Paying strengthens ransomware gangs but little support for bans
BOSTON (AP) – If your business is a victim of ransomware and you want straightforward advice on whether to pay the criminals, don’t expect a lot of help from the US government. The answer is likely to be: it depends.
“It is the position of the US government that we strongly discourage the payment of ransoms,” Eric Goldstein, a senior cybersecurity official at the Department of Homeland Security, said in a congressional hearing last week.
But paying carries no penalty, and refusing would be almost suicidal for many businesses, especially small and medium-sized ones. Too many are unprepared. The consequences could also be disastrous for the nation itself: the recent high-profile extortion attacks led to fuel shortages at gas stations on the East Coast and threatened the meat supply.
The dilemma has left officials fumbling over how to respond. As a first step, bipartisan legislation in the works would require immediate federal reporting of ransomware attacks to help with response, help identify perpetrators, and even recover ransoms, as the FBI did with most of the $4.4 million that Colonial Pipeline recently paid.
With no further action anytime soon, however, experts say the ransoms will continue to skyrocket, funding better criminal intelligence gathering and tools that only worsen the global wave of crime.
President Joe Biden did not get any assurances from Russian President Vladimir Putin in Geneva last week that the cybercriminals behind the attacks would not continue to enjoy safe haven in Russia. At the very least, Putin’s security services tolerate them. At worst, they work together.
Energy Secretary Jennifer Granholm said this month that she supported a ban on payments. “But I don’t know if Congress or the president is” in favor, she said.
And as Goldstein reminded lawmakers, paying doesn’t guarantee that you’ll get your data back or that sensitive stolen files won’t end up for sale in darknet crime forums. Even if the ransomware crooks keep their word, you will fund their next round of attacks. And you could be hit again.
In April, Justice Department senior national security official John Demers was lukewarm about a payment ban, saying it could put us “in a more confrontational posture vis-à-vis victims, which is not where we want to be.”
Perhaps the most vehement about a payment ban are those who know ransomware criminals best – the responders to cybersecurity threats.
Lior Div, CEO of Boston-based Cybereason, sees them as terrorists of the digital age. “It’s terrorism in a different, very modern form.”
A 2015 UK law prohibits UK-based insurance companies from reimbursing businesses for the payment of terrorism-related ransoms, a model that some believe should be universally applied to ransomware payments.
“In the end, the terrorists stopped kidnapping people because they realized they weren’t going to get paid,” said Adrian Nish, head of threat intelligence at BAE Systems.
U.S. law prohibits material support to terrorists, but the Justice Department in 2015 waived the threat of criminal prosecution for citizens who pay ransoms to terrorists.
“There is a reason this is a policy in terrorism affairs: you give too much power to the adversary,” said Brandon Valeriano, researcher at Marine Corps University and senior adviser to the Cyberspace Solarium Commission, a bipartisan body created by Congress.
Some ransomware victims have taken principled stands against payment, human costs be damned. One is the University of Vermont Health Network, where the bill for recovery and services lost after an attack in October was over $63 million.
Ireland also refused to negotiate when its National Health Service was hit last month.
Five weeks later, healthcare information technology in the country of 5 million people remains severely hampered. Cancer treatments are only partially restored, e-mail service is spotty, and digital patient records are largely inaccessible. People crowd emergency rooms for lab and diagnostic tests because their primary care doctors can’t order them. As of Thursday, 42% of the system’s 4,000 computer servers had still not been decrypted.
Criminals handed over the software’s decryption key a week after the attack – following an unusual offer from the Russian Embassy to “assist with the investigation” – but recovery was a painful task.
“A decryption key is not a magic wand or a switch that can suddenly reverse the damage,” said Brian Honan, one of Ireland’s top cybersecurity consultants. Each recovered machine should be tested to ensure it is free from infection.
The data shows that most ransomware victims pay. Insurer Hiscox says just over 58% of its affected customers pay, while leading cyber insurance broker Marsh McLennan puts the figure at around 60% for its affected US and Canadian customers.
But paying doesn’t guarantee anything close to a full recovery. On average, ransom payers recovered only 65% of the encrypted data, leaving more than a third inaccessible, while 29% said they recovered only half of their data, cybersecurity firm Sophos found in a survey of 5,400 IT decision-makers from 30 countries.
In a survey of nearly 1,300 security professionals, Cybereason found that 4 out of 5 companies that chose to pay ransoms suffered a second ransomware attack.
This calculus notwithstanding, deep-pocketed companies with insurance coverage tend to pay.
Colonial Pipeline paid almost immediately last month to get fuel flowing again to the U.S. East Coast, before determining whether its data backups were robust enough to avoid payment. Meat processing goliath JBS later paid $11 million to avoid potentially disrupting the U.S. meat supply, though its data backups were also found to be sufficient to bring its plants back online before serious damage was done.
It is not clear whether concern about stolen data being dumped online influenced either company’s decision to pay.
Colonial wouldn’t say if fears that the 100 gigabytes of stolen data could end up in the public eye were factored into CEO Joseph Blount’s decision to pay. JBS spokesman Cameron Bruett said that “our analysis showed that no company data had been leaked.” He wouldn’t say if the criminals claimed in their ransom note to have stolen data.
The Irish authorities were fully aware of the risks. The criminals claim to have stolen 700 gigabytes of data. So far, it has not surfaced online.
Public exposure of this data can lead to lawsuits or loss of investor confidence, making it a windfall for criminals. A ransomware gang seeking to extort a large U.S. corporation posted a nude photo of the CEO’s adult son on their leak site last week.
Representative Carolyn Maloney, chair of the House Committee on Oversight and Reform, asked in written requests to learn more about the JBS and Colonial cases as well as that of CNA Insurance, which Bloomberg News reported handed over $40 million to ransomware criminals in March. The New York Democrat said that “Congress needs to seriously consider how to break this vicious cycle.”
Acknowledging a lack of support for a ransom ban, Senate Intelligence Committee Chairman Mark Warner, D-Va., and other lawmakers want to at least force greater transparency on ransomware victims, who often do not report attacks.
They are preparing a bill that would make the reporting of attacks and ransom payments mandatory. They would have to be reported within 24 hours of detection, with the executive branch deciding case by case whether to make the information public.
But that won’t protect unprepared victims from potential bankruptcy if they don’t pay. For that, various proposals have been put forward to provide financial assistance.
The Senate this month approved legislation that would establish a special cybersecurity response and recovery fund to provide direct support to the most vulnerable private and public organizations affected by cyber attacks and major breaches.
Copyright © 2021 The Associated Press. All rights reserved. This material may not be published, broadcast, written or redistributed.