Another week, another series of high-profile ransomware victims as Germany’s Software AG and the UK’s Hackney Council join a long and growing list of businesses and public sector organisations crippled by cybercriminals in what is becoming a bête noire of IT teams globally.
IBM Security X-Force says ransomware has accounted for one in four of the incidents it has dealt with so far in 2020, and research suggests the annual ransomware bill could run to $20bn by the end of 2021. (To those lucky enough to remain unfamiliar with this type of incident, it entails attackers breaching a network, encrypting crucial files and demanding a payment to restore them. Typically, pressure is added by a drip-drip leak of sensitive data).
With cybercriminals raking in ransom payments with little sign of consequence, the US Treasury this month waded into the enforcement debate, saying it may impose sanctions on those who pay ransoms.
Ransomware sanctions: what’s the US Treasury proposing?
The advisory from the US Treasury says anyone who makes or facilitates a payment to offenders could be liable to sanctions from the Office of Foreign Assets Control (OFAC). It notes “companies that facilitate ransomware payments to cyber actors on behalf of victims, including financial institutions, cyber insurance firms, and companies involved in digital forensics and incident response, not only encourage future ransomware payment demands but also may risk violating OFAC regulations.”
It goes on to say authorities are concerned the proceeds of ransomware payments may be used to fund further terrorist attacks on the US.
“Ransomware payments made to sanctioned persons or to comprehensively sanctioned jurisdictions could be used to fund activities adverse to the national security and foreign policy objectives of the United States,” it states.
Ciaran Martin is managing director of Paladin Capital, a fund that invests in cybersecurity start-ups, and until last month was head of the UK’s National Cyber Security Centre (NCSC). He has publicly called for a ban on ransomware payments in the UK and says the US Government’s move is a welcome first step.
“It’s time to do something because we’re getting cleaned out left, right and centre,” he says. “Services are being disrupted and millions of pounds are being lost.
“It was a high priority for us [at the NCSC] and I wanted it to be even higher. We need to do something to catapult ransomware up the priority ladder for cybersecurity agencies, governments and industry people who care about cybersecurity.”
Paying is not the way to go
Security experts offered mixed opinions as to whether a ban on ransomware payments is a positive step. Chief scientist and fellow at McAfee Raj Samani says it has long been a widely-held industry view that “paying is not the way to go”.
“Ransoms will simply encourage further attacks and demands for higher payments,” he says. “Understandably, businesses may question whether this is the appropriate position to take in the event of a significant outage, but they should consider the broader implications of payment. The only way to stop criminals from launching ransomware attacks is to impact their ROI and ensure it stops being a lucrative tactic for them.”
McAfee is one of the founding partners of the No More Ransomware project, a joint task force set up by vendors and law enforcement agencies to provide guidance and tools to tackle criminals. The portal claims to have saved more than $600m in ransom demands since its launch. Another of the founding partners is Kaspersky Labs.
Ivan Kwiatkowski, cybersecurity researcher at Kaspersky’s global research and analysis team, says a clamp-down on ransomware must be led by authorities.
“If no one paid, the problem would be solved immediately, but paying remains the economically rational choice for each victim,” he says.
“It should not be denied that the pressure exerted on managers during these incidents is very significant: in addition to the legal risk that the leakage of internal documents may pose to them, there may be hundreds or even thousands of jobs at stake if the company does not quickly regain control of its production tool. For this reason, we cannot hope that the problem can be solved by a collectively ethical behaviour: the overall strategy must be steered by the national authorities.”
A partial ban on ransomware payments: counter-productive?
The severity of ransomware attacks was put in the spotlight last month when a woman in Germany died after cybercriminals struck at a hospital.
The systems at Duesseldorf University Clinic were taken offline, meaning the woman, who was due to arrive as an emergency admission, had to be taken to another clinic 20 miles away, resulting in an hour-long delay to what could have been life-saving treatment. The woman’s death could be the first to be directly linked to a cyber attack.
This attack led to security firm Emsisoft to call for a ban on ransomware payments. Brett Callow, a cybersecurity expert with the company, adds that the measures the US Treasury is talking about do not go far enough: “The advisory is simply a reminder as to already existing provisions, and was possibly prompted by a recent case in which a US company is said to have paid a ransom to a sanctioned group,” he says.
(This summer Garmin reportedly paid $10m to a ransomware group that captured its data, though this has not been confirmed by the US-based business)
Callow adds: “At present, the sanctions apply to only a very limited number of threat actors and so will have no real impact on the profitability of ransomware or the frequency of attacks, which are, of course, directly related.
“In our opinion, the only solution to the worsening ransomware problem is a complete prohibition on the payment of ransoms.”
