Ransomware: Should Governments Hack Cybercrime Cartels?Banning Ransom Payments and Unleashing Offensive Hacking Teams Being Mooted
Crime doesn't pay - except perhaps when it comes to ransomware, which continues to fuel a massive surge in illicit proceeds. With such profits appearing to be at an all-time high, clearly something needs to be done to blunt ransomware-wielding extortionists' force - but what?
See Also: The Ultimate Guide to Malware
Ransomware victims range from environmental regulators and construction firms to manufacturers and healthcare facilities - including those helping respond to the COVID-19 pandemic. Beyond disrupting businesses, such attacks also pose a public health risk; they potentially can compromise patient safety as hospitals continue to get hit.
As a result, many governments are seeking better law enforcement and policy solutions, says Robert Hannigan, chairman of cybersecurity services firm BlueVoyant International.
Last October, for example, the U.S. Treasury Department warned that any banks, insurers and others that negotiate or facilitate any actions involving a ransom payment being made to a sanctioned organization could find themselves on the receiving end of federal sanctions.
Given the difficulty of disrupting ransomware operators who work from countries such as Russia, however, "making ransomware attacks less lucrative for cybercriminals is the objective," says Hannigan, who from 2014 to 2017 served as director of Britain's GCHQ intelligence agency.
"There is also pressure from the insurance industry to encourage government action," he says. "Insurers feel uncomfortable about paying huge sums to cybercriminals, which, while not illegal, is an ethical gray area. Insurers are adjusting coverage and increasing premiums to reflect ransomware attacks."
Proposal: Ban All Ransom Payments
One proposal has been to ban all ransom payments. Whether such bans could be enforced is not clear. Also, organizations that did their best to safeguard themselves, but still saw their systems get crypto-locked, could go out of business or suffer devastating interruptions due to a ban.
Short of a ban, Ciaran Martin, an Oxford University professor of practice in the management of public organizations who until last August served as the British government's cybersecurity chief, says governments should at least crack down on insurers being able to help victims funnel payoffs to attackers.
“I see this as so avoidable. At the moment, companies have incentives to pay ransoms to make sure this all goes away,” Martin tells The Guardian, expanding on suggestions he's previously made. "You have to look seriously [at] changing the law on insurance and banning these payments, or at the very least, having a major consultation with the industry."
Responding to suggestions that ransom payments be banned, a spokesman for the Association of British Insurers tells Information Security Media Group: “Insurance is not an alternative to managing the cyber ransomware risk; it is part of a toolkit to combat this crime." The spokesman also notes that policyholders must have all "reasonable precautions" in place. And he adds that "as part of cyber insurance coverage, insurers will work with customers to help them manage the risk to reduce the chance of a damaging attack."
Even well-prepared organizations can fall victim to unexpected hack attacks. "These attacks can cause severe disruption and financial strain for any business, whatever their size," he says. "If this insurance was not available, then firms who do the right things to protect themselves and are still hit could face financial ruin or possibly go out of business."
Expert: Insurers 'Subtly Endorsing' Payoffs
Numerous cybersecurity experts report nonstop fallout from so many ransomware victims continuing to send bitcoins to their attackers. "Paying ransoms provides criminals with more funds to further develop their tactics," says Brian Honan, who heads Dublin-based cybersecurity consultancy BH Consulting, via Twitter. "It also further motivates criminals to target more victims and to become more bold in their attacks."
Honan, who's also a cybersecurity adviser to the EU's law enforcement agency, Europol, says that "insurance companies shouldn't by their actions in paying ransoms be subtly endorsing them," nor should "security companies that negotiate payments on behalf of victims."
The insurance market could help correct the problem. Some cyber insurers have been suggesting that their ransom coverage might soon be curtailed because the continuing rise in ransomware-triggered payoffs by the insurance industry cannot be sustained. And some insurance experts have predicted that extortion and social engineering attacks will be excluded from more policies.
Time to Unleash Government Hackers?
Western governments could also do more to directly disrupt the flow of cryptocurrency from victims to criminals, says Martin, the former CEO of the U.K.'s National Cyber Security Center, which is the public-facing arm of intelligence agency GCHQ.
Writing in Lawfare, Martin notes that government intelligence agencies could hack ransomware-wielding attackers and their infrastructure, along the lines of what the U.S. Cyber Command did to Russia's Internet Research Agency troll farm ahead of the 2018 U.S. midterm elections.
"It has been used against transnational cybercriminals in the past and should, in my view, be deployed where possible against the scourge of ransomware," Martin says.