One of the most common suggestions to deal with the ransomware scourge – also one of the most controversial – is to ban the payment of ransoms. If no one paid ransom, the argument goes, there would be no market for ransomware. But for that to work, companies would need to abide by regulations and not pay – there is new evidence that many businesses would not buy in to such a move.
In a broad survey of security management and executives, the results of which were released Friday, the Neustar International Security Council and Harris Poll found that 44% of firms would consider paying at least 10% of yearly revenue to resolve a ransom, while 20% of firms are willing to pay 20% of their revenue or more. If that is the current value that companies place on paying ransom, a penalty might have to be extraordinary to fully disincentivize the practice.
"It's easy to say 'You shouldn't pay' until it's you sitting in that chair, " said Riley Stauffer, security and incident response analyst for MDR firm Pondurance.
Ransomware is a complex policy issue. There are multiple threads lawmakers can pull at the same time. Policy levers can include direct federal investment in baseline cybersecurity, regulations to improve baseline cybersecurity, more aggressive law enforcement and intelligence community takedowns of criminal infrastructure, and regulating cryptocurrencies. Ransomware prevention starts with the smallest businesses developing a password policy and ends with complex geopolitical negotiations with countries that harbor ransomware criminals.
One of the most pervasive suggestions has been banning ransom payments altogether. It is a suggestion that is often preferred by politicians rather than crime or cybersecurity experts. Just last week, Senator Mark Warner, D-Virg., said during a live-streamed Washington Post live interview, "We need to start a debate about whether ransomware should even be allowed to be paid."
However, the Neustar poll may indicate that companies strongly value the option to pay. Only 40% of firms said they would not consider paying a ransom.
"I think that should really bring pause to corporations and to the government and legislators – not just here, but around the world in terms of how we work on dealing with this, which I think is the beginnings of becoming an epidemic," said Rodney Joffe, chair of the Neustar International Security Council.
Joffe said that the 40% of organizations who believe they would decline paying ransom may actually be less in practice, because companies tend to overestimate their abilities to defend against ransomware. Backups often fail as a solution because of multiple extortion vectors or technological issues. Joffe said companies and lawmakers don't always grasp how they can do everything right from a security standpoint and still end up being a victim.
"I don't know how say to a company of five, 10 or 20,000 employees that you have this threat, and if you don't pay for whatever reason, you very well may be out of business, but the government is telling you not to pay," he said.
Critics of banning ransomware payments note that such policies create new incentives for worse outcomes. Companies that choose to pay rather bankrupt their business may open themselves up for a lifetime of blackmail, as the criminals now hold evidence that they committed a crime. Criminals may also be more likely to seek ransom payments from critical infrastructure operators because CI that impacts national security is unlikely to tolerate significant downtime.
Companies are willing to pay substantial amounts in ransom because the potential damages of interrupting company operations can be even more costly. For instance, downtime at a commercial plant can rack up many millions of dollars in damages very quickly.
“The damage that can be done can be significant,” said Dave Burg, leader of EY Americas' cybersecurity practice. “The bad guys are very good at getting in. They're also very good at surveying the victim company, to find the kinds of data that they're interested in, and to ultimately find critical systems [and] critical applications, and then they're very good at bringing those systems down.”
Noting that EY deals mostly with Fortune 500 companies, Burg said the notion of his clients paying 10 to 20% of revenue would not track. But such a scenario would be more reasonable for small- and medium-sized businesses.
For the broader ecosystem of organizations that can be affected by ransomware, the problem can be “existential,” said Joshua Motta, CEO of cyber insurer Coalition.
“There are 24 million businesses in this country that have less than a million or two in annual revenue and an unforeseen $10,000 cost, much less [a] $100,000 cost, can be the difference between making payroll or not,” said Motta. “So for many businesses, it is truly existential.”
Trying to recover without paying a ransom is simply not an option for many businesses, he said. Closing down an office or industrial facility to recover may not be survivable cost.
“We handle ransomware claims every week. I have yet to meet a single business owner that wants to pay a ransom. The alternative is considerably more costly than paying the ransom,” he said. “From an expected value perspective, it would be bad for society to ban ransom. It would increase the cost to society by many orders of magnitude.”
Motta noted that from a business cost standpoint, encouraging companies to invest in better cybersecurity that covers common ransomware vectors would be a much cheaper way to limit ransomware payments. It is a move he believes the insurance industry could spearhead by making it a requirement of policies, saving both the insurer and the client money in the long run.
Without paying a ransom, said Burg, a company would be relying on the government to create lightning-quick resolutions to ransomware incidents to prevent massive damages.
“The concern about banning the ransom payment is, if the government is not able to respond with extreme speed and scale to that particular to that situation, then the business has to make a decision:Do I go out of business or do I make the payment and stay in business?” he said.
Burg does believe there is a role for the government to play in stopping ransomware: leveraging law enforcement and cyberwarfare capabilities to dismantle cybercriminal operations, using "assets and capabilities akin to the war on terror to target infrastructure of individuals who undertake” ransomware attacks, he said.
Addressing the root causes of ransomware would not only be more palatable for potential victims, said Motta, but potentially better optics for the government as well.
“Is the Justice Department truly going to prosecute the victim when they don't even prosecute the actual perpetrator?” he asked.