Cybersec chiefs team up with insurers to say 'no' to ransomware bullies

Guidebook aims to undermine the criminal business model

The latest effort to reduce the number of ransom payments sent to cybercriminals in the UK involves the country's National Cyber Security Centre (NCSC) locking arms with insurance associations.

Announced today by NCSC CEO Felicity Oswald at the annual CYBERUK conference, a new guidance book aims to prevent organizations from reacting in a knee-jerk fashion to ransomware incidents.

The coalition consists of the NCSC, the Association of British Insurers (ABI), the British Insurance Brokers' Association (BIBA), and the International Underwriting Association (IUA). Their guidance book, released today, provides detailed advice on how organizations can avoid paying ransoms, addressing recommendations from parliament [PDF].

For people who live and breathe cybersecurity, the information in the guidebook isn't novel. However, the NCSC and insurers see it as a useful reference for organizations that lack the necessary infosec understanding to manage a highly stressful situation effectively.

It does not provide a step-by-step guide on remediating ransomware attacks – that's a job for incident responders – but rather offers a collection of approaches to consider before making a payment.

The advice includes recommendations to consult experts where possible, involve the right people across the organization, investigate the root cause, and, of course, "Don't panic."

As the LockBit leaks earlier this year demonstrated, confirming something long suspected but never previously proven, ransomware gangs don't always deliver on their promise to delete a victim's data after payment. That is another consideration that may be useful to organizations in a frenzied state trying to resolve the matter as quickly and quietly as possible.

"The NCSC does not encourage, endorse, or condone paying ransoms, and it's a dangerous misconception that doing so will make an incident go away or free victims of any future headaches," said Oswald. "In fact, every ransom that is paid signals to criminals that these attacks bear fruit and are worth doing.

"This cross-sector initiative is an excellent next step in foiling the ransom business model: We're proud to support work that will see cybercriminals' wallets emptier and UK organizations more resilient."

It's not lost on the NCSC that this won't be as effective as an outright legal ban on ransom payments, which has long been discussed among industry and international governments.

Those discussions are happening at the highest levels of government, and the matter is a Home Office priority, it's understood, but implementing a ban, in whatever form it may take, will require a substantial amount of time.

During that time, there will be many ransomware attacks, so this guidebook is seen as a stop-gap measure while the government works on a more permanent solution to the ransom payment problem.

Despite widespread dissemination of advice on handling ransomware, experts believe there is still a significant problem with organizations believing they will never be the target of an attack. Too many are blind to their risk and adopt the "it will never happen to me" mindset.

The prevailing view at the NCSC and among insurers is that any measures undermining the ransomware business model are a step forward, regardless of their permanence.

In Oswald's opening speech at CYBERUK today, she likened the act of a trusted organization paying a ransom to a cybercriminal gang to "leaving a carrier bag full of used bank notes in a dark alley."

"That's why today's agreement with the insurance sector is so important," she added.

Insurance associations such as the ABI already offer interactive online tools with advice similar to the coalition's guidebook. The ABI's online Cyber Safety tool walks organizations through their security posture and produces a tailored action plan for building better cyber resilience.

The ABI's director of general insurance policy, Mervyn Skeet, said: "We're pleased to be working with NCSC, BIBA, and the IUA on strengthening cyber resilience and supporting customers affected by ransomware attacks.

"Following the launch of our Cyber Safety Tool for SMEs last year, this collaborative guidance is another positive step towards tackling cybercrime across the UK, and we look forward to continuing to work with NCSC on this shared goal."

Sarah Pearce, Partner at Hunton Andrews Kurth, said: "Without a doubt, ransomware attacks have been on the rise in recent months and this initiative is welcome news.

"Helping guide clients through the handling in the event of such an attack including the strategic considerations that go into assessing whether or not to pay ransom demands is always an intense period and the C-suite/senior management are under extreme pressure to make critical decisions in a time-pressured environment."

Pearce added that the strategic considerations vary, but giving into ransom demands only incentivizes "cybercriminals to expand their activities." ®
