Nobody intends to become a hostage. Rather than facing a masked gunman or a mafioso hinting at misfortune, these days trouble begins with an email. The link may not work, or there may be a cryptic ransom note demanding an exorbitant payment in cryptocurrency. A frantic phone call from the IT department will follow. It is the call every business leader fears: your computer system has been breached and data has been stolen or locked up with encryption that cannot be broken. Whether it was an employee clicking a link or the computer system not having the latest security patches installed, it doesn’t matter; it is too late. The business cannot function and its reputation with clients, peers, and maybe even regulators is at risk.
This scenario is not far-fetched. It is not even uncommon. In September, the U.S. Department of the Treasury sanctioned the North Korean hacking groups known to cyber-security researchers as “Lazarus Group,” “Bluenoroff,” and “Andariel.” The move confirmed North Korea’s industrial-scale use of ransomware and cyber-enabled theft to generate massive revenues. Although Pyongyang has pioneered hacking as an income generator, criminal hacking groups are quietly threatening governments and private-sector targets. Nearly two dozen counties in Texas and the cities of Baltimore and Atlanta have been extorted in the last year.
The industry of so-called ransomware attacks — the theft or hostile encryption of data by hackers combined with a ransom demand to reverse the attack — is booming. Rogue states like North Korea and criminal hacking groups are making money off the practice, undermining U.S. interests and the integrity of the global financial system. The growth of ransomware attacks is being driven by complacent cybersecurity measures, easily-available hacking software, and those called on to respond to such attacks — a coterie of lawyers, consultants, and insurers incentivized to quickly and quietly pay ransoms.
In addition to the efforts underway to encourage better cybersecurity preparedness, Congress, the executive branch, and regulators need to spell out what a proper response to a ransomware attack should look like for both the public and private sector. The response should take into account the liabilities and incentives of victims, responders, and insurers. Every business that values its data needs to, at a minimum, keep their software up to date, back up critical data, practice restoring it, and have a response plan in place. Many businesses will need to do much more.
Current Responses to a Ransomware Attack
It’s never been easier to carry out a ransomware attack. The barriers have lowered significantly thanks to the availability of commoditized, automated hacking software. Very little technical knowledge is required to configure and deploy such software, which can find, infiltrate, and encrypt or steal data. It also increasingly incorporates hacking tools derived or obtained from a variety of state-backed hackers, confounding attempts to attribute the hacks.
Victims of a ransomware attack have few options to respond, and none of them are good. Specialist attorneys will generally encourage victims to pay a modest ransom when confronted with the alternative of reputational harm or closing their businesses. The cybersecurity consultants that then help the victim secure their systems, negotiate and pay the ransom, and decrypt or retrieve the victim’s data are retained by the lawyers and not by the victim directly. Under this arrangement, stakeholders attempt to shield all information about the incident and ransom under attorney-client privilege. While this attorney-client privilege protects the interests of individual firms, it also unintentionally prevents researchers and authorities from developing a systematic understanding of the ransomware industry.
These lawyers often have consultants they work with regularly, but many business executives will want to shop around to see if there is a consultancy that is better or cheaper. What they find is that there are dozens of firms specializing in cleaning up cyber incidents and that they are utterly indistinguishable. Some consultants will be associated with large, brand-name firms and others will portray themselves as specialist boutiques. All will promise results, discretion, and unique competence, often hinting toward previous careers in government. Since they are all expensive and it is impossible to objectively determine which firm is most capable, victims typically go with the lawyers’ recommendation.
To deal with the rising risk of cyber attacks and the high price of lawyers and consultants needed to respond, businesses are increasingly turning to cyber risk insurance. But, with information on most responses kept confidential, there is little data to help insurers estimate the costs of offering such policies. This lack of data has not stopped them from selling the policies, however, because the insurers want to retain market share and meet the demand. With insurers increasingly footing the bill for the consultants, lawyers, and ransoms, the victims are incentivized to pay ransoms quickly with little negotiation so that they can get their businesses operating again.
In effect, insurance covering the cost of the ransom — with no data to estimate a reasonable payout — drives the growth in ransoms overall. Only the hackers and consultants have a sense of what the going rate is but both want to resolve the situation quickly, not cheaply, since the insurers are footing the bill. The hackers will usually ask for a significant, but not absurd, sum of cryptocurrency to minimize negotiation so that they can move swiftly on to the next victim.
With ransoms routinely valued in the hundreds of thousands of dollars and occasionally in the millions, it can be impossible to quickly obtain enough of any major cryptocurrency to make the payment. Noticing this gap, companies have sprung up to fund ransom payments by providing large pools of cryptocurrency. After the payment is made, there is always a small risk that the hackers may be unwilling or unable to decrypt or return the victim’s data. Such instances are unusual, however, because good consultants can usually sniff out a scammer and organized criminal groups want to continue to get ransom payments, which won’t happen if scamming becomes commonplace.
Criminal hacking organizations are growing rich off ransomware attacks. With steady streams of revenue, the groups are acting like proper businesses and reinvesting profits into better infrastructure, franchises, tools, and talent. These investments, in turn, enable them to target better-defended victims. In April, federal chief information security officer Grant Schneider told a cyber security blog that cybercriminals had upended conventional wisdom that they lagged five years behind nation-state hackers and were actively closing the gap. Their growing capabilities may even begin to seriously threaten well-defended targets like banks.
What a Proper Response Looks Like
Under the current legal and regulatory regime, there is not much a ransomware victim can do. But there is plenty that can be done to prepare. Businesses, particularly larger ones, will need to take a risk-based approach that incorporates information about current cybersecurity threats as well as the peculiarities of their particular IT systems. Hiring cybersecurity consultants to harden a system is not cheap, but it’s less costly than paying a ransom to a malevolent hacking group. The vast majority of systems can be secured from all but the most sophisticated and determined hackers fairly easily.
At a bare minimum, businesses need to ensure that their software is up to date with the latest security patches and that their firewalls, networks, and routers are properly configured. Companies that rely on cloud services will need to make sure that those services are also properly set up, since they can be a lucrative source of large amounts of data if misconfigured.
Critical or sensitive data should be backed up on a regular schedule and stored away from the network. The right backup schedule will vary, but ultimately depends on how much data a company can lose and still be able to function. Businesses also need to practice restoring from their backups, because the day after a company has been hacked is a bad time to discover that the backed-up data is unreadable or inaccessible.
Every business that values its data should have a response plan that spells out what happens immediately after a breach of their networks and a relationship with a lawyer or advisor who can guide them during a real or suspected attack. Staff should be trained in basic cybersecurity precautions and tested in realistic ways to prevent complacency. Cyber-risk insurance will only get more expensive, so firms that want it should get it sooner rather than later.
Larger businesses and industries under greater threat, like financial services or critical infrastructure, will need to do much more, so these precautions should be seen as the absolute bare minimum, not cybersecurity excellence.
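The backup and restore-drill step above can be rehearsed in code. The script below is an added illustration written for this page, not code from the article or its author: it packs a constructed sample data set into a tar archive with a SHA-256 manifest, restores it into a scratch directory, and reports whether every file came back intact, so a truncated, corrupt or altered backup is discovered during the drill rather than the day after an attack. The file names, contents and manifest format are assumptions.

```python
import hashlib
import io
import json
import tarfile
import tempfile
from pathlib import Path

# Constructed sample "critical data" standing in for a real backup set.
SAMPLE_FILES = {"ledger/2019-q3.csv": b"2019-10-01,ACME,1200.00\n",
                "hr/staff.txt": b"alice,bob\n"}

def build_backup(files):
    """Pack files into a tar archive whose MANIFEST.json records each file's SHA-256."""
    manifest = {name: hashlib.sha256(data).hexdigest() for name, data in files.items()}
    members = {**files, "MANIFEST.json": json.dumps(manifest).encode()}
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, data in members.items():
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()

def restore_drill(archive):
    """Restore the archive into a scratch directory and check every manifest entry.
    'ok' is True only if each listed file was written back and hashes as recorded."""
    report = {"ok": False, "restored": 0, "bad": [], "error": None}
    try:
        with tempfile.TemporaryDirectory() as scratch, \
                tarfile.open(fileobj=io.BytesIO(archive), mode="r") as tar:
            root, written = Path(scratch).resolve(), {}
            for member in tar.getmembers():
                dest = (root / member.name).resolve()
                if not member.isfile() or root not in dest.parents:
                    continue                       # never write outside the scratch dir
                dest.parent.mkdir(parents=True, exist_ok=True)
                dest.write_bytes(tar.extractfile(member).read())
                written[member.name] = dest
            manifest = json.loads(written["MANIFEST.json"].read_bytes())
            for name, expected in manifest.items():
                if name in written and hashlib.sha256(written[name].read_bytes()).hexdigest() == expected:
                    report["restored"] += 1
                else:
                    report["bad"].append(name)      # missing, altered or corrupt
            report["ok"] = bool(manifest) and not report["bad"]
    except (tarfile.TarError, OSError, KeyError, ValueError) as exc:
        report["error"] = f"{type(exc).__name__}: {exc}"  # unreadable archive
    return report
```

Run the drill against the real backup media on the schedule the business has chosen; a report with `ok` false is the finding the drill exists to surface.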
What Washington Should Do About It
In the face of this growing threat, the U.S. government needs to alter the legal and regulatory environment to better align the incentives of those involved in responding to ransomware attacks. Congress should pass legislation that provides a safe harbor for victims to share information on ransoms and attacks with the government and the insurance industry. This will allow the government and insurers to better analyze attacks and price insurance appropriately before the cost of offering such insurance becomes unfeasible for insurers due to the increasing price of ransom payouts. The legislation should also explicitly outline under what circumstances ransoms can be paid. Right now, the only restriction on ransoms is that they cannot be paid to sanctioned entities, but it is easy to imagine other scenarios where payments to non-sanctioned groups are still a threat to national security.
In order to protect victims from receiving unqualified advice, the Cybersecurity and Infrastructure Security Agency (CISA) should establish a licensing or certification program for cybersecurity consultants that tests their knowledge and capabilities and establishes a mechanism for lodging complaints for poor service. In return, licensed consultants should be provided with some liability protection for being involved in legally ambiguous activities like ransom payments. Consultants and lawyers should also be required to declare information on the payments like virtual wallet addresses, means of communication, and size/method of payment to the Financial Crimes Enforcement Network (FinCEN) so that this information can be used to generate intelligence on the criminal groups for law enforcement.
Federal and state regulators should substantially raise the penalties for data exposure and exfiltration, and broaden the types of businesses covered by such regulations, to drive greater investment in and maintenance of cybersecurity defenses. The majority of ransomware hacks depend on software vulnerabilities that have already been patched, but victims are often too slow in updating their systems. Because insurance cannot be used to pay fines and penalties, greater penalties could help incentivize proactive cybersecurity investments.
The Way Forward
Terrorist groups, rogue states, and hacking groups are profiting from ransomware attacks. This growing illicit industry helps groups evade sanctions and break the law, undermining U.S. national interests. Ransomware attacks are not going to disappear. However, their effectiveness and profitability can be dramatically lowered if the incentives of victims, advisors, insurers, and consultants are better aligned, and information about attacks is shared with those who can use it to develop more effective defenses. With ransoms enabling rogue states and criminal hacking groups alike, it is vital to break this cycle before they are in a position to threaten even the best-defended businesses and governments.
William G. Rich is senior vice president of the research and data analytics firm Kharon. He conducted the research for this piece while an International Affairs Fellow at the Council on Foreign Relations. From 2015–2018, he was the U.S. Treasury Attaché to UAE and Oman and previously served in national security policy, counterterrorism, and intelligence positions in the U.S. government.
This piece reflects the personal views of the author and not those of his current or previous employers.