Would banning ransomware insurance stop the scourge?
White House official makes case for ending extortion reimbursements
Ransomware attacks are costing businesses and governments billions of dollars and putting people's lives at risk – in some cases, reportedly causing their deaths.
No one disputes that this particularly heinous brand of cybercrime is a scourge across societies. But eliminating the problem, or even putting a dent in it, has proven to be a huge challenge that, so far, has seemingly evaded everyone.
As soon as law enforcement disrupts one menace, three or four new ransomware groups spring up in its place because it's still a very lucrative business. Last year alone, the FBI received 2,825 reports of ransomware infections accounting for more than $59.6 million in losses.
One solution suggested by White House cyber boss Anne Neuberger involves eliminating insurance reimbursements for extortion payments.
Neuberger, the US Deputy National Security Adviser for Cyber and Emerging Technology, also called on the industry to require organizations to implement strong cybersecurity measures as a condition for underwriting policies, "akin to the way fire alarm systems are required for home insurance," in an opinion piece for the Financial Times.
Fueling cybercrime ecosystems
Then she blasted practices that make the problem even worse. "Some insurance company policies – for example covering reimbursement of ransomware payments – incentivize payment of ransoms that fuel cybercrime ecosystems," Neuberger wrote. "This is a troubling practice that must end."
As the victim count and monetary losses worldwide continue to grow, an increasing number of cybersecurity experts and law enforcement officers have called for a complete ban on ransom payments.
A ban on insurance payouts to cover ransom payments may be a way to achieve that objective – at least for the larger corporations that can afford a premium cyber-insurance policy in the first place.
Still, beyond the extortion payment itself, there are the costs of remediation, business interruption, and other financial impact. In its most recent filing with US regulators, UnitedHealth said it had spent $776 million on network restoration and $1.4 billion on increased medical care expenditures as a result of the Change Healthcare ransomware attack in February.
Previously, the company's CEO admitted to paying the criminals a $22 million ransom demand.
"I'm not convinced that banning the ransom from being paid by cyber insurance policies will remediate the issue," Monica Shokrai, Google Cloud's head of business risk and insurance, told The Register.
"In the case of large companies, cyber insurance will still cover the cost of the incident and the ransom itself often isn't material, particularly compared to the cost of business interruption that a large corporation may face," she added. "So, if larger companies continue to pay the ransom despite insurance not covering it, the impact of a ban on the insurance coverage becomes less meaningful."
And, as with most things, smaller companies would likely face disproportionately higher costs should an insurance payout ban be put in place.
"With SMBs, the ransom payment may also be a bigger proportion of the total loss and certainly a more significant percentage of their overall annual revenue," Shokrai said. "The impact of a cyber insurance ban on ransomware payments may mean they go out of business if they can't pay the ransom without insurance coverage."
Still, other experts argue that the only way to eliminate attacks is to cut off the financial incentive for the criminals.
"I agree that insurers should be banned from reimbursing corporations from paying for ransomware," said Tom Kellermann, SVP of Cyber Strategy at Contrast Security. "I also think corporations themselves really need to improve their cybersecurity and their backups and their relationships with the cyber-fraud task forces in the Secret Service or the FBI."
Ransom payments as sanctions evasion
Kellermann has been working to find a fix for this global problem since 2020, when he was appointed to the Cyber Investigations Advisory Board for the US Secret Service.
During a recent discussion with The Register about ransom payments and insurance policies, he echoed US Deputy Attorney General Lisa Monaco's previous statements that ransomware payments should be considered a type of sanctions evasion, "particularly given the fact that 80 percent of those ransomware payments are being funneled to cybercrime cartels who enjoy a protection racket from the Russian regime."
In many ransomware attacks, criminals also deploy a remote-access Trojan along with the file-encrypting malware, which gives the gangs persistent access to victims' networks.
"And that allows these cartels to basically teleport themselves into any system that some affiliate has compromised, or share that backdoor access with the FSB and GRU," Kellermann said. "Ransomware is out there creating a free-fire zone for a multiplicity of actors that allows for the larger, more significant campaigns of infiltration by Russia and her allies to be conducted."
The insurance payment ban should come from government regulators, he added – not the industry itself.
Insurers don't want to cover ransom reimbursements. "They're losing so much money on cybersecurity coverage," Kellermann noted. "This would basically give them an out. It's high time the regulators stepped in and banned ransomware payments from either financial institutions or insurers, and considered it sanctions evasion."
Ransomware protection firm BullWall's US executive VP, Steve Hahn, suggested taking this policy one step further, and banning ransom payments from insurers and corporations altogether.
"The US government has long had a policy, we don't negotiate with terrorists," Hahn told The Register. "The money we pay for insurance and recovery could be better spent on cybersecurity and the threat actors' coffers would run dry while our security posture increased."
This calculus may involve human lives being lost, as have similar decisions not to pay ransoms for hostages held by terrorist organizations and rogue governments, he added. But in the long run, it would "all but eliminate ransomware," Hahn suggested.
Of course, this is easier said than done, and Hahn acknowledges it would be a very tough policy decision to make.
It's one thing to make a blanket statement that we will not give in to ransom demands under any circumstances, but it's much more difficult to hold fast to that when hospital patients are dying because a ransomware infection has cut off access to life-saving drugs or surgeries.
No one wants to finance criminal activity in theory, but it becomes much easier to find acceptable exceptions to that when, say, paying a ransom means that water will again flow from people's faucets or heat will turn back on in the dead of winter.
'Payment ban will backfire'
"Complex problems are rarely solved with binary solutions, and ransomware is no different," Sezaneh Seymour, VP and head of regulatory risk and policy at Coalition, told The Register. "A payment ban will backfire because it doesn't address the root cause of our national problem: widespread digital insecurity."
No payment ban would be absolute, and there will always be exceptions for exigency – just as with the Treasury's Office of Foreign Assets Control, which also grants exceptions to sanctions, she argued.
"Beyond concerns that a ban will re-victimize ransomware victims, a ban is more likely to paint a target on our critical infrastructure – potentially resulting, ironically, in increased attacks on the very infrastructure we seek to protect," Seymour said.
"Nobody wants to pay a ransom: not a victim, not an insurer," she added. But any type of long-term fix needs to address the underlying security problem of which ransomware is a symptom.
"The more effective approach is to first advance policies that meaningfully improve our nation's digital resilience," Seymour said. "For example, by shifting incentives so that the technology sold is more secure and by compelling good cyber hygiene practices across the infrastructure that provides our critical services."