IE 11 Not Supported

For optimal browsing, we recommend Chrome, Firefox or Safari browsers.

There’s No Easy Fix to the Worsening Ransomware Epidemic

Criminals will keep using ransomware as long as its profitable, but outright banning all payments could be deeply painful for critical sectors and small businesses. The road ahead is full of policy hurdles.

IST.png
Top, left to right: Josephine Wolff, Jen Ellis. Bottom, left to right: Michael Daniel and Ari Schwartz
Ransomware attacks will continue as long criminals find them profitable — but cutting off this revenue stream is easier said than done, according to experts speaking during an Aug. 25 Institute for Security and Technology (IST) panel.

Policymakers need to work to reduce the frequency with which ransomware sufferers give in to extortion demands, but should avoid jumping straight to banning payments, panelists suggested.

Lawmakers instead may need to start by putting in place a variety of progressive steps that can discourage many payments and blunt the pain victims, and those who depend on them, are likely to experience as they try to resist giving in to cyber criminals.

During the discussion, panelists examined factors that make certain victims most likely to pay and the measures that gradually reduce ransomware’s appeal to attackers.

NEED VS. CAUTION


Victims may know that paying ransom means rewarding criminals and funding their future exploits, but those who — accurately or not — see it as the quickest or most affordable way to get up and running again may still feel compelled to hand over the money.

Disruptions to health-care providers and utilities’ operations can put lives at risk, prompting these firms to pay up in hopes of more quickly restoring their systems. Small family businesses, too, are likely to feel pressure to give in because they rarely have the finances to survive temporary closures without shutting down for good, said Jen Ellis, IST Ransomware Task Force working group co-chair.

“For them, a ransom incident can mean an end-of-business event. If you don’t pay, you have no recourse,” Ellis said. “If they can’t recover their business and do so quickly, they’re done, they’re sunk.

On the flip side are better resourced companies that hand over ransom without fully exploring other options. Josephine Wolff, associate professor of cybersecurity policy at Tufts University’s Fletcher School, viewed Colonial Pipeline as one of these, stating that its choice to shut down systems following a ransomware attack seemed to be driven from “an excess of caution” rather than true necessity.

CEO Joseph Blount told the House in June that Colonial entered payment negotiations within hours of being hit. The company chose to pay out of fear that the pipeline would face a long shutdown if attempts to restore the system from backups failed, Charles Carmakal, CTO and senior vice president of FireEye’s Mandiant division, said at the time. Those concerns later proved unfounded and Colonial ultimately relied on the backups instead of the decryption tool it purchased when it discovered the latter worked too slowly.

Wolff said anti-ransomware policies must particularly target these kinds of optional payments, so that the choice to pay is always a painful one taken as a last resort.

“This should not be something you do lightly as the cost of doing business,” Wolff said.

CREATING FRICTION


Rules preventing tax deductions or insurance coverage for ransom payments are good first steps that could make firms think twice and try other options before paying, Wolff suggested. She cautioned that it remains unclear how effective such an approach will ultimately be, however, and that any policies meant to combat ransomware need to be tried out and tweaked until it becomes clear which work.

Ari Schwartz, Ransomware Task Force member and managing director of cybersecurity services and policy at legal and regulatory advisory firm Venable, also suggested that requiring victims to report ransom payments could end practices in which organizations give in to avoid bad publicity and keep the incidents quiet.

Of course, policies don’t guarantee compliance, and California’s attorney general issued astatement this week reminding health-care providers to follow state law obligating them to report significant data breaches.

Such efforts could help shift thinking for organizations that are assessing the costs and benefits of paying. But panelists also acknowledged the complexity of trying to deter ransomware without being too punitive on small businesses or risking widespread damage from critical infrastructure disruption.

EASING RESISTANCE


Governments can ease some strain of resisting ransom demands by proactively pushing alternative options. The public-private No More Ransom project offers an extensive library of decryption tools for free, for example, Ellis noted. Victims who are aware of such resources may avoid needing to pay, and Wolff suggested the U.S. get involved in similar efforts.

IST had also recommended in a report that governments provide funds to help victims hold out against demands — a move which Ellis said is useful but only goes so far.

Ransomware is a global issue, and the U.S. and other countries are likely to find they can’t financially support all victims. Nor will such a support fund solve the problem for organizations where business interruption — not revenue loss — is the greatest motivator for capitulating to attackers, Ellis said.

“I really love the idea, but my one question is, what do you do about everybody who doesn’t qualify for the fund?” Ellis said. “[And] what do you do about a hospital? How do you get the doors open as quickly as possible?”

Victims in highly regulated sectors like health care may also be inclined to pay to prevent hackers leaking sensitive, protected information, even if the impacted organization is able to bring its systems back online.

Such challenges are not a reason to give up fighting ransomware payments, but simply are areas that need further attention, Ellis reminded.

THE EXEMPTION DEBATE


Banning all, or nearly all, ransomware payments would cut out criminals’ profit motive, especially if it could be tightly enforced, and panelists said it is a good end-goal for policymakers to aim at. But such a sweeping move is unlikely to be feasible at present, and panelists discussed whether some types of victims should be exempted in the short-term.

Critical infrastructure providers are likely to need such reprieves, for example, Schwartz said. Criteria can be tightened over time until a more complete payment ban is reached, panelists said.

But policymakers must be aware that even though exempting critical infrastructure providers may get them back online faster, it could also lead to attackers tightly targeting those organizations, knowing they’ll pay out, Ellis said.

This may speak to a need to bring additional measures that address other parts of the ransomware ecosystem, such as by upping efforts to prevent cyber criminals from using cryptocurrency exchanges to collect the funds and reducing the number of safe haven nations from which they can operate.

Many hanging questions remain regarding how to best craft policies that will truly cut down on ransomware and handle the unintended side effects. But Wolff said that unless there’s a strong push for advancing toward a payment ban and addressing those questions, “then we keep doing what we’re doing – which is basically nothing ... Just reacting and waiting for the next thing to hit.”
Jule Pattison-Gordon is a senior staff writer for Governing and former senior staff writer for Government Technology, where she'd specialized in cybersecurity. Jule also previously wrote for PYMNTS and The Bay State Banner and holds a B.A. in creative writing from Carnegie Mellon. She’s based outside Boston.