Intelligent CISO Issue 43 | Page 33

PREDICTIVE INTELLIGENCE

Would criminalising ransomware payments be a positive move for businesses ?

Preventing and preparing for ransomware attacks can prove extremely challenging for businesses . Zeki Turedi , CTO EMEA , CrowdStrike , analyses the threat of ransomware and its complex capabilities , and discusses the way forward for businesses and society . hen there are difficult

W problems to solve – like the massive surge in ransomware attacks over the last three to four years – people are attracted by swift , simple , decisive solutions which will allegedly make the problem disappear . The idea of criminalising ransomware payments potentially falls into this category .

Unfortunately , what makes problems difficult is that simple solutions don ’ t always end up as simple as initially perceived , and in some ways , might make the situation worse .
The appeal of simple common sense
It ’ s easy to understand the attraction of criminalising ransomware payments , though . First , it has a broad moral and logical appeal . We don ’ t negotiate with terrorists , runs the logic , because doing so empowers them and funds future crime . When ransoms are paid , cybercriminals are encouraged to attack more and more organisations . A ransom payment thus affects the future risk levels of businesses , hospitals and schools everywhere – paying up might be described as socially irresponsible in this context . Legislation would take this further : it would be criminal .
Second , it ’ s easy to imagine that the reverse is true : if criminals can ’ t make money from their attacks , because the victim is unable to pay , then putting time and effort into sophisticated ransomware attacks should surely become significantly less appealing . Current ransomware gangs aren ’ t a couple of teenagers in a basement somewhere , they ’ re part of a complex and mature , multi-layer shadow-business ecosystem . If their tactics aren ’ t making money , they ’ ll change those tactics and shift attention elsewhere .
And finally , paying ransoms is very rarely an effective solution anyway . There ’ s absolutely no guarantee that criminals will honour their side of the bargain when businesses pay up – they ’ re criminals , after all , and there ’ s no honour among thieves . Cybercriminals also return to the scene of the crime – if data has been extradited following a breach , they may well not delete it following a payment , and instead ask for
Zeki Turedi , CTO EMEA , CrowdStrike more money or launch further attacks later down the line . A 2021 survey from the insurer , Hiscox , found that 28 % of the businesses that suffered attacks were targeted on more than five occasions in 2020 . So , given that paying ransoms is such a weak tactic , wouldn ’ t criminalising it rightly discourage businesses from following this route ?
Criminal enterprise and agility
However , while these are reasonable arguments , they ’ re not without flaws .
The key problem is that adversary groups are extremely agile and clever : they ’ re not going to allow their major source of revenue to simply disappear through a new law . As I said , adversary groups ‘ shift tactics ’ when something isn ’ t working . In the last two years , for example , ransomware has moved away from simply encrypting file systems . One reason for this is that , over time , potential victims have become more and more likely to possess reliable , recent backups which can be deployed quickly , and so encrypted file systems are not the disaster they have been historically . Businesses could simply delete the infected systems and restore from backups .
Hence the rise of extortionware – copying information and using the threat of leaking stolen data – and the fines , lawsuits and reputational damage that entails – to extort payments . Ransomware has evolved and grown www . intelligentciso . com
33