “security companies that negotiate payments on behalf of victims.”
The insurance market could help correct the problem. Multiple cyber insurers have been suggesting that their ransom coverage might soon be curtailed, because the continuing rise in ransomware-triggered payoffs by the for-profit insurance industry cannot be sustained. Specifically, some insurance experts have predicted that extortion and social engineering attacks will be excluded from more policies.
Time to Unleash Government Hackers?
Western governments could also do more to directly disrupt the flow of cryptocurrency from victims to criminals, says Martin, the former CEO of the U.K.’s National Cyber Security Center, which is the public-facing arm of intelligence agency GCHQ.
Writing in Lawfare, Martin notes that government intelligence agencies could hack ransomware-wielding attackers and their infrastructure, along the lines of what the U.S. Cyber Command did to the Internet Research Agency troll farm in Russia ahead of the 2018 U.S. mid-term elections.
“It has been used against transnational cyber criminals in the past and should, in my view, be deployed where possible against the scourge of ransomware,” Martin says.