Sunday, August 4, 2024

Should Ransomware Payments Be Made 100% Illegal? The Debate Rages On

Over the last week or so, I have recorded a number of podcasts, with guests speaking about differing areas of their expertise. But one common question that kept coming up (which, I have to admit, I prodded for) was about Ransomware. For instance, I asked them what they thought about it, and the big question: Should the ransom actually be paid? Astonishingly enough, the answers were mixed on this.

In my opinion, a ransom should never be paid. First, it shows the Cyberattacker that you will bend, even though you may not want to. As a result, the chances are much greater that they will come back for you next time, and even demand a higher ransom payment.

Second, if you are good at maintaining backups on a prescribed schedule, then restoring mission-critical operations should not be a problem. But this is largely dependent upon what kind of environment your IT/Network Infrastructure is hosted in.

If you are in the Cloud, for example using Microsoft Azure, then this will not be a problem. You could be up and running within just a few hours. But if some part of it is On Prem, the restoration process could take much longer, especially if you have to resort to tape backups.

Third, if you do make a ransom payment, many insurance companies are now refusing to pay out on filed claims in these cases. I think this all started with a French insurance company called Axa, when it suddenly announced that it would stop making such payments.

As a result, other carriers followed suit. Fourth, making a ransom payment can even be considered illegal, especially if it is made to a nation-state actor, such as Russia, China, Iran, or North Korea.

So now, this raises a new question: Should all Ransomware payments be made illegal? In other words, even if you paid just a few thousand dollars to a Cyberattacker, should you still face legal consequences for it? Here are some considerations:

1) Ransomware is getting uglier:

Gone are the days when a Cyberattacker would simply deploy a malicious payload, lock up your computer, and encrypt your files. It has become far worse now, with extortion-like attacks taking place that could even threaten the lives of the victims involved. If this were to happen, the first instinct is to pay up. But if it were made completely illegal, would you still do it?

2) Not all businesses are equal:

This is where you would compare an SMB to a Fortune 500 company. If ransom payments were made illegal, the latter would have a far better chance of surviving than the former. It would totally wipe out an SMB in a matter of hours. Also, keep in mind that many Cyberattackers are now targeting SMBs given just how vulnerable they are.

3) Payments can still be made:

Even if payments were made completely illegal, businesses would still try to find a way to pay the Cyberattacker, that is, covertly. But given all of the audit trails that financial institutions now have to implement, the payor would eventually be caught. Bringing him or her to justice, however, would take an enormous amount of time and expense, not only to collect the forensic evidence but from the standpoint of litigation as well. Again, is all this worth it if the ransom payment was only a few thousand dollars? Probably not.

4) More participation from law enforcement:

While Federal Government agencies, such as the FBI, are doing a great job of tracking down the Cyberattackers that have launched Ransomware attacks, their resources are obviously limited. Because of this, their priority is to first go after those attacks that have caused a large amount of damage, or where there is an extortion plot going on. They obviously don't have the resources to chase down those people who make small ransom payments.

5) The Cyberattacker will find another way:

If ransom payments are made 100% illegal, no matter what the circumstances, the Cyberattacker will find another way to be compensated. But this time, the consequences could be far deadlier and even more extreme.

My Thoughts On This:

So given the considerations I just listed (and there are probably many more of them), is it worth it to make ransom payments totally illegal? While it may have short-term advantages, it would not serve the long run. In the end, businesses should have the option of whether to pay up or not, even though I still think they should not.

There are calls now for the Federal Government to enact more best practices and standards for businesses to follow, but in the end, it will be up to the business owner to implement them. They would only be obligated to do so if it becomes actual law. But by the time that actually happens, the newly enacted legislation will be far too outdated for the latest Cyber threat variants.

So, you may be asking what can be done? Simple: keep a proactive mindset within you and your IT Security team. Always create backups! The cost of taking steps to mitigate the risk of your business being hit by a Ransomware attack pales in comparison to what the actual damage will be in the end.
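A backup only removes the pressure to pay if it is both recent enough and actually restorable. The following is an added example (not code from this post) that audits a backup catalogue against the prescribed schedule and checks that a test restore returns the bytes recorded at backup time; the catalogue, schedule and checksums are constructed sample data.

```python
import hashlib
from datetime import datetime, timedelta, timezone

# Constructed sample data (not from the post): the audit date, the prescribed
# schedule (one backup per day) and a small catalogue of backup sets.
NOW = datetime(2024, 8, 4, 12, 0, tzinfo=timezone.utc)
SCHEDULE = timedelta(hours=24)


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Each entry records when the backup completed, the SHA-256 captured when it
# was written, and the bytes a test restore reads back today. The "mail" set
# simulates a copy that was silently corrupted after it was taken.
CATALOGUE = [
    {"name": "erp-db", "taken": NOW - timedelta(hours=5),
     "expected": sha256(b"erp export 2024-08-04"), "restored": b"erp export 2024-08-04"},
    {"name": "file-share", "taken": NOW - timedelta(days=9),
     "expected": sha256(b"file share 2024-07-26"), "restored": b"file share 2024-07-26"},
    {"name": "mail", "taken": NOW - timedelta(hours=2),
     "expected": sha256(b"mail store 2024-08-04"), "restored": b"mail store 2024-08-04 CORRUPT"},
]


def audit_backups(catalogue, schedule=SCHEDULE, now=NOW):
    """Return {name: status} with status 'ok', 'stale' or 'corrupt'.

    'corrupt' - test-restore bytes do not match the checksum taken at backup
                time, so this copy cannot be relied on for recovery.
    'stale'   - the newest copy is older than the schedule allows, so the
                restore point loses more data than the business planned for.
    """
    report = {}
    for entry in catalogue:
        if sha256(entry["restored"]) != entry["expected"]:
            report[entry["name"]] = "corrupt"
        elif now - entry["taken"] > schedule:
            report[entry["name"]] = "stale"
        else:
            report[entry["name"]] = "ok"
    return report


def restore_ready(report) -> bool:
    """True only when every backup set passed both the freshness and integrity checks."""
    return all(status == "ok" for status in report.values())


if __name__ == "__main__":
    result = audit_backups(CATALOGUE)
    for name, status in result.items():
        print(f"{name:12s} {status}")
    print("restore-ready:", restore_ready(result))
```

Running the audit on a schedule, and treating any "stale" or "corrupt" result as an incident in its own right, is what turns "we have backups" into a restore you can count on instead of a ransom.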
