Maksim Kabakou - Fotolia

Security Think Tank: How to tackle the scourge of ransomware?

In the wake of renewed calls for lawmakers to consider enacting legal bans on ransomware payments, the Computer Weekly Security Think Tank weighs in to share their thoughts on how to tackle the scourge for good.

Ransomware has developed to be both a lucrative and low-risk criminal activity.  It is also a threat to the economic health of developed nations as well as negatively impacting critical national infrastructure. A recent National Cyber Security Centre (NCSC) report on the near-term implications of artificial intellligence (AI) highlights that criminal gangs are already making embryonic use of this technology to enable cyber attacks, concluding that this trend will only grow in future. It is therefore little wonder that according to NCSC, “ransomware continues to be the most acute cyber threat facing UK organisations and businesses”. 

To tackle this pernicious problem, ex-NCSC chief Ciaran Martin has called for a complete ban on ransomware payments. This is based on the premise that attacks will cease when criminals no longer get paid. While we support the intention of eradicating ransomware and recognise it is a grave threat, we are not convinced that this approach would be workable in practice.

Ransomware is a new incarnation of the extortion racket. Legal systems have never criminalised the victims of extortion and it is unclear how payments can be banned without legal penalties being applied to those paying the ransoms. Payments to ransomware gangs are typically made via cryptocurrencies such as Bitcoin and given the anonymity features of cryptocurrencies, UK authorities may struggle to identify ransomware payments made in secret. Firms may also bypass UK regulations by paying in jurisdictions that don’t ban payments. 

To complicate matters further, firms operating in secret won’t engage with law enforcement so masking the problem. Some organisations also take the view that paying ransomware is no different than tolerating minor thefts, for example low levels of credit card fraud. They may therefore view ransom payments as just the cost of doing business. Collectively, these factors and attitudes will be difficult to change, meaning that (regrettably) banning ransomware payments is unlikely to work.

If banning payments is not the answer, then how can the UK tackle the issue of ransomware?

A ‘whole of society’ approach is required to tackle ransomware

Rather than risking alienating organisations through the banning of ransomware payments, the UK needs to build relationships between government organisations and business in line with its ‘whole of society’ approach set out in the UK’s National Cyber Strategy.

Businesses must understand their place in combating ransomware and feel supported by government and law enforcement agencies.  Recognising the long-term benefits to all if cyber-crime can be successfully reduced, businesses can play their part by:

  • Continuing to strengthen organisational protections to prevent ransomware incidents.  Though it can feel like a never-ending cyber race, businesses must keep investing in cyber security programmes so they are not seen as an easy target by criminals. Layered security measures will reduce the reliance on training and awareness, the failure of which is often the primary entry point of successful attacks.
  • Building up detection and response capabilities alongside well-practised recovery processes. Paying a ransom may not be the cheapest or easiest option for an organisation that has been unfortunate enough to suffer a successful ransomware attack, if they have effective, tried and tested recovery processes. Paying a ransom does not always guarantee regaining access to data and systems so recovery can become crucial regardless in reducing the impact felt.
  • Improving transparency with government/law enforcement agencies. By sharing knowledge of ransomware attacks with those actively seeking to deter and prosecute criminals, valuable intelligence and evidence can be gathered to prosecute criminals and prevent other organisations from becoming future victims.  Supporting the protection of all will reduce the viability of the ransomware industry.

The Security Think Tank on ransomware payment bans

Banning ransom payments is a good and right step forward, but must be done at the same time as providing additional resources to law enforcement and intelligence agencies, writes Rob Dartnall of SecAlliance.

Make IT suppliers legally liable for delivering secure-by-design solutions that are easy to maintain in a secure fashion

NCSC have long promoted the virtues of IT suppliers delivering secure-by-design and secure-by-default solutions. While IT suppliers are placing more importance on security there are still insecure products entering the market. Ransomware is (in part) benefiting from firms struggling to implement and maintain IT that was never designed with proper consideration of security needs. Making IT suppliers responsible for the liabilities related to faulty and insecure IT will focus the attentions of vendors. This is common practice in a number of industries such as car manufacturing or food production yet is not adopted at all in the IT industry.  Shifting the liability from the consumer to the producer of IT solutions will incentivise the creation of secure and resilient products.  This will dramatically reduce the vulnerabilities that ransomware relies on, making the work of cyber criminals much more difficult. 

Stop insurers paying out for ransomware payments

Cyber insurance also plays a role in the decision to pay ransomware demands. Insurers can offer reimbursement for ransom payments and often provide breach coaches and negotiators, who try to reduce the amounts that organisations then pay. While insurers should be mindful of the provisions of the Terrorism Act 2000 and the EU financial sanctions regime (which forbid the payment of funds if there are links to terrorism and/or certain entities or individuals) they still often pay out. Currently the payment of a ransom is not itself illegal in UK or international law.  Many pay not just to avoid business interruption losses, but also potential third-party claims where personal data has been compromised. If there could be more international co-operation to limit the payments from insurance firms, which are subject to regulation, then this would, in part, have a role to play in a ‘whole of society’ approach.

Criminalising payments may do little other than mask the problem and make it harder for law enforcement to engage with firms suffering ransomware attacks. Taking the steps outlined above offers a better approach to tackling ransomware than simply banning payments.

Toby Sibley and Louise Barber are cyber security experts at PA Consulting.

Read more on Hackers and cybercrime prevention

Data Center
Data Management