The September 2023 ransomware attacks against Las Vegas casinos are a great opportunity to examine the challenges enterprises face when they are attacked by ransomware.
In a sort of “Choose Your Own Adventure” version of addressing the problem, while Caesars reportedly paid a $15 million ransom to the perpetrators (Scattered Spider) and quickly returned to normal operations, MGM chose not to pay the same group when they were attacked. MGM’s choice, while aligned with the U.S. Government’s stance on ransomware payments, resulted in 10-plus days of impact to MGM that generated a reported loss of $100 million.
It doesn’t take a math whiz to realize that the choice Caesars made was $85 million less expensive than the route MGM took, and that’s before accounting for whatever losses were covered by their cyber insurance policy.
With that in mind, why does the federal government still strongly advise against paying the ransom? Answer: The government (FBI) focuses on the big picture, not any single event. Paying ransom addresses an immediate problem, while not paying ransom exponentially increases the immediate pain. The former focuses on one’s own needs as a company or security practitioner, while the latter requires accepting the consequences of upholding a policy that’s in everyone’s best interest.
The divergent responses to the casino attacks demonstrated that not everyone will accept a bigger loss to uphold a greater good. We can’t expect to address that through volunteerism, particularly when quarterly profits are the most important metric for profit-making companies. The leaders get paid for meeting that metric. When our eyes are focused on short-term goals, long-term needs are subordinated, and business leaders don’t willingly make decisions that require them to suffer for the benefit of others.
Since cybercriminals are motivated almost exclusively by money, if they know organizations are willing to pay ransom to regain access to their systems and data – even without guarantees the criminals will deliver on those promises – they have a perpetually strong business model. When we also consider that there are at least 100 active ransomware gangs ranging from professional criminal organizations to groups of teenagers, that booming business will surely attract more criminal entrepreneurs as long as payments are flowing.
What if it was illegal to pay the ransom?
A law won’t immediately halt ransomware attacks, because cybercriminals would certainly test the resolve of victims. But if cybercriminals learned that no matter what they did there would be no payday, they would abandon ransomware as a tactic that no longer yielded results.
Changing the laws to force companies to stop paying ransom may sound fantastical, but steps in that direction have already been taken. In November 2023, 40 countries attending the second annual meeting of the International Counter Ransomware Initiative vowed to stop paying cybercrime ransoms. While not having the weight of enforceable laws, a large coalition of nations signaling a willingness to work together on this issue could be the first step towards an enforceable international treaty.
Closer to home, several states have passed or are considering passing laws that would make ransomware payments illegal. In April 2023, North Carolina became the first U.S. state to make it illegal for state agencies and local government entities to communicate with ransomware groups or pay a ransom demand. Florida passed a similar law in July 2023, and more laws of this type are being considered in Arizona, Pennsylvania, New York, and Texas.
Beyond deterring criminals from launching ransomware attacks, making ransomware payments illegal would encourage enterprises to invest more in prevention. Far too many organizations underspend on technologies and capabilities that could prevent or reduce the impact of ransomware attacks. That’s because teams opting for prevention struggle to produce metrics needed to justify budget requests and it’s more expensive over time to do defense-in-depth than pay an occasional ransom. Additionally, the real victims of these attacks are consumers – not companies – whose personal information and identities are stolen. While one might think companies would prioritize prevention because of fears of financial harm or lost stock value, financial losses are passed on to consumers and successful cyberattacks do not have the long-term negative impacts to stock prices and revenue that were previously assumed.
Since we can’t reasonably expect organizations to voluntarily assume additional risk or absorb larger costs for the greater good, and it’s incredibly hard to prioritize prevention when the metrics of security are subordinate to quarterly profit targets, reversing the growing trend of ransomware attacks may require clear, enforceable laws with stiff fines. It looks like we’re soon going to find out if these new laws work.
A.J. Nash, vice president and distinguished fellow of threat intelligence, ZeroFox