25 Ways to Stop Ransomware

Introduction

What if a single policy could destroy ransomware gangs overnight?

The UK government will propose strong counter-ransomware measures, including mandatory reporting, a licensing regime for payments, and a ransom payment ban for critical national infrastructure organizations, according to a report by The Record.

These proposals will be open to public consultation, potentially leading to new laws, though not immediately.

Today, I will talk about the proposal and share additional ideas on how to pull the plug on ransomware for good.

Here is what you can expect.

My discussion primarily centers around policies to counteract this ransomware crisis, less on criminal investigations and technical measures to unmask members of ransomware gangs. Don’t worry, it will be super exciting.

Some of my ideas in this article are presented in a very polarizing way. I am doing this on purpose because I believe that presenting ideas in their purest form encourages healthy discussions and out-of-the-box thinking.

All I want is for you to play with these ideas and then join me in the comments to discuss – in a more nuanced way – how to find a balanced approach.

And yes, this is a very comprehensive article, so if you don’t have time, it might be a good idea to bookmark it now for future use.

What is Ransomware?

Ransomware is a type of malware that infects computers and encrypts valuable files.

On your personal computer, ransomware focuses on your Documents folder and things with sentimental value, like a family photo album.

On company devices, the priority shifts towards customer data, financial statements, research data, emails, or the source code of an application that you are selling.

On an unprotected company network, it might infect hundreds of computers before it starts the encryption routine, for maximum damage.

Ransomware gangs rarely have moral values, and most don’t care if they cripple the NHS or the British Library. It’s all about that sweet, sweet money!

Once everything is encrypted, the victim is asked to buy a decryption key with Bitcoin. Tutorials on how to do this, including 24/7 tech support and customer service via live chat, are provided for your convenience.

Source: https://www.chainalysis.com/blog/ransomware-2024/

Damage of Ransomware?

Ransomware is big business. In 2023 alone, ransom payments exceeded $1.1 billion, and the trend only goes up.

Ransomware causes significant damage in multiple ways:

  1. Business disruption: Shutting down operations for a week can cost millions in lost revenue.
  2. Reputational damage: Companies may lose customers and struggle to win new business due to lost trust.
  3. Financial losses: Expenses include the ransom, business disruption, incident response teams, and recovery time.

Worst of all, many companies never get their data back, even after paying the ransom. Who would have guessed that criminals cannot be trusted…


Who is Behind Ransomware?

Ransomware groups, often based in countries like Russia, North Korea, China, and Iran, consist of both cybercriminals and nation-state actors.

These groups heavily rely on ransomware payments as a significant portion of their annual revenue.

Ransomware has become so accessible that nearly anyone can get involved and profit from it.

Even you can join in on the fun and make a quick buck along the way with ransomware-as-a-service.

Here's how it works: The platform gives you a personalized version of the ransomware with a unique ID tied to you.

Any money made from that specific version gets split between you and the gang.

People use this in a couple of sneaky ways.

A company insider might deliberately infect their employer's network.

Others might take their ransomware installer and bundle it with the cracked version of a popular app or game and upload it as a torrent.

The possibilities are endless.

Obviously, this is not a world anyone wants to live in, so let’s see how we can fix this.


UK Government Proposals on Ransomware

The Record reports that the UK government is taking action against ransomware gangs with three policy proposals.

Mandatory Reporting of Ransomware Attacks

The first proposal addresses the problem that many companies never report ransomware attacks.

Many perceive cyber attacks as a loss of face or worry about their future revenue.

The problem is that this plays into the criminals’ hands by making it more difficult for organizations like the National Cyber Security Centre (NCSC) and the Information Commissioner’s Office (ICO) to effectively prevent future attacks.

This is not just a UK phenomenon. Jen Easterly, the head of the U.S. Cybersecurity and Infrastructure Security Agency (CISA), criticized the typical way businesses handle incidents in an article for Foreign Affairs.

“When most companies detect a cyber-intrusion, too often their default response is: call the lawyers, bring in an incident response firm, and share information only to the minimum extent required. They often neglect to report cyber-intrusions to the government for fear of regulatory liability and reputational damage. In today’s highly connected world, this is a race to the bottom.”

To address this, the UK government wants to make reporting of any cyber incidents or ransomware attacks mandatory.

Ransomware Payments Only With Government Permission

The second proposal would create a licensing system for ransomware payments.

Companies would need to obtain government approval before being allowed to pay a ransom.

This would give authorities a chance to explore alternative solutions with the victim company.

It could also give firms more leverage in negotiations with attackers, i.e., “The government said no” or “We are only allowed to pay up to £500”.

Ban Ransomware Payments for Critical Infrastructure

In the third proposal, the government considers an outright ban on ransom payments for organizations involved in critical national infrastructure.

The aim is to remove the financial incentive for targeting these vital services.

My thoughts

The UK’s plans to fight ransomware sound great on paper, but will they actually work? It all depends on the details.

How far is the government willing to go in imposing severe penalties to enforce compliance with these new regulations?

For example, what happens if a company doesn’t report a ransomware attack? Will it be a slap on the wrist with a £100 fine?

Or are we talking about a percentage of annual revenue fines, in combination with holding the decision maker personally liable for these fines in case of non-compliance?

Will there be a whistleblower system where an employee can earn a reward for reporting their company and manager for non-compliance?

It’s the same for the licensing scheme. What happens if a company pays without a license?

If we had similarly strict enforcement mechanisms, it could certainly work. If not, it would probably be a toothless paper tiger.

Banning ransomware payments for companies in critical infrastructure is a great idea, but does it go far enough?

Maybe banning ransomware payments for all businesses would be even better; more about this later in the article.

If executed the right way, these are three great proposals that I fully support.

I would propose even stronger measures.

My Anti-Ransomware Approach

My main idea can be broken down into four categories:

Prevent Ransomware Attacks

Educate People

Most scams, frauds, and ransomware attacks could be prevented if people knew how each of them worked, how to spot them, and how to keep themselves safe online.

I recommend making fraud prevention part of every school, college, and university curriculum.

We should also offer similar in-person and online classes for people of all ages who want to keep themselves safe online.

Hold Email Providers Accountable

I recommend holding email providers accountable to implement better spam folders.

A large language model like Gemini or ChatGPT could flag many common scam emails and offer users a plain-language explanation of how each scam works.

For example, it could say, "Warning: Do not reply! This is a scam email. They are trying to recruit you as a money mule. They will send stolen money to you and then ask you to forward it to them. This is called illegal money laundering, and you will be arrested if you participate in it."

This is not directly related to ransomware, but it still helps prevent ransomware attacks, for example, by reducing the number of possible money mules to limit the ways criminals are able to launder money.

Enforce Mandatory Cyber Security Standards

Most companies know little about cybersecurity. It’s often seen as an inconvenient nuisance that nobody wants to talk about.

Ahhhh… Ignorance is bliss…

Even when its importance is seen, cybersecurity initiatives are often limited by budget or strategic priorities.

How can we solve this?

Maybe cars are a good analogy. In the past, there were no seat belts, airbags, or crumple zones. Today, most safety features are a legal requirement.

There are many amazing cybersecurity frameworks that would do a great job of minimizing the risk of cybersecurity incidents, including ransomware.

What if we made the implementation of a cybersecurity framework mandatory? Like a seatbelt for your IT.

Now, I am not talking about getting a small one-person business ISO 27001 certified. That can be limited to larger organizations.

We should use the right tool for the right job; for smaller companies, this could be the NCSC Cyber Essentials standard or the NIST Cybersecurity Framework.

Minimize Damage

Compulsory Immutable Backups

The number one reason companies end up paying a ransom is that they have no backups of their data.

Or if they had backups, they probably set them up in a way that allowed the ransomware to encrypt their backups, too.

That’s why you must always detach the backup drive once the backup is complete. As long as it stays connected, the ransomware can mess with it, defeating the entire purpose of backups.

I recommend having at least two backups.

One immutable cloud backup. That’s tech-speak for a copy that cannot be altered or deleted for a set number of days, not even by an administrator whose account has been compromised. This usually works best with professional backup providers such as Backblaze or Microsoft Azure Backup.

And one offline backup that is physically detached at all times and stored in a different location in case of disasters such as fire or flooding. Have a look at tape backups. They are surprisingly good and affordable today.

Tested backups of everything mean your business can fully recover from a ransomware attack without ever considering a ransom payment for the decryption key. Backups do not, however, stop a gang from publishing data it stole before encrypting, which is why the privacy points later in this article matter too.
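To make the "cannot be altered or deleted for a set number of days" property concrete, here is an added example in Python that is not code from the article, from Backblaze or from Azure Backup. It models a write-once backup bucket whose two lock modes follow the S3 Object Lock semantics of compliance (nobody can shorten or delete before expiry) and governance (a principal holding a bypass right can); the class and method names, the objects, the dates and the intruder are all invented for the example. It shows what an intruder who has stolen the backup agent's credentials, including a governance-bypass right, can and cannot destroy, and, in a second run, what happens when the retention window is shorter than the time the intruder spent inside the network.

```python
"""Constructed model of a write-once (immutable) backup store.

Added illustration for the article; not code from the article, Backblaze
or Azure Backup. Lock modes follow the S3 Object Lock semantics of
"compliance" (nobody can shorten or delete before expiry) and "governance"
(a principal with a bypass right can), but every name here is invented.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta


class ImmutabilityError(PermissionError):
    """A write, delete or retention change would break a retention lock."""


@dataclass
class LockedObject:
    data: bytes
    retain_until: datetime
    mode: str  # "compliance" or "governance"


@dataclass
class WormBucket:
    objects: dict = field(default_factory=dict)

    def put(self, key, data, retention_days, now, mode="compliance"):
        """Store a backup object. Existing keys are never overwritten in place."""
        if key in self.objects:
            raise ImmutabilityError(f"{key} is locked; write a new object instead")
        self.objects[key] = LockedObject(data, now + timedelta(days=retention_days), mode)

    def _require_unlocked(self, obj, now, bypass):
        if now >= obj.retain_until:
            return  # retention has expired; ordinary lifecycle rules apply
        if obj.mode == "compliance":
            raise ImmutabilityError("compliance lock: cannot be removed before expiry")
        if not bypass:
            raise ImmutabilityError("governance lock: bypass permission required")

    def delete(self, key, now, bypass=False):
        self._require_unlocked(self.objects[key], now, bypass)
        del self.objects[key]

    def shorten_retention(self, key, new_until, now, bypass=False):
        """Retention can always be extended; shortening it counts as unlocking."""
        obj = self.objects[key]
        if new_until < obj.retain_until:
            self._require_unlocked(obj, now, bypass)
        obj.retain_until = new_until


def attacker_run(bucket, now, stolen_bypass):
    """An intruder holding the backup agent's credentials tries, per object, to
    overwrite it with ciphertext, then to shorten its retention and delete it.
    Returns {key: True if an intact copy survived}."""
    survived = {}
    for key in list(bucket.objects):
        try:
            bucket.put(key, b"ENCRYPTED", 1, now)
        except ImmutabilityError:
            pass
        try:
            bucket.shorten_retention(key, now, now, bypass=stolen_bypass)
            bucket.delete(key, now, bypass=stolen_bypass)
        except ImmutabilityError:
            pass
        survived[key] = key in bucket.objects and bucket.objects[key].data != b"ENCRYPTED"
    return survived


def demo_lock_modes():
    """30-day retention; intruder strikes on day 10 with a stolen bypass right."""
    t0 = datetime(2024, 6, 1)
    bucket = WormBucket()
    bucket.put("db-2024-06-01.dump", b"good data", 30, t0, mode="compliance")
    bucket.put("files-2024-06-01.tar", b"good data", 30, t0, mode="governance")
    return attacker_run(bucket, t0 + timedelta(days=10), stolen_bypass=True)


def demo_short_retention():
    """7-day retention; intruder strikes on day 10, after the lock has expired."""
    t0 = datetime(2024, 6, 1)
    bucket = WormBucket()
    bucket.put("db-2024-06-01.dump", b"good data", 7, t0, mode="compliance")
    return attacker_run(bucket, t0 + timedelta(days=10), stolen_bypass=False)


if __name__ == "__main__":
    print(demo_lock_modes())       # {'db-2024-06-01.dump': True, 'files-2024-06-01.tar': False}
    print(demo_short_retention())  # {'db-2024-06-01.dump': False}
```

The first run is the point of immutability: the compliance-locked dump survives even though the intruder holds a bypass right, while the governance-locked archive does not. The second run is the caveat: ransomware crews commonly sit inside a network for days or weeks before they encrypt, so a retention window shorter than that dwell time means the clean copies have already aged out by the time you need them. Size retention to cover detection plus recovery, use the compliance-style mode for the copies you actually rely on, and keep the backup credentials separate from the administrator accounts an intruder is most likely to have captured.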

Mandatory Cyber Insurance

Insurance companies are often overlooked when it comes to making the world a better and safer place.

That’s a shame because they have the knowledge and motivation to make your company as safe as possible when it comes to cybersecurity, once you sign up for a cyber insurance policy with ransomware protection.

You see, if they keep you safe, they never have to pay you any money.

Insurance companies can offer you better rates if your business is fully certified and audited in a well-known cybersecurity framework.

By making cyber insurance with ransomware protection mandatory for every business, there is a huge incentive for companies to lower their ongoing fees by investing in their cybersecurity posture.

Report all Cyberattacks within 24 Hours

Building on the UK’s proposal, I believe that having an accurate, up-to-date list of all cyber incidents is super important for the government.

All incidents should be reported within 24 hours.

There should also be continuous communication through the remediation process, and the final report should be shared after the Lessons Learned phase.

The more data the government has, the easier it is to identify patterns and unmask threat actors.

Mandatory reporting should be combined with significant fines for both the company and its decision-makers in case of non-compliance.

I also recommend offering rewards for whistleblowers who report their company for covering up incidents.

Stricter Privacy Laws

This point is not strictly about ransomware alone but about cases where ransomware gangs threaten the publication of stolen and encrypted data, which could include sensitive customer information.

I recommend the implementation of stricter privacy laws.

One of the biggest mistakes of the GDPR was to focus on unimportant details such as cookie consent banners instead of looking at the elephants in the room.

For example, how Google Chrome uses your entire browser history to determine your interests in Google Ads.

Or how Meta is allowing advertisers to trade email addresses and phone numbers without the users’ knowledge or consent and then upload them as custom audiences for ad targeting.

In the case of ransomware, most companies are too data-greedy and store way more information about customers than necessary.

Why, for example, does someone need to know my date of birth if I sign up for an email newsletter?

Or why is my home address needed if I want to download a free PDF?

Limiting the amount of data that companies are allowed to collect would dramatically limit the potential damage of any cyber breach to third parties.

Motivate Companies & Management

I believe in a good mix of carrot and stick when it comes to motivation.

In our case, we want to motivate companies to invest in their cybersecurity posture and to be compliant with laws and regulations.

While the stick is good, I believe the carrot can be even more effective, and the two should always come as a bundle.

Some simple ideas that the government could implement are tax credits for cyber security training, certification of cybersecurity standards, cybersecurity audits, cyber insurance, and backups.

These investments could be valued above market value for extra motivation.

For example, if a company paid £1000 for cyber insurance, the government might give them a 130% tax credit worth £1300. In this case, compliance would actually lower each company's tax bill.

Cyber insurance companies can do their part by offering lower monthly fees for implementing cybersecurity standards and auditing the company's cybersecurity posture.

Non-compliant companies should face significant fines.

Leadership should be personally held responsible for violations.

A whistleblower system would incentivize adherence to rules.

Breaking The Ransomware Business Model

I believe the most effective solution to minimize ransomware is going after their business model.

If we destroy the ways they get paid, we are not only making it almost impossible for them to earn any money, but we are also wrecking the business model of the most common scams, frauds, and money laundering in general.

Ban Ransom Payments

Banning ransomware payments for critical infrastructure is a good start, and it would certainly make attacks on a country that banned these payments less attractive.

For that reason, I would ban ransomware payments altogether.

Sure, some criminals might be lucky enough to convince a company to break the law or to get an owner to pay a ransom from their personal account, but it’s so much more work and hassle.

Going for countries with no such restrictions would make it a lot easier for them to pull off successful ransomware attacks.

If we can incentivize companies to implement proper security measures and compulsory immutable offsite backups, ransom payments would rarely be necessary because the data can be restored.

Ban Crypto

Ever wondered how ransomware gangs get paid $1.1 billion per year?

That’s 1,100,000,000 when written out in its long form.

Or about 18,333 full-time employees with an annual salary of $60,000 per year.

That’s a lot of money!

Shouldn’t we be able to trace the transactions, shut down their bank accounts, and send over a SWAT team to knock down their doors?

No, it’s not that easy.

For one, most ransomware gangs operate from within Russia, North Korea, China, and Iran, which complicates things.

But, more importantly, ransomware gangs usually don’t ask for cash.

They almost exclusively use cryptocurrency, and those transactions cannot be reversed because no central party controls the blockchain.

So what?

Give up?

Well, let me ask you a serious question…

Even with all the hype in recent years, it has become clear that all the promises about crypto never came true and likely never will become true.

It turns out the only real utility of cryptocurrencies is paying for illegal goods such as stolen credit cards, drugs, ransomware payments, money laundering, and tricking gullible hobby investors into investing their life savings into buying the URL of an image (NFTs), or one of the so-called Shitcoins in hopes of becoming crazy rich overnight.

With all that in mind, the real question is…

Should we ban all cryptocurrencies?

This would make it super difficult for ransomware gangs to get paid, at least somewhat anonymously.

Ok, granted, the decentralized nature of crypto coins would make it really difficult to physically shut them down, but we don’t even have to shut down everything.

Ban Crypto Exchanges

Instead, we could ban crypto marketplaces such as Binance, Coinbase, or Kraken.

These exchanges allow customers to trade real currencies such as USD, GBP, or EUR for cryptocurrencies.

Instead of banning crypto, we could make these exchanges illegal and prevent any bank from sending money to them.

You don’t even have to ban marketplaces in every country. It would probably be enough to ban them in a coalition of willing nations such as the USA, UK, and EU to wreck crypto for good.

Heck, with enough political will, we could enforce this ban globally by threatening to exclude any international bank from the SWIFT banking system if it engages in any form of crypto trading.

If people can’t convert crypto to fiat money and vice versa, crypto becomes entirely worthless, and its value drops to zero.

No crypto = no pseudonymous ransomware payments.

And, as a welcome byproduct, this would also crack down on money laundering and sanctions evasion.

Remember, I told you that I would share some controversial opinions.

You don’t have to agree with me. You are welcome to think these ideas are too extreme. That’s ok!

All I am asking you is to play with the idea because even if you don’t like it, there is a grain of truth in what I just said.

Remove Anonymity from Crypto

If the previous idea was too drastic for you, let’s think about something less extreme.

How about this…

Let’s find a willing coalition of nations, let’s say the USA, UK, and EU in the beginning.

Then, make the following announcement.

Give every citizen in each of these three regions a deadline of, let’s say, one year into the future.

Within that timeframe, each person who owns crypto is required to register each of their personal wallet addresses that hold any amount of crypto with the government.

After that deadline, only funds within wallet addresses that are officially registered with the government would be allowed to make deposits or withdrawals from crypto exchanges.

Any non-registered funds sent into a registered wallet after the deadline would be unusable until they have been properly declared, registered, and approved by the government. On a public blockchain, a direct transfer from an unregistered address into a registered one is easy to spot; the bookkeeping only gets hard once funds are run through mixers, hopped across several coins, or combined with legitimate funds in a single transaction.

Any transactions above a certain threshold would also have to be reported to the government with details about the identity of the recipient and the purpose of the funds. Failure to adhere to reporting requirements would result in painful fines or even jail time.

This approach would turn crypto from semi-anonymous to almost entirely traceable.

It would also give the government significant control over any crypto in circulation, simply by being able to blocklist funds from specific wallet addresses and thereby prevent crypto exchanges from processing those funds.

The less anonymity, the more difficult it becomes for criminals to use their funds.
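The registration scheme above boils down to taint tracking: every output on the ledger is either of declared origin or not, and an exchange refuses or freezes anything that is not. The following added example, which is not code from the article and uses made-up transactions, addresses and amounts, runs that bookkeeping over a small UTXO-style ledger (each transaction spends earlier outputs and creates new ones; "registered" stands in for a wallet declared to the government). It shows the easy case, a ransom payment hopped through a mule, and the hard case, where the ransom coins are joined with a legitimate user's coins in one transaction and the exchange has to pick a rule for the result.

```python
"""Constructed taint-propagation example for the wallet-registration scheme.

Added illustration; not code from the article. Transactions, addresses and
amounts are made up, 'registered' means a wallet declared to the government,
and a UTXO-style ledger is assumed.
"""
from fractions import Fraction

REGISTERED = {"alice", "bob", "exchange-hot"}

# (txid, inputs as [(txid, vout)], outputs as [(address, amount)]).
# Transactions with no inputs mint coins; their taint depends only on
# whether the receiving address is registered.
TXS = [
    ("t1", [], [("alice", 10)]),                                 # declared coins
    ("t2", [], [("ransom-wallet", 5)]),                          # undeclared ransom
    ("t3", [("t2", 0)], [("mule", 5)]),                          # hopped via a mule
    ("t4", [("t1", 0), ("t3", 0)], [("bob", 12), ("ransom-wallet", 3)]),  # joined
    ("t5", [("t4", 0)], [("exchange-hot", 12)]),                 # bob deposits
]


def index_outputs(txs):
    """Map (txid, vout) -> (address, amount) for every output on the ledger."""
    return {(txid, vout): out
            for txid, _, outs in txs
            for vout, out in enumerate(outs)}


def taint_fractions(txs, registered, policy="haircut"):
    """Return {(txid, vout): Fraction of that output's value of undeclared origin}.

    policy="haircut": an output inherits the value-weighted taint of the inputs.
    policy="poison":  any tainted input makes every output fully tainted.
    """
    outputs = index_outputs(txs)
    taint = {}
    for txid, inputs, outs in txs:           # ledger order: inputs precede spends
        if not inputs:
            for vout, (addr, _) in enumerate(outs):
                taint[(txid, vout)] = Fraction(0 if addr in registered else 1)
            continue
        total = Fraction(0)
        tainted = Fraction(0)
        for ref in inputs:
            _, amount = outputs[ref]
            total += amount
            tainted += amount * taint[ref]
        if policy == "poison":
            share = Fraction(1 if tainted > 0 else 0)
        elif policy == "haircut":
            share = tainted / total
        else:
            raise ValueError(f"unknown policy {policy!r}")
        for vout in range(len(outs)):
            taint[(txid, vout)] = share
    return taint


def frozen_amount(txs, registered, ref, policy="haircut"):
    """Value of the deposit `ref` that an exchange would hold back under `policy`."""
    _, amount = index_outputs(txs)[ref]
    return amount * taint_fractions(txs, registered, policy)[ref]


if __name__ == "__main__":
    for policy in ("haircut", "poison"):
        held = frozen_amount(TXS, REGISTERED, ("t5", 0), policy)
        print(f"{policy:8}: exchange freezes {held} of bob's 12-coin deposit")
```

Transactions t2 and t3 are the easy case: the ransom coins stay fully tainted through the mule, so a registered wallet receiving them would be flagged immediately. Transaction t4 is the catch. Once the ransom coins are joined with Alice's declared coins, there is no fact of the matter about which of Bob's 12 coins came from where. Under the haircut rule the exchange holds back 4 of his 12 coins; under the poison rule it holds back all 12, and Bob, who did nothing wrong, is the one who pays. Either choice is a policy decision, and mixers exist precisely to manufacture transactions like t4 at scale, which is where "super easy" stops applying.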

Of course, any of these crackdowns on crypto would cause the cybercriminals to move to a less regulated alternative.

So, let’s have a look at how we can wreck these, too.

Ban Gift Cards

One of the most common ways for cybercriminals to launder illegal funds is via gift cards that you can buy in supermarkets.

For example, for in-game currencies in Fortnite, a $100 gift card from Amazon, a voucher for 6 months of Spotify Premium, etc.

These gift cards contain redeemable codes that can be traded.

Here is how this normally works:

Let’s say a criminal got you to buy them a $100 Amazon gift card.

They would then ask you to send them the redemption code via email.

This gift card code, worth $100, is then sold for $80 worth on a gift card marketplace in exchange for the equivalent amount in Bitcoin.

The buyer is happy because they got a great deal and saved 20% on their next Amazon purchase.

The scammer is happy because they now have Bitcoin that cannot be invalidated by the gift card company and can be laundered further. Win-win.

And lose-lose for the victim.

What can we do about it?

1. Ban Gift Card Exchanges

The first step should be to make these gift card exchanges illegal.

There is really no legitimate reason why these should exist in the first place since they are almost exclusively used for money laundering.

2. Register Each Gift Card

The real problem is the gift cards and the fact that the codes can be traded.

One solution would be to force shops to register each card to the specific recipient, for example, the full legal name or a specific email address of the buyer.

This way, the code can only be redeemed on the account with an identical name or email.

Let’s say I registered my own email address for a 6-month Spotify voucher.

If anyone tried to redeem the code from an account with a different email address, Spotify would block it.

Even if it was successfully redeemed, a registered gift card reported as stolen could be invalidated retrospectively, making it very risky for buyers on gift card exchanges to purchase anything for fear of getting their codes revoked later.

3. Limit Gift Cards

Gift Cards should also only be redeemable within the same country (This is already the case for most cards).

At the very minimum, I would require that stores be limited to selling small amounts of gift cards to each customer and not more than $100 per customer per day in total.

4. Ban All Gift Cards

I personally would ban gift cards altogether.

Their existence is not only a paradise for scammers, but if you think about it, it’s also a really lazy and often undesired gift.

If you can’t think of something specific, just gift cash!

As a child, cash was always the preferred option over vouchers and gift cards.

Most gift cards I ever received were for stores I didn’t like in the first place, like The Body Shop…

So don’t be shy, just gift cash.

Ban Anonymous Prepaid Credit Cards

What other options do we have?

How about anonymous pre-paid credit cards?

This is not available in all countries. Some countries sell them over the counter just like gift cards, often with the option to upload any specific amount of money onto them at the time of purchase.

These would also be very useful for ransomware gangs, as they could use them to buy expensive items and then resell them later to cover their tracks.

Banning these should be a no-brainer, too.

Ban E-Money

Another category of services that should be banned is called e-money. This includes services like Paysafecard.

These are similar to digital wallets and allow users to pay for microtransactions.

Wallets can be topped up with cash cards available at many physical retail locations across many countries.

They are very similar to gift cards and are very useful for ransomware gangs and other criminals to launder money anonymously.

Ban Peer-To-Peer Payment Platforms

What about peer-to-peer payment services like Venmo, Cash App, or Zelle?

These platforms are often used in everyday transactions such as splitting bills, gifting small amounts, or even freelance payments.

Their accessibility and ease of use make them very useful for money laundering, especially if ransomware gangs recruit money mules to move funds between wallets.

Instead of banning these popular services, stricter regulations, better fraud detection, and mandatory, reversible money holds for first-time transfers might be options to consider.

Ban Microtransactions

Next, we should also ban microtransactions of any kind.

This is specifically an issue with many video games, where players can buy and sell digital items for real money, such as weapons, gimmicks, pets, clothing, spaceships, etc.

As unusual as this might sound, it would be wrong to overlook this as an alternative vector for laundering money.

Gamers are often willing to pay huge amounts of money for seemingly silly items. It would certainly be a suitable alternative for ransomware gangs.

“Your computer has been encrypted. Please visit the Star Citizen game shop and send a Polaris spaceship to username spacepirate666.”

Ban Remittance Services

Back to some of the more traditional services that are often abused for money laundering.

I am talking about money remittance services like Western Union, of course.

Here is how they work.

You walk into one of their branches, fill out a form, pay them in cash, or use your credit card.

They then send a notification to one of their partner branches around the world and instruct them to pay out the same amount minus their fees to the person listed on your form.

You just need someone to show up with some form of ID (which might not always be necessary) on the other side of the world to collect the payment, and your money will be gone for good.

I personally believe these services have little to no utility and shouldn’t exist.

Everything they offer can be accomplished with traditional bank accounts with way more safety and accountability.

But Tim, not everybody has a bank account. Some people might have bad credit and can’t get a bank account.

Well, how about this. Create a new law and force every bank to offer a free basic non-overdraft bank account to everyone who wants one, including people with bad credit.

Problem solved.

And one pathway less for ransomware gangs to get their money out of the country.

Limit Bank Accounts

Now we have banned so many things…

What if ransomware gangs go back to basics and use traditional bank accounts?

Can’t people wire money to anyone around the globe?

Yes, you are absolutely right, and that is a big problem. It shouldn’t be that easy!

I really like the idea of having a financial literacy driver’s license for all types of risky transactions, including investing, day trading, trading with leverage, making wire payments above certain amounts, or transferring money abroad.

By default, bank accounts should be locked down to only domestic payments and local withdrawals.

If you want to wire money abroad, you must apply for this at your bank. This would then unlock transfer limits up to a small amount that would be more than enough to cover most people’s vacation expenses.

Anything above that limit would require a higher tier. The bank could tie this tier to a fraud prevention workshop that customers must partake in to unlock higher limits.

There are many alternative ideas, for example, putting time locks of, let’s say, 10 days on any payment above a certain threshold, or all foreign payments in general, that allow customers to reverse the payment within that time frame.

Conclusion

Let me play Devil’s Advocate.

What if every single one of my ideas was implemented to the max?

Would we see a reduction in ransomware? Absolutely!

Would ransomware go away for good? Unfortunately, no.

The problem is that, despite our best efforts, many systems will remain vulnerable for a variety of reasons. That means ransomware could still make it onto these systems.

They might have difficulties getting paid, but some actors don’t care about that. They want to burn everything down and create maximum damage.

If an attacker is able to breach a system and elevate their privileges to the degree that they are able to encrypt an entire hard drive, they can do all kinds of other things that don’t involve ransomware.

They could use your machine to mine crypto, use it as a proxy server to cover their tracks, abuse your public IP to send spam email, scrape LinkedIn profiles, add secret SEO backlinks to other websites for their paying customers, engage in espionage and steal your sensitive intellectual property, and all sorts of other fun.

Many criminals are also very creative and might come up with new ideas on how to get paid, which can bypass all of my ideas so far. Then, it’s time to go back to the drawing board and come up with plan B.

This will always be a cat-and-mouse game, but if we take this seriously, we can make things get so freaking difficult that most players will not be able to participate in these games anymore.

But enough about what I think…

What do you think?

Which of these ideas do you think would work well?

Which do you believe are implausible?

Which should we implement? And which should we put in the bin?

Do you have any other great ideas on how to tackle ransomware that I missed?

Let me know in the comments.

#cybersecurity #informationsecurity #ransomware #crypto

More articles by Tim Queen