Fighting back against ransomware

Ransomware is again in the headlines. This year alone, we’ve seen attacks on:

  • Colonial Pipeline, the ‘jugular’ or the U.S. fuel pipeline
  • JBS, the largest meat processing company in the world
  • CD Projekt Red, the Cyberpunk 2077 developer
  • Kaseya, the IT Management Software for MSPs

Ransomware’s explosion has been made possible by the anonymity of cryptocurrency and fuelled by the vicious cycle of payment funding its growth.

Without action, it will continue to grow, so what can be done to break the cycle?

The fight-back begins

The good news is that this year, the fight-back has begun on several fronts:

  • The Ransomware Task Force (RTF) has been created by Microsoft, Amazon, the FBI and the UK's National Crime Agency.
  • International defence and security think tank The Royal United Services Institute (RUSI) published a paper investigating solutions including legislation to prevent payment.
  • Ciaran Martin, former head of the UK’s National Cyber Security Centre suggested changing the law on insurance.
  • Insurance companies are stopping payment of ransomware due to concerns of officials.

Recommendations from The Ransomware Task Force

Ransomware is such a difficult problem because it is an international issue with attackers and victims usually in different territories and because payment in crypto-currency are difficult to trace. 

The RTF has made recommendations on how to address both issues. Governments need to: “exert pressure on nations which are complicit, or refuse to take action against domestic ransomware groups”. The RTF is also recommending increased regulation of crypto-currency services.

Ransomware will not be curbed if attackers can operate and thrive in countries that do not apprehend attackers.

It appears that this approach is already bearing fruit. The ransomware group REvil’s websites have been taken down following reported action from both the US and Russia.

 

Legislation & cyber insurance

Amongst other solutions investigated by RUSI in its paper on ransomware, it queries if we could make payment of ransomware illegal:

“Is a complete outlawing of ransom payment possible?

If  not,  could  measures  be  put  in  place  to  ensure  that  payments  are  only  made  when  all  other  options  have  been  exhausted  and  where  the alternatives are deemed to be less desirable than a payment?

Are  there  regulatory  steps  that  can  be  taken  in  the  area  of  cyber  insurance and ‘ransomware recovery’ that could have a positive effect on the situation?”

We do not think completely outlawing ransomware payment is possible.

From the outside, it is very easy to pass judgement on companies paying ransom. Paying the ransom feeds the vicious cycle, leading to more ransomware. It seems that there is a clear ‘right’ and ‘wrong’ and it is wrong to pay.

But it is a very different situation if you are on the receiving-end of an attack. If there aren’t good backups to recover from, you may need to choose between the ‘wrong’ option of paying out or going out of business.

This is why it isn’t reasonable to completely outlaw payment in ransomware attacks. It would criminalise those just trying to keep their staff employed and their business a going concern.

Our view is that paying out should be the last resort after all other options have been exhausted. This would however be very hard to legislate. Who would make this judgement? Would the police need to give the organisation approval that options have been exhausted allow them to pay?

Ransomware attacks require a rapid response. Criminals will deliberately set short deadlines on payment under the threat of deleting the encryption key to force an action. Attacks are so prevalent that police wouldn’t have the resources to assess each attack. For every high-profile case we hear about in the press, there are tens of other cases that go unreported.

Cyber insurance

The right place to address the issue is cyber insurance policies.

AXA has taken the unprecedented step in stopping ransomware payments in France in response to concerns from officials. We don’t think payment for ransomware should be removed from cyber insurance altogether.

We think cyber insurance must continue, and can be a positive-force in addressing ransomware. Insurers can make good cyber hygiene and backups a pre-requisite for cover. Insurers can also address payment from a wider perspective.

When an individual business pays a ransom, they are not concerned about the impact it has fuelling future attacks. Insurers however will find themselves paying out more frequently unless this trend is reversed.

What next?

The fight-back has started, but these solutions won’t have an immediate impact. Regulating cryptocurrencies, international diplomacy and changing cyber insurance will take time.

In the short term, the more pressing concern is protecting yourself from these prevalent attacks.

That means shoring up your defences and educating your users. It means having reliable backups to recover from and a Cyber Incident Response Plan of how you would identify, isolate, contain, rectify and communicate.