Punishing the victim won't stop ransomware
Imagine, for a moment, that you own a small business -- say, a regional dairy farm producing milk, ice cream, yogurt, and other products. And, like so many companies in the food manufacturing sector, you get hit by ransomware. You can’t access any of the data you need to run your business -- so you don’t know which products to ship, where to ship them, what prices you’ve negotiated, who’s paid and who hasn’t… everything is locked up. And, the clock is ticking -- you can’t tolerate extended downtime or products will spoil and customers will defect to other vendors.
The ransomware threat actor wants $50,000 to give you the decryption keys for your data. Your cyber insurance company tells you to just pay the ransom and they’ll cover most of it, as long as it doesn’t violate the rules set up by the US Treasury Department’s Office of Foreign Assets Control (OFAC) against paying ransom to gangs or nation states that are under economic sanctions. But, they do some research and determine the ransomware threat actor would fall under these rules, so they rescind the recommendation and will only partially offset what would be an enormously expensive IT consulting engagement to restore the systems in an acceptable period of time.
As the owner of this business, you’re in a no-win situation: pay the ransom and risk big fines, or don’t pay the ransom and risk big losses that could irreparably damage the business. Or, to put it another way, you can choose whose punishment you’d prefer: the threat actor’s or the US government’s.
The company in this scenario is actually in a better position than most smaller businesses I encounter through our ransomware services. For one, they have cyber insurance -- most SMBs don’t. For another, the ransom is only $50,000 and, finally, they have enough resources to make self-remediation a viable option. Many smaller businesses aren’t this lucky -- for them, the choice is "pay ransom or die."
Welcome to the Wild West
Unfortunately, ransomware threat actors aren’t the only adversaries these smaller businesses face. There is also a growing cottage industry of ransomware profiteers selling bogus services and "expertise" that further victimizes these companies. For example, we’ve encountered US-based companies claiming they can decrypt data for ransomware victims. But what they’re really doing is engaging the threat actor on the back-end, negotiating down the ransom and getting the decryption keys from the threat actor, and then charging the victim a much higher amount for "decrypting" the data.
There are also many consultants out there positioning themselves as "ransomware experts," but they don’t have the foggiest idea what they’re doing. It’s relatively common for us to inherit cases where someone fitting this description has screwed up the negotiation for the victim and ticked off the threat actor to the point where they threaten to launch additional attacks against the company.
So when you put it all together, we have a "wild west" where ransomware victims are actually victimized over and over again -- by threat actors, bogus consultants, conflicted insurance companies, and, perhaps most notably, the US government.
Government Fans the Flames
Initial attempts by federal and state authorities to remedy ransomware bear a striking similarity to the approach used in the failed war on drugs: cut off the bad guys’ revenue stream by imposing punishment on the victims. This is why we see things like the OFAC rules and New York State’s recent Cyber Insurance Risk Framework, which recommends that underwriters not pay ransoms. Out in the real world, these types of policies are effectively telling businesses to be sacrificial lambs in the interest of cutting off revenue for ransomware threat actors.
The government should be in the business of helping victims deal with ransomware, rather than putting them in a "break the law or go out of business" bind. If the government really wants people to stop paying ransoms, it should provide assistance to companies dealing with ransomware attacks, rather than just threatening them with fines. Some good steps toward achieving this goal could include:
- Emergency low-interest loans to small businesses impacted by ransomware.
- Grants to help businesses that otherwise would be unable to repay loans for ransomware remediation.
- Education programs advising small businesses on how to avoid ransomware, and what they should do if they become victimized by it.
- Creating the equivalent of a corps of "ransomware public defenders" -- vetted private sector experts who can advise smaller businesses on how to respond to and recover from ransomware at little or no cost to the victim.
- Focusing legislation and law enforcement on domestic operators committing fraud or otherwise profiteering off the ransomware epidemic.
To truly attack the ransomware epidemic, federal and state governments need to take a holistic approach that helps businesses understand how to prevent and deal with ransomware. This can give them a practical alternative to paying ransoms, and only then will this lucrative revenue channel for cyber criminals begin to dry up. Unfortunately, the current approach -- punishing the victims -- will only increase the damage ransomware does to US businesses and the greater economy.
Kurtis Minder is the co-founder and CEO of GroupSense.