Tackling ransomware without banning ransom payments
Date:
Wed, 13 Nov 2024 07:38:47 +0000
Description:
The funding of cybercrime through the payment of ransomware demands by
insurers needs to stop.
FULL STORY ======================================================================
Just before the 2024 general election was announced, the UK government was looking to bring in tougher rules on ransomware payments, including the potential to ban ransom payments entirely. The justification? Decisive action to cut off the business model of cyber extortionists.
But the message around ransom payments is contradictory, to say the least. In the UK, the NCSC has made it abundantly clear that businesses should not pay ransoms. Yet the insurance policies bundled with the government's Cyber Essentials scheme clearly state that they provide cover for extortion payments. Ultimately, such payments directly fund cybercriminal activity and allow it to gain momentum.
So, what are the benefits and drawbacks of banning ransomware payments, what alternatives can be considered, and what role does the cyber insurance industry play in tackling this threat?
To pay or not to pay
Earlier this year, the French hospital CHCSV refused to pay a ransomware demand, despite suffering severe operational disruption. Meanwhile, other organizations that have fallen victim, such as Change Healthcare in the US, have gone in a different direction, with that private healthcare firm paying $22m to attackers.
The difference here is that one victim falls within the public sector while the other doesn't, and when public sector organizations pay ransom demands, the money ultimately comes out of taxpayers' pockets. It's for this reason, among others, that several US states have already made it illegal for public sector organizations to make extortion payments.
However, there appears to be less public transparency in the UK on whether companies pay ransomware demands. While the US has official government data specific to ransomware payments, the UK lacks official reporting, and most of the available data comes from industry surveys. For instance, a report from Censornet found that 85% of SMEs reported paying a ransomware demand, while research from Cohesity found that 69% had paid a ransom in the last year.
But not paying can cost businesses more in the long run. For example, last year MGM Resorts didn't pay its attackers but has since revealed costs of up to $110m. Similarly, the WannaCry incident, which affected thousands of NHS hospitals and surgeries in 2017, is reported to have cost £92 million in recovery.
While ransomware victims continue to play this game of will they, won't they, the cyber insurance market is estimated by Mordor Intelligence and Fortune Business Insights at $1.35bn in the UK and $20.88bn globally in 2024, with new policies continually being written as businesses scramble to insure themselves against the inevitable.
Insurers, unsurprisingly, will usually look for the lowest cost option when dealing with the fallout of a ransomware attack: paying the ransom demands.
But doing so funds this global cybercrime pandemic. It's therefore little surprise that ransomware payments, according to Chainalysis, broke the $1bn mark in 2023.
So, while some believe ransomware is becoming more prevalent because of better targeting by cybercriminals, it's perhaps worth asking whether it is any coincidence that as the insurance industry grows, so too does the cybercrime landscape. What other choice do we have?
Despite these somewhat muddied waters, the correct response to ransomware attacks is clear: paying demands should almost always be a last resort. The only exception should be where there is a risk to life. Paying because it's easy, costs less and causes less disruption to the business is not a good enough reason, regardless of whether it is the business handing over the cash or an insurer.
However, while a step in the right direction, totally banning ransom payments addresses only one form of attack and feels a bit like a whack-a-mole strategy. It may ease the rise in attacks for a short while, but attackers will inevitably switch tactics, to business email compromise perhaps, or to something we've not even heard of yet.
So, what else can be done to slow the rise in ransomware attacks? Well, we can consider a few options, such as shutting down vulnerability trading brokers and regulating cryptocurrency transactions. To pick on the latter as an example: most cybercrime is monetized through cryptocurrency, so rather than simply banning payments, it could be a better option to regulate the crypto industry and the flow of money.
Alongside this kind of regulatory change, governments could also consider moving the decision of whether to pay to an independent body. This would ensure the decision is made regardless of cost and based instead on risk to life and disruption to critical services. Whether a court, or other independent body, could make these decisions quickly enough is up for debate.
Insurance and cyber security can go hand in hand
Digital transformation was expedited during the pandemic, and on top of that, extortion-based cyber-attacks have been spurred on by cryptocurrency, all within a short time frame.
Meanwhile, the biggest challenge for insurers in today's digital environment is their lack of data. This perfect storm explains why insurers are continually adapting their requirements and increasing premiums at an escalating pace.
But it's important to remember that being insured can make a business more of a target, because cybercriminals know they may get their ransom payment, fueling this never-ending cycle. It's therefore essential that businesses adopt a cybersecurity posture that provides them with the best possible protection, insured or not. In fact, opting for an insurer who understands risk based on data can help make a business's cyber strategy more secure.
For example, insurers who understand risk based on data often require businesses to adopt a range of technologies and processes to reduce that risk, such as off-site cloud backups, multi-factor authentication and advanced endpoint detection and response (EDR) solutions.
In fact, the full list of controls these insurers require is typically a subset of those that cybersecurity professionals and cybersecurity frameworks also recommend. And while insurers are focused on reducing the likelihood of a financial claim, the cybersecurity industry is focused on reducing the risk of any cyberattack, so following these recommendations will inevitably be a positive step for the business. A match made in cyber heaven?
The relationship between cyber insurance and cybersecurity is inseparable,
and these two industries are fast becoming a marriage of convenience.
However, there remains one significant obstacle to this becoming a happy and truly fulfilling marriage. The funding of cybercrime through the payment of ransomware demands by insurers needs to stop (unless in exceptional circumstances!).
This article was produced as part of TechRadarPro's Expert Insights channel, where we feature the best and brightest minds in the technology industry today. The views expressed here are those of the author and are not necessarily those of TechRadarPro or Future plc. If you are interested in contributing, find out more here:
https://www.techradar.com/news/submit-your-story-to-techradar-pro
======================================================================
Link to news story:
https://www.techradar.com/pro/tackling-ransomware-without-banning-ransom-payments