Banning Ransomware Payments Could Create New Crisis Situations – Forbes

Last Sunday—a day before the U.S. announced it had recovered millions of dollars of ransomware payments that Colonial Pipeline recently paid to cyber attackers—U.S. Energy Secretary Jennifer Granholm said she supported banning ransom payments altogether.


“I don’t know whether Congress or the president is at that point,” she told NBC’s “Meet the Press” moderator Chuck Todd, “but I think we need to send this strong message that paying a ransomware only exacerbates and accelerates the problem. You are encouraging the bad actors.”

Unintended Consequences

While prohibiting ransomware payments might stop one crisis, it could create others for business leaders.

Lawsuits

Bryan Hornung is the founder of Xact IT Solutions, a cybersecurity firm. He said if companies did not have an option to pay the ransom, “… you would see many businesses close their doors, and lawsuits would burden the legal system due to companies going out of business and not honoring their commitments.

“There would be many unintended consequences if we implemented a ransomware ban too quickly. Imagine what could happen if a law firm or police unit was hit with ransomware and evidence or case data from important cases were gone forever. That’s what we are up against,” he observed.

More Lethal Attacks

Ed Cabrera, chief cybersecurity officer at Trend Micro, said “Banning or effectively criminalizing ransom payments sounds great but are we ready to rip off the bandage? Once a ban takes place we will see more lethal attacks take shape as cyber criminal groups will be forced to increase the pain. Organizations who are ill prepared in the short term will find themselves in a desperate place without options.”


Extortion

Hornung cautioned that, “You also have to consider double extortion. When you don’t pay the ransom, the cyber criminals threaten to release the data to the public or contact the people in the stolen dataset directly and try to extort them. Just as we saw with the D.C. police department hack, once they have your data, they expect to get paid and will figure out many ways to use what they have as leverage to get paid.”

Between A Rock And A Hard Place

Mantas Sasnauskas, a researcher at CyberNews, noted that, “A ban on ransomware payments [would place] businesses in a very difficult position. If they succumb to the cyber criminals, and pay the ransom fee, they could be in breach of U.S. law.

“In respecting the ban, businesses from all sectors [would] run the risk of their intellectual property leaking, customer records being exposed, and IT systems failing. However, there is no guarantee that paying the ransom to cyber criminals will deliver the stolen data, or prevent it from leaking—and the payment could be fueling further ransom attacks.”


Enforcement Issues

Greg Young, vice president of cybersecurity at Trend Micro, predicted that, “… banning [ransom] payments could cause more crime and be a difficult measure to enforce. Payments would likely still occur, but with 3rd parties involved.

“These 3rd parties could be unreliable. Detecting bitcoin transfers is difficult, and would ultimately end up re-victimizing targets and discourage them from reporting as the communication is driven underground. It is stressed that paying ransoms is not Plan A but if lives or economic ruin would result, it is ethically difficult to criminalize,” Young said.

A Better Approach

Jon Toor, the chief marketing officer of Cloudian, said that rather than banning ransomware payments, “A better approach is to ensure that companies can restore operations without paying ransom.


“The technology to do this exists today. If the company can recover quickly, there is no need to pay ransom. And when the scammers no longer get paid, the attacks will stop.”

Advice For Business Leaders

Ed Amoroso, founder and CEO of TAG Cyber, a cybersecurity research analyst firm, said, “I don’t agree with a ban. I think all avenues for negotiation must be included. The best approach is to prevent ransomware in the first place. No one should ever have to pay a ransom. But if you are a victim and have no other options—then pay the fee. Yes, you can call law enforcement and they might help, but I would advise getting your stuff back and then taking steps to never let it happen again.

“To reduce the risk of ransomware and related destructive attacks, security teams need to focus on the following four non-trivial business initiatives, none of which can be outsourced, and all of which will require daily attention,” he counseled.

The initiatives include:

  • An information architecture, which is a collective understanding of the minimum information needed for an organization to function.
  • A resilience methodology that involves the people, processes, and technology required to keep the organizational mission moving forward.
  • Prevention programs that include anti-malware software, patching processes, and security protection tools for email, web, and other services.
  • Response planning to reduce the risk of ransomware and destructive malware. It involves a comprehensive understanding and set of procedures to detect, respond, and recover from a destructive attack.
