Cybersec chiefs team up with insurers to say 'no' to ransomware bullies
Guidebook aims to undermine the criminal business model
The latest effort to reduce the number of ransom payments sent to cybercriminals in the UK involves the country's National Cyber Security Centre (NCSC) locking arms with insurance associations.
Announced today by NCSC CEO Felicity Oswald at the annual CYBERUK conference, a new guidance book aims to prevent organizations from reacting in a knee-jerk fashion to ransomware incidents.
The coalition consists of the NCSC, the Association of British Insurers (ABI), the British Insurance Brokers' Association (BIBA), and the International Underwriting Association (IUA). Their guidance book, released today, provides detailed advice on how organizations can avoid paying ransoms, addressing recommendations from parliament.
For people who live and breathe cybersecurity, the information in the guidebook isn't novel. However, the NCSC and insurers see it as a useful reference for organizations that lack the necessary infosec understanding to manage a highly stressful situation effectively.
It does not provide a step-by-step guide on remediating ransomware attacks – that's a job for incident responders – but rather offers a collection of approaches to consider before making a payment.
The advice includes recommendations to consult experts where possible, involve the right people across the organization, investigate the root cause, and, of course, "Don't panic."
Ransomware gangs don't always honor their promise to delete a victim's data once the ransom is paid. That was long suspected but not proven until the LockBit leaks earlier this year, and it is another consideration that may be useful to organizations in a frenzied state trying to resolve the matter as quickly and quietly as possible.
"The NCSC does not encourage, endorse, or condone paying ransoms, and it's a dangerous misconception that doing so will make an incident go away or free victims of any future headaches," said Oswald. "In fact, every ransom that is paid signals to criminals that these attacks bear fruit and are worth doing.
"This cross-sector initiative is an excellent next step in foiling the ransom business model: We're proud to support work that will see cybercriminals' wallets emptier and UK organizations more resilient."
It's not lost on the NCSC that this won't be as effective as an outright legal ban on ransom payments, which has long been discussed among industry and international governments.
Those discussions are happening at the highest levels of government, and the matter is a Home Office priority, it's understood, but implementing a ban, in whatever form it may take, will require a substantial amount of time.
During that time, there will be many ransomware attacks, so this guidebook is seen as a stop-gap measure while the government works on a more permanent solution to the ransom payment problem.
Despite widespread dissemination of advice on handling ransomware, experts believe a significant number of organizations still assume they will never be targeted. Too many are blind to their risk and adopt the "it will never happen to me" mindset.
The prevailing view at the NCSC and among insurers is that any measures undermining the ransomware business model are a step forward, regardless of their permanence.
In Oswald's opening speech at CYBERUK today, she likened the act of a trusted organization paying a ransom to a cybercriminal gang to "leaving a carrier bag full of used bank notes in a dark alley."
"That's why today's agreement with the insurance sector is so important," she added.
Insurance associations such as the ABI already have interactive online tools offering advice similar to the coalition's guidebook. The ABI's online Cyber Safety tool walks organizations through their security posture to produce a tailored action plan for building better cyber resilience.
The ABI's director of general insurance policy, Mervyn Skeet, said: "We're pleased to be working with NCSC, BIBA, and the IUA on strengthening cyber resilience and supporting customers affected by ransomware attacks.
"Following the launch of our Cyber Safety Tool for SMEs last year, this collaborative guidance is another positive step towards tackling cybercrime across the UK, and we look forward to continuing to work with NCSC on this shared goal."
Sarah Pearce, Partner at Hunton Andrews Kurth, said: "Without a doubt, ransomware attacks have been on the rise in recent months and this initiative is welcome news.
"Helping guide clients through the handling in the event of such an attack including the strategic considerations that go into assessing whether or not to pay ransom demands is always an intense period and the C-suite/senior management are under extreme pressure to make critical decisions in a time-pressured environment."
Pearce added that the strategic considerations vary, but giving into ransom demands only incentivizes "cybercriminals to expand their activities." ®