Let’s Talk Ransomware Payments
Ransomware payments are a problem. A big one at that, and we need to talk about it. In some cases they are a 'dirty secret' that allows organisations to brush a big problem like a cyberattack under the carpet, without proper disclosure, reporting or remediation. Something has to change, but what? And how?
At the beginning of the year, the UK government consulted on a ban on all UK public bodies making ransomware payments. Private companies, on the other hand, would be legally required to report their intention to make a ransomware payment before paying out, and such a payment could be blocked if it would go to a sanctioned group or a foreign state. Either way, if the proposed law is passed, reporting would be mandatory, which can only be a good thing.
Ransomware payments are a long-standing problem that governments across the world have tried to deal with in their own ways. With this proposed law, the UK government is trying to set a standard and make the public sector (including critical national infrastructure) an uninteresting target. Ransomware gangs are run like businesses, and businesses aim to make money. If a class of victim cannot pay, attacking it becomes far less attractive.
However, it may take some criminals some time to get the memo, and that can be messy. In the meantime it is likely that some public sector organisations will take a hit, so it is paramount that the government provides incident response capability that limits the damage. The lessons and threat intelligence from those incidents must then be shared, so that others can learn from them.
Of course, not paying ransoms has always been best practice. What the government is doing is taking that best practice and writing it into law. Ransomware has always given security and business leaders a headache. In some organisations a ransomware payment is treated as a 'get out of jail free' card, and it is not unheard of for an organisation to set aside an operating fund for potential ransoms and cybercrime. However, paying a ransom is no guarantee that you will get your data back, that the decryptor will work, or that data already stolen will not be leaked or sold on anyway. You are dealing with criminals, after all, who are not known for their decorum or honest dealing.
On the other hand, 'brushing under the carpet' (i.e. not disclosing that a payment was made) does not guarantee effective remediation and, ultimately, others cannot learn from it. There is a lack of transparency on the subject, with shame still shrouding ransomware as a whole. We need to understand the proposed rules in more detail, but more transparency is always welcome.
Security leaders often find themselves in a catch-22, as I discussed in the last Hacker Headspace. Teams are under-resourced and overworked, yet litigation looms large if failings are found. Sometimes the best efforts of the greatest security teams are not enough when the resources to support them are not there. Investment in security is critical, but organisations must balance proactive and reactive cybersecurity measures.
Ideally, risk reduction strategies (proactive measures) are the best investment, but they can be harder to get board buy-in for. Incident response after something has happened (putting out fires) is readily seen as worthwhile, even though the risk of that event occurring could have been reduced up front by proactive measures such as attack surface mapping and vulnerability scanning. It has always been hard to quantify risk and to show how investment translates into risk reduction, especially in a way the board understands. Cybersecurity is, after all, like selling tornado insurance in a place that has not had a tornado in 200 years.
Standardised reporting should make it easier for boards to understand risk, especially as it is hard to show consistency today. There are not enough good ways to communicate and condense risk, yet there is a diverse set of ways to protect against it. An organisation's nest egg (its 'just in case' fund) could be better spent securing proactively, if it is invested well. Standards like EPSS (the Exploit Prediction Scoring System, which estimates the likelihood that a given vulnerability will be exploited in the wild), which we are proud to support, are a step in the right direction for real-time, relevance-based, standardised risk reporting.
Legislation, like that proposed by the government, can sometimes force boards into action, especially when non-compliance carries legal or financial consequences. Sometimes the right kind of pressure helps the C-suite understand. Ultimately, risk acceptance needs to sit at CEO and COO level, as they make the decisions.
Whilst it is not yet perfect, the UK government's proposed ban on ransomware payments in the public sector is a big step in the right direction, and I look forward to seeing what happens next.