Formal ban on ransomware payments? Asking orgs nicely to not cough up ain't working
With the average demand hitting $1.5 million, something's gotta change
Emsisoft has called for a complete ban on ransom payments following another record-breaking year of digital extortion.
Ransomware gangs breached the IT networks of at least 2,207 US hospitals, schools, and government organizations in addition to "thousands" of private-sector businesses last year, the security shop said on Tuesday. On average, these attacks cost targets about $1.5 million to rectify.
"In 2023, the US was once again battered by a barrage of financially motivated ransomware attacks that denied Americans access to critical services, compromised their personal information, and probably killed some of them," the New Zealand-based infosec firm noted.
This included 46 American hospital systems, 108 K-12 school districts, 72 colleges and universities, and 95 government bodies. For comparison: 2022 saw 25 attacks against hospitals, 45 against K-12 schools, 44 targeting post-secondary education, and 106 against government organizations.
The only reason government organizations saw a year-over-year decline is that the 2022 figure included 55 local governments in Arkansas that were hit by a single intrusion into the agencies' shared IT services provider.
Set that one break-in aside and the 2023 incident count is more than 50 percent higher than 2022's.
There are also the high-profile private-sector entities that fell victim to extortionists last year – including Boeing, MGM Resorts, Caesars Entertainment, and Dish Network. Now that listed companies must disclose material cyber incidents, ransomware attacks included, under the US Securities and Exchange Commission's rules that took effect at the end of last year, we'd expect the number of reported infections to increase in 2024.
We should also note that Emsisoft does not include the MOVEit attacks, during which ransomware gang Clop exploited a zero-day to steal a ton of data from more than 2,600 public- and private-sector victims via the popular file-transfer software, in its 2023 numbers.
This is because no data was encrypted and not every organization received a ransomware demand. Still, this breach cost upwards of $15 billion in clean-up fees.
The only solution to this problem, according to Emsisoft, is to ban ransom payments completely.
"Ransomware is estimated to have killed about one American per month between 2016 and 2021, and it likely continues to do so," the report observes, citing the University of Minnesota School of Public Health's statistics.
"The longer the ransomware problem remains unfixed, the more people will be killed by it," the authors add. "And, of course, the economic harm and myriad of societal harms that ransomware causes will also continue for as long as the problem remains unfixed."
According to Emsisoft threat analyst Brett Callow, opposition to a total ban on ransom payments is lessening. "I think more people are coming to accept that a ban, while problematic, may ultimately be the only solution to the ransomware problem," he told The Register.
'Not a silver bullet'
However, the no-payment pledge that US officials have been pressing allies to adopt only governs "institutions under … national government authority." So most of the victim organizations in the report, as well as all private-sector companies, are still free to pay.
"The intention is well grounded, I think we can eventually get to a ban, but at this point in time it is not a silver bullet and will result in more harm than good," argued Megan Stifel, chief strategy officer for the Institute for Security and Technology and the executive director of the IST's Ransomware Task Force.
So, for example, the Biden administration deciding to make ransom payments illegal as of February 1 would be "problematic, given the lack of overall resilience and maturity across the economy, particularly when you think about all those soft targets the report identifies," Stifel told The Register, echoing the conclusion [PDF] reached by the Ransomware Task Force.
Eventually, a ban will be "an important part of the solution to reduce and hopefully eliminate ransomware, but it has to be coupled with a number of other tools that the government has at its disposal," she added.
- US officials close to persuading allies to not pay off ransomware crooks
- A tale of 2 casino ransomware attacks: One paid out, one did not
- Cyber sleuths reveal how they infiltrate the biggest ransomware gangs
- Court hearings become ransomware concern after justice system breach
While the US government advises organizations not to pay ransom demands – "paying ransom will not ensure your data is decrypted, that your systems or data will no longer be compromised, or that your data will not be leaked," according to the official guidance – it can and should do more to support resilience, Stifel argued.
Most insurance providers are already requiring policy holders to meet some basic IT security standards to qualify for coverage, and the US government could enact similar measures, according to Stifel and the task force.
"We can require organizations to demonstrate some degree of due diligence before they make a payment," she noted.
"Did they actually see whether their backups are viable? Did they see if there was a decryption key available? Plus, there needs to be a full-throated, robust awareness campaign around ransomware prevention, ransomware response, societal harms that come from ransomware. And we haven't really tried that."
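The "are the backups viable?" question is one that can be answered with evidence rather than a hunch, and a pre-payment due-diligence rule would presumably demand exactly that evidence. The script below is an added illustration, not code from Emsisoft, the IST or The Register: it records a hash manifest when a backup set is taken, then checks a restored copy against it and against a maximum-age threshold, flagging files that are missing, that hash differently (the signature of in-place encryption) or that were not in the original set (typically ransom notes). The manifest layout and the sample files are assumptions constructed for the demo.

```python
"""Backup restore-drill check.

Added example, not from the article or the organizations it quotes. The
manifest format (JSON-style dict: 'created' timestamp plus path -> sha256)
and the sample files in demo() are assumptions made for this illustration.
"""
import hashlib
import json
import os
import tempfile
import time
from pathlib import Path
from typing import Optional


def sha256_of(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(src: Path) -> dict:
    """Record what a good backup set looks like: per-file hashes and the time it
    was taken. Run this when the backup is made and store the manifest where the
    production network cannot overwrite it (offline or immutable storage)."""
    files = {str(p.relative_to(src)): sha256_of(p)
             for p in sorted(src.rglob("*")) if p.is_file()}
    return {"created": time.time(), "files": files}


def verify_restore(manifest: dict, restored: Path, max_age_s: float,
                   now: Optional[float] = None) -> dict:
    """Compare a restored copy against the manifest. Returns a findings dict
    instead of raising so the caller can decide which findings are blocking."""
    now = time.time() if now is None else now
    expected = manifest["files"]
    findings = {"missing": [], "corrupted": [], "unexpected": [], "stale": False}
    for rel, digest in expected.items():
        p = restored / rel
        if not p.is_file():
            findings["missing"].append(rel)
        elif sha256_of(p) != digest:
            findings["corrupted"].append(rel)      # overwritten/encrypted in place
    for p in sorted(restored.rglob("*")):
        rel = str(p.relative_to(restored))
        if p.is_file() and rel not in expected:
            findings["unexpected"].append(rel)     # e.g. a dropped ransom note
    # A backup that hashes clean but is older than the recovery-point objective
    # still does not prove you can resume without paying.
    findings["stale"] = (now - manifest["created"]) > max_age_s
    findings["viable"] = not (findings["missing"] or findings["corrupted"]
                              or findings["stale"])
    return findings


def demo() -> dict:
    """Constructed scenario: a clean set, a restore where one file was encrypted
    and a ransom note added, and a clean set that is simply too old."""
    day = 24 * 3600
    with tempfile.TemporaryDirectory() as tmp:
        src = Path(tmp) / "src"
        (src / "db").mkdir(parents=True)
        (src / "db" / "patients.sql").write_bytes(b"CREATE TABLE patients (...);\n")
        (src / "config.yml").write_bytes(b"retention: 30d\n")
        manifest = build_manifest(src)

        good = verify_restore(manifest, src, max_age_s=day)

        bad = Path(tmp) / "restored"
        (bad / "db").mkdir(parents=True)
        (bad / "db" / "patients.sql").write_bytes(os.urandom(48))   # "encrypted"
        (bad / "config.yml").write_bytes(b"retention: 30d\n")
        (bad / "README_DECRYPT.txt").write_bytes(b"pay us\n")
        tampered = verify_restore(manifest, bad, max_age_s=day)

        # Same intact files, but checked as if 40 hours had passed since the set was taken.
        old = verify_restore(manifest, src, max_age_s=day,
                             now=manifest["created"] + 40 * 3600)
        return {"good": good, "tampered": tampered, "old": old}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Run as a scheduled restore drill rather than only after an incident: the point of the manifest is that it was written before the attackers arrived, which is why it has to live somewhere they cannot reach.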
Mandiant's Jeremy Kennelly, a senior analyst in the Google-owned threat intel firm's Financial Crime Analysis division, believes banning payments isn't as simple as it sounds.
While a "global and universally enforced" ransomware payment ban could lead to a decline in these types of extortion attacks, this type of solution would be nearly impossible to enforce, he argued.
"Beyond issues related to the viability of enacting and enforcing uniform international standards around ransom payments, another challenge is the simple fact that ransomware is only one tool being used to collect extortion payments. We continue to see diversification across this ecosystem, with criminals sometimes only stealing data before demanding payment," Kennelly told The Register.
"Extortion cases without ransomware deployment may not cause the same type of immediate disruption," he added. "However, in this new world, data encryption may simply become the consequence for non-payment rather than the issue an organization is paying to help remediate." ®