How do we stamp out the ransomware business model? Ban insurance payouts for one, says ex-GCHQ director

New laws needed to cut off incentive to crooks, argues Marcus Willett


A growing number of senior ex-GCHQ people have called for laws preventing businesses from using cyber insurance to buy off ransomware attackers, arguing that the money merely perpetuates the criminals' business model.

Even as industry gets used to waking up to find the entire corporate network scrambled and user endpoints displaying nothing but ransom notes, former government hackers (and cybersecurity folk) are speaking out against the trend of meekly meeting the crooks' demands and moving on.

Ciaran Martin, former chief of the UK's National Cyber Security Centre, made headlines earlier this year after telling Parliament that insurance companies were "funding organised crime" by paying ransoms on behalf of their customers.

"In this country," Martin told the Science and Technology Committee, "it is... increasingly routine practice to pay out to cover the costs of paying criminals. So if you've paid the criminals in Bitcoin, you can claim on your insurance policy."

It seems Martin's trenchant view is shared by at least some of his fellow former government security bods, who have a good few years' experience of this sort of thing.

Ban buying off ransomware crooks

Marcus Willett, a senior cyber adviser with the International Institute for Strategic Studies and former GCHQ director of cyber (pre-NCSC), wrote at the end of March that the world needs "new laws establishing disincentives to pay ransoms to cyber criminals."

While dissecting the SolarWinds hack's international policy implications, Willett observed that "it is currently too convenient for companies simply to use their insurance to pay up" to avoid the disruption of a ransomware attack. Doing so, he argued, made a mockery of initiatives designed to raise wider awareness of basic cyber hygiene.

Partially agreeing with him, a former NCSC deputy director opined that a total ban might not be practical. Writing for the Society for Computers and Law website, Peter Yapp said previous never-pay policies have failed.

In the real world, people just want their data back

"I know from the crisis management work we do in the kidnap, ransom and extortion arena, that when people rather than data are involved, [a total ban] does not work in practice," wrote Yapp, now a cyber partner of law firm Schillings. "Total bans and non-concession policies have not worked in the past and have not attracted countries to sign up."

In this, the ex-GCHQ/NCSC people seem to be admitting that a 2014 government policy aimed at increasing the take-up of cyber insurance may have flopped; as we said at the time, promoting cyber insurance with the intention of improving cyber hygiene was like encouraging car insurance as a way to reduce road accidents.

Official attitudes towards cyber insurance have varied. In 2019 the US FBI said it was easing its previously hard-line stance against paying off criminals, something echoed by the NCSC in 2020. New NCSC chief Lindy Cameron said in March that insurance "cannot be a substitute for better basic cybersecurity", which seems to reflect current governmental thinking of "you shouldn't pay ransoms but we won't be annoyed if you do."

Last year a gathering of cyber-insurance professionals resulted in much gnashing of teeth from insurers who realised their customers were increasingly suspicious of policies claiming to cover cyber incidents, perhaps fuelled by the infamous Zurich lawsuit against Mondelez in the wake of a NotPetya ransomware infection.

As exclusively reported absolutely everywhere over the last year, ransomware attacks are on the rise. The business model for crooks using this as a get-rich-quick scheme is simple: get a foothold on a victim's network, deploy malware that encrypts every file it can get its digital mitts on, and leave a ransom note (or contact the victim directly) demanding a large payout, typically in cryptocurrency, in exchange for the decryption key.

In the increasingly popular double-extortion model, the criminals also exfiltrate sensitive (or embarrassing) data before encrypting it, and separately ransom that back to the victim on pain of it being published for anyone to download. That second lever is why good backups, while still essential, no longer remove the attacker's leverage on their own.

It doesn't always go the way of the insurers or the criminals, however, as an unusual High Court case showed last January. An unnamed Canadian insurance company filed suit to recover a 109-Bitcoin ransom its reinsurers paid on its behalf. ®


Biting the hand that feeds IT © 1998–2021