
Experts Weigh In on Refusing or Paying After a Ransomware Attack

Ransomware incidents have slightly declined recently, but they still compel organizations to weigh the pros and cons of paying ransoms to prevent the release of compromised data. The NCC Group's Threat Pulse Report from May indicates that while there's a dip in reported cases, the sectors most frequently hit remain Industrials at 34% and Consumer Cyclicals at 18%.
The ransomware ecosystem has seen shifts, with Hunters escalating from the eighth to the second most prolific ransomware group, with a 61% surge in attacks from March to April. RansomHub, overtaking RA Group, also saw a 42% increase in attacks during the same period.
The debate over the "no concessions" policy, traditionally applied in counterterrorism, now extends to ransomware, where the decision not to pay might deter future attacks but poses practical challenges for affected entities.
While there's no U.S. federal law explicitly prohibiting ransomware payments, the legal and financial implications are significant, as noted by the U.S. Department of the Treasury. This stance is supported by cybersecurity experts like Anne Cutler from Keeper Security, who argue that not paying could reduce the profitability of cybercrime, yet this strategy faces real-world implementation hurdles for businesses.


No-Pay Ransomware Strategy is Gaining Support

Cybersecurity experts and government figures have consistently advocated against paying ransoms, as Cutler points out, due to the belief that this approach could diminish the frequency of cybercrimes. The risk associated with ransom payments is high, with no assurance that data will be restored or access regained.
"Insurance policies for cybersecurity are now frequently amended to exclude coverage for ransom payments, pushing companies towards enhancing their defense mechanisms," Cutler elaborated.
She highlighted Japan's approach as an illustrative case. According to Nikkei Cross Tech and Japan Proofpoint, Japanese entities have one of the lowest ransom payment rates globally. Despite an uptick in ransomware attacks into 2023, there's been a modest reduction in the first half of 2024, as per the Metropolitan Police Department's report on cyber threats.
"Although it's uncertain whether Japan's reluctance to pay directly correlates with fewer attacks, it hints that a policy of minimal ransom payments might impact the ransomware landscape," Cutler observed.


Challenges Enforcing Ransomware Payment Bans

Craig Jones, Vice President of Security Operations at Ontinue, acknowledged that within the cybersecurity community, there's ongoing debate about the merits of prohibiting ransom payments as a strategy against ransomware. However, he emphasized that implementing such a ban is complex.

"While it might discourage attackers by removing their profit motive, the practical enforcement of this, particularly given the anonymity of cryptocurrencies, poses significant challenges," Jones explained to TechNewsWorld.

He noted that in dire circumstances, companies might still opt for secret ransom payments to retrieve essential data or resume operations, which could weaken the impact of any ban. Jones advocates for a comprehensive strategy instead. He supports bolstering cybersecurity measures, fostering global collaboration to pursue and bring cybercriminals to justice, and overseeing the cyber insurance sector.

"This holistic approach tackles both the origins and outcomes of ransomware, sidestepping the enforcement issues and unintended side effects of outright bans," he argued.

"Such a strategy recognizes the intricate and international aspects of cyber threats, providing a balanced response to reduce ransomware vulnerabilities," Jones concluded.

‘No Concessions’ Ransomware Policy Risks and Realities

Theoretically, clauses that prohibit payments aim to undercut the financial incentive for cybercriminals by thwarting their ransom demands. Yet, implementing such a policy on a global scale presents significant hurdles, according to Jason Soroko, Senior Vice President of Product at Sectigo, a firm specializing in certificate lifecycle management (CLM).
"Although a ban on ransom payments could eventually reduce the frequency of attacks, it might leave victims, particularly those in critical infrastructure, vulnerable to substantial operational setbacks," Soroko explained to TechNewsWorld.


He further noted that any legal prohibition on ransom payments must be meticulously designed to prevent unforeseen issues, such as compelling entities to conduct transactions covertly or worsening the impact during an ongoing cyber assault.

"The challenge lies in striking the right balance between discouraging criminal activity and ensuring the safety of vital services," Soroko remarked.


Strengthening Cybersecurity Through Employee Training

Patrick Tiquet, Vice President for Security and Architecture at Keeper Security, emphasized the critical role of employee training in cybersecurity.
"Employees serve as the initial barrier against cyber threats. Ongoing education should highlight the need for caution with unsolicited multi-factor authentication (MFA) requests," he stated.
He recommended that training programs should teach staff to scrutinize any unexpected alerts promptly and report any anomalies swiftly. Conducting mock phishing campaigns and MFA push notification drills can significantly enhance employees' ability to identify and react to potential threats, Tiquet added.
"Creating an environment where employees are encouraged to report security concerns without hesitation is key to rapid threat detection and mitigation," he concluded.

Tips to Avoid Ransomware Payment Dilemmas

Ngoc Bui from Menlo Security contends that criminalizing ransom payments globally might not be advisable. While it could motivate cybercriminals, the refusal to pay might lead to greater harm, particularly for entities in vital sectors.
"Ransomware disruptions can be devastating, and the focus should be on safeguarding operations and stakeholders. Additionally, such incidents should serve as educational moments for enhancing security protocols with actionable insights," Bui explained.
The best defense against the dilemma of whether to pay or not is to prevent ransomware attacks in the first place. Patrick Tiquet suggests that managing third-party contractor security is key. This involves detailed background checks and security evaluations to confirm that contractors adhere to high security standards before they're given access to critical systems.
"After contractors are integrated, it's vital to adhere to the principle of least privilege," Tiquet advised. This principle involves limiting contractor access strictly to what's required for their job functions. Ongoing reviews of third-party permissions are also essential to quickly identify and address any suspicious activities, thereby reducing the risk of security incidents.