Posted: 5 Min Read | Threat Intelligence

Ransom Payments are Fueling the Ransomware Scourge

An unhealthy ecosystem has developed around ransomware. The time has come to change the dynamic. We must compensate the victims, not the criminals.

When it comes to choosing their victims, ransomware attackers have become brutally adept at finding pain points.

Their targets range from hospitals, schools, and local government to key infrastructure, such as water treatment and fuel pipelines – and they’re succeeding. Ransomware gangs have aggressively honed their tactics over time while ransomware creators franchise their tools to affiliates in exchange for a cut of the loot. Hardly a day goes by without news of another organization being hit by one of these groups.

No longer just a criminal menace, the ransomware scourge now affects society as a whole, reaching a point where it has drawn comparisons to the challenge the nation faced following the September 11, 2001, terrorist attacks.

The time has come to change the dynamic that has developed around ransomware. While ransom payments may sometimes be unavoidable, they should be a measure of last resort, not the first response. Cyber insurance should be there to compensate victims, not reward attackers. Governments should recognize the key role they can play in assisting victims, both technically and financially.

Calculated disruption

The Conti ransomware attack against Ireland’s national health service, the Health Service Executive (HSE), starkly illustrates the gravity of the threat we now face. In the middle of a global pandemic, attackers crippled its network, causing massive disruption to vital services and forcing it to cancel medical appointments. While the attackers subsequently released a decryption key, they are still attempting to hold the HSE to ransom by threatening to release sensitive patient records stolen during the attack.

It would be a mistake to assume that the HSE was an unintentional victim of an indiscriminate campaign. We have no doubt that the attackers knew who they were infecting. It’s hardly a coincidence that the Irish government’s Department of Health was also targeted, albeit less successfully. Crippling the country’s health system appeared to be the end goal. And, as the FBI highlighted last month, attackers using Conti have previously targeted at least 16 healthcare and first responder organizations in the U.S. alone.

Attacks such as these can require a high degree of interaction from malware operators, both to successfully deploy the ransomware across the victim’s network and, at the same time, to profile the victim to better estimate the amount of ransom they’re likely to pay based on the success of the attacker’s activity and the quality of the data available for exfiltration. The group behind the HSE attack proceeded with their attack because they knew the disruption it would cause at this key point in the Irish response to the COVID-19 pandemic could lead to a major payoff.

Too often, the commentary following a major ransomware attack such as this focuses on the victim, asking whether they had done enough to secure their network. While there is an obvious duty on the part of the victim to make every effort to protect the IT systems and data on which it depends, to solely blame the victim for the attack is overly simplistic and distorts an understanding of the wider issue of why ransomware has become such a stunningly successful criminal enterprise. Aside from the fact that over-zealous public criticism of victims only encourages more victims to quietly capitulate and pay, it also draws attention away from the true perpetrators.

The criminals behind targeted ransomware are now among the most technically proficient and well-resourced threat groups operating today. Blockchain analysis company Chainalysis estimated that ransomware gangs netted just under $350 million in 2020, a massive 311% increase over 2019.

The scale of ransom payouts now means that the most successful groups will have a bigger operating budget than the victim’s network defenders in all but the largest of organizations. This allows them to operate both at a massive scale and also to persist in their attacks until they’re successful.

Unhealthy ecosystem

The Irish government is to be commended for not bowing to pressure and paying a ransom. This is a stance that may be put under increasing pressure in the weeks and months ahead, particularly if the restoration of services proves slow or if sensitive medical data is leaked online. Nevertheless, it is the right decision.

It is an unfortunate fact that there will be occasions when some victims will find themselves with no choice other than to pay the ransom. However, we are deeply concerned about how regularly the response to a ransomware attack has begun to resemble a professional transaction—a simple business cost. All too often, ransoms appear to be paid because the cost of the ransom is calculated as being lower than the short-term cost of restoring the victim’s IT systems from backups or because the ransom payment is covered by cyber insurance. These decisions are based on a short-term calculus, ignoring the long-term consequences of continuing to invest in an unhealthy ecosystem where ransomware attackers thrive and multiply.

Over the long term, it’s going to do far more good for insurance payouts to go exclusively to the victims to reestablish their operations. This may cost more in the short term and raise costs for insurers and the premiums they charge, but taking a broader view, it’s the only way of cutting off ransomware criminals from the proceeds of their crimes and deterring future ransomware criminality.

Governments have become alert to the role they need to play in tackling what is increasingly a societal problem. Much of the focus so far has been on the more obvious role government can play in providing IT security guidance and, where necessary, defining security and reporting regulation for critical organizations. However, we suggest that a more strategic way of tackling the ransomware threat specifically also needs to be considered. Many organizations, especially small businesses and local government, don’t have the technical resources to quickly recover their operations. To make it easier for ransomware victims to refuse to pay the extortion demands, government should also consider the role it can play in providing not only technical guidance but also direct technical and financial support to these ransomware victims, with the aim of getting them back on their feet as soon as possible.

The threat of cyber criminals selling or publicizing stolen data is also forcing organizations into paying ransoms and this is increasingly as potent a tool in extorting a ransom as the outright crippling of IT systems, especially for public bodies that have a legal obligation regarding the protection of customer or user data. More can be done to reduce the impact of this type of crime. The Irish Health Service Executive’s response to its ransomware breach suggests a way forward. The HSE secured a legal injunction from the Irish High Court, restraining any sharing, processing, selling, or publishing of the stolen data. While a legal response rarely deters cyber criminals, it does have real value in reducing the likelihood of personal information being shared online or via social media, lessening the pressure on victims to pay extortion money to the ransomware criminals.

Tough decisions

We can’t pretend that fixing the toxic dynamic around ransomware is going to be easy. It is also clear that things are continuing to get worse and will only get better by combining effective detection and defense against ransomware with an increased focus on reducing the financial attraction of this activity to cyber criminals. As we saw when stolen-data blackmail was added to the ransoming of IT systems, ransomware gangs have shown themselves adept at finding new techniques to pressure their victims and will certainly redouble their efforts if they encounter resistance. Whatever approach they take can only be defeated by further improving our ability to make it harder for ransomware attacks to be successful, while at the same time equal effort needs to be made to reduce or remove entirely the money that feeds the criminals at the center of the ransomware ecosystem.

We can put the odds back in our favor by making it harder for ransomware attackers to get away with it. That means more effective detection and defense. At the same time, equal effort needs to be made to reduce – or remove entirely – the money that feeds the criminals at the center of the global ransomware ecosystem. 

About the Author

Adam Bromwich

CTO and Head of R&D, Symantec Enterprise Division

Adam leads a global team of engineers and analysts who develop the game-changing security technologies, attack intelligence, and security content that protects Symantec Enterprise customers.