Cyber analyst The Grugq told Tech Monitor: “I find the whole prohibition thing very disturbing. It’s such a bad knee-jerk reaction that seems really obvious, until you look at the perverse incentives it creates.
“The only entity with power to control the behaviour of ransomware gangs is the one providing protection for them. The gangs need a place to operate and somewhere to convert their cryptocurrency into hard currency. They are cashing out hundreds of thousands of dollars in crypto, and there is no way that isn’t raising ‘know your customer’ alerts for money laundering.
“The only controlling entity is the one that allows the gangs to operate. The gangs are completely at the mercy of the whichever entity provides protection. This is the rule everywhere that kidnapping gangs operate, and ransomware gangs share some similarities in their operational requirements.
The unintended consequences
The Grugq adds that he believes that what the US Treasury proposes amounts to the “worst of all worlds.”
“With a partial ban there are significant unintended consequences,” he says.
“Firstly, the ransomware gangs still make money from ransomware, so they do not cease operations. Then, to encourage payment they become more drastic and extreme in their actions. They have to make a stronger incentive to encourage people who are dissuaded by the ban, but might pay if given sufficient ‘encouragement’
“Then, because the prohibition on payment makes it an underground activity with limited transparency and mechanisms for enforcing compliance — the ransom prices rise. This environment: higher prices, more aggressive ransomware gangs, fewer reputable companies negotiating and handling the ransom payments; it is the worst possible situation for everyone.”
He adds that the current situation where payments are legal has “created a market place” where a handful of companies enable payments to be made by victims.
This solution has its upsides: “[There is] market governance and it keeps the prices down because there is a sort of gentlemen’s agreement between the gangs and the payment companies,” he says.
“Also, the lack of prohibition means these companies operate in the open and they can share information about pricing internally and with each other.
“The status quo is not the ideal world, but it is far better than the nightmare of ineffective partial prohibition.”
Marcus Hutchins, the security researcher who put a stop to the WannaCry attack in 2017, believes a ban would be counter-productive and drive payments further into the shadows.
Here’s how threatening to investigate companies who pay ransoms plays out in the real word: 1. They become less transparent than they already were when it comes to security breaches. 2. They just factor in the potential fines into the total cost, then still decide to pay.
— MalwareTech (@MalwareTechBlog) October 6, 2020
What the US Treasury says
The notice issued by the US Treasury explains that those who make ransomware payments could fall foul of powers granted under the International Emergency Economic Powers Act and the Trading with the Enemy Act (TWEA), which prohibit US citizens from engaging in transactions, directly or indirectly, with individuals or entities on OFAC’s specially designated nationals and blocked persons, or SDN, list.
As well as individuals and threat groups, the SDN list contains several countries and regions subject to blanket bans, including Cuba, Iran, North Korea, and Syria.
Facilitating a non-US citizen to break these rules can also land you in hot water, the notice says, while anyone subject to US jurisdiction “may be held civilly liable even if it did not know or have reason to know it was engaging in a transaction with a person that is prohibited under sanctions laws and regulations administered by OFAC.”
Ignorance, in short, is no defence.
Resulting sanctions will be decided depending on the severity of the breach, and fines for breaching TWEA can range up to $1m.
What measures could be taken apart from a ban on ransomware payments?
Samani says “basic cyber hygiene” can make a difference when it comes to ransomware attacks: “One of the key concepts to consider is that prevention is better than a cure,” he says. “With this in mind, organisations should take steps to recognise what ransomware attackers are targeting and secure them before attacks take place.
“For example, if criminals are targeting remote access points, take steps to secure them – such as implementing MFA, adopting complex RDP passwords to reduce the likelihood of successful brute-force attacks and enhancing RDP security by implementing encryption and server authentication.
“Most importantly, however, businesses should back up their data and patch computer servers if a critical security vulnerability is disclosed. These basic cyber hygiene practices can help to ensure business operations are not crippled by ransomware.
He continues: “Ransomware is not going away anytime soon. The tactic is simply too profitable and effective for cybercriminals. In fact, the evolution of some of the more recent variants has deviated so much that a more appropriate term is digital extortion.
“As a result of current data regulations, such as the GDPR and CCPA, the threat to release data represents not only reputational damage to victims but the threat of regulatory penalties. This evolution, when combined with the danger of disabling critical systems, is done with the sole purpose of encouraging payment.”
Could a ban on ransomware payments come to Europe?
Martin says a joined-up approach to banning ransomware payments across the US, Europe and around the world could be achieved.
“There are much harder things to co-ordinate across the Atlantic and we manage to do it,” he says.
“I believe in evidence-based policy and I think this is an area which is ripe for Government consultation. It’s not immediately obvious whether there’s a compelling case for outlawing ransomware payments, but it’s a problem that has been around for a while and is definitely worth a look.”