A US pipeline shut down. Irish hospitals stalled. A French insurer's operations hacked. A Toshiba business unit hit. In two weeks, four high-profile incidents alerted the world to the growing threat of ransomware attacks.
But as policymakers try to respond, they are finding that the problem is bigger than cybercriminals blackmailing companies and governments to regain access to their own data.
It extends to a booming cottage industry that has grown up around such attacks, involving everyone from cyber insurers to security consultants and programmers, in which many people can make money and few have an interest in stopping the attacks.
“Right now it’s very easy to pay for organized crime. Is that really right? Shouldn’t we have a serious policy review on it?” said Ciaran Martin, former head of the UK cybersecurity agency who now teaches at Oxford University.
The realization that industry players’ incentives may be skewed stems from the fact that ransomware is the single biggest cybersecurity threat that businesses and public services face.
For most victims, an attack begins when their computers are taken over by worm-like malware. It then spreads across local networks, encrypts data, locks screens and demands a ransom, often in cryptocurrencies such as Bitcoin, in exchange for returning control.
In hospitals, this means doctors cannot access patient files and have to work with pen and paper. Businesses lose access to operational data and critical trading records.
One reason such attacks are more widespread is the greater sophistication of the tools with which they are carried out.
DarkSide, the ransomware used to attack US pipeline operator Colonial, is in fact a complete ransomware-as-a-service platform, with features such as built-in calling services designed to put pressure on victims.
Other ransomware threatens to leak victims' data if they don't pay, or encrypts it twice to double the profits. Some strains were developed by state-affiliated groups in Russia and North Korea using exploits allegedly developed by US intelligence agencies.
So far, the authorities have a simple but clear message to fight the problem: don’t pay the hackers.
“Our position is clear: don’t pay,” said Philipp Amann, Head of Strategy at the European law enforcement agency Europol. “You are dealing with criminals. If you pay once, you are very likely to become a victim again.”
Officials also emphasize that companies and organizations should always make extensive backups of their IT systems. “If something bad happens, you at least know how to recover from such situations,” said Evangelos Ouzounis, head of the secure infrastructure department at the EU cybersecurity agency ENISA.
However, these messages are not stopping the attacks, which, on the contrary, have become more targeted and more lucrative over the past 12 months, according to a study by cybersecurity firm Sophos.
Nor do they stop victims from paying: more than half of them pay the ransom, although only a quarter of ransomware victims get all of their data back, according to a recent survey by cybersecurity firm Kaspersky. In Colonial's case, management paid out around $5 million to the hackers, according to Bloomberg.
Some victims have turned to outside experts to conduct ransom negotiations, spawning an industry of consulting firms offering "ransomware negotiation services" that promise to negotiate on victims' behalf and reduce the amount they have to pay to regain access to their data.
Many victims also recover their losses through cyber insurance policies, which generally reimburse businesses for ransom payments. According to the latest industry estimates, the cyber insurance market is expected to grow to tens of billions of dollars in the coming years.
Insurance associations have defended the practice of reimbursing ransomware payouts, arguing that their policies still promote higher standards of cybersecurity protection. (French giant Axa became the first major player to publicly break with the practice earlier this month when it said it would stop reimbursing ransoms in France, just days before the insurer confirmed that it had itself been hit by a ransomware attack.)
Critics, however, argue that ransomware insurance creates the wrong incentives for businesses and hackers alike. When companies know they can be reimbursed after paying a ransom, they may neglect other measures that would prevent attacks in the first place, such as securing their IT systems. They are also less likely to investigate the origins of an attack and to take legal action against the hackers.
Conversely, hackers may be encouraged to launch more attacks, knowing that their victims have "priced in" the damage by purchasing insurance.
According to Martin, governments could consider banning ransom payments, imposing penalties on them, forcing companies to disclose, or regulating insurance or cryptocurrency markets. “Whatever it is, let’s see what is most effective,” he said.
For Bart Groothuis, a legislator in the European Parliament responsible for drafting a new EU law on cybersecurity, the solution is to tackle the criminal networks that have made ransomware a booming industry.
“As a European politician, you have to find a television camera and ask all EU member states to instruct their law enforcement agencies to hunt down these hackers,” he said. “As a society we have to be clear: this is where we draw the line.”
But the Russian government would also have to play ball. The attacks often originate from Russia-based infrastructure and Russian groups, and Western and Russian diplomats at the United Nations and the Council of Europe have argued over international cybercrime law for years without finding much common ground.
“If crimes were committed from the UK, the US or Europe, we could send law enforcement agencies to stop them,” said Martin, the former UK cyber chief. “But we can’t because they’re in Russia.”
America Hernandez contributed to the coverage.
This article is part of POLITICO Pro's premium cybersecurity and privacy coverage.