Ban on payments to extortionists: how denial of ransom will increase attacks on critical infrastructure

Brother

Blocking the source of income for cybercriminals can trigger a cyber war.

A blanket ban on paying ransoms to ransomware operators, which has been the subject of discussion this week, seems like a good idea. If extortion is eliminated as a source of criminal income, the number of attacks will certainly decrease.

Exceptions to the rules are needed
Unfortunately, the ban will not work either now or in the foreseeable future, for a number of reasons. Moreover, the ban will inevitably lead to an increase in attacks on critical infrastructure, such as hospitals, power grids, water supply systems, etc., which, of course, is not very good. The payment ban will have to include an exception for incidents where failure to pay the ransom poses a serious risk to life or health, or creates the threat of a terrorist attack. In other words, there should be an exception for critical infrastructure facilities.

Such exceptions are included in the new rules of the US Securities and Exchange Commission (SEC) on the disclosure of information about cyber incidents. The Commission allows a delay in reporting an attack if its disclosure "poses a significant risk to national security or public safety."

An exception for critical infrastructure facilities makes sense. No one will blame a hospital, or advocate letting patients die instead of paying the ransom. A similar argument can be made for gas and electricity suppliers: they cannot ignore the need to heat residential premises in winter. But it also means that attackers will simply switch to these sectors, where failure to meet the attackers' demands can be a matter of life and death.

Increased attention to medical institutions
We are already seeing that criminals are increasingly focusing on hospitals and medical facilities. In 2023, hacker groups broke into 141 hospitals in the United States alone (46 medical systems), and in 32 of the 46 cases, patient data, including protected medical information, was stolen.

The attacks caused outages that lasted for weeks, diverted ambulances, and delayed the delivery of medical care to patients. While all of this should be a wake-up call for any critical infrastructure organization, preventing further ransomware chaos requires a solution that has more to do with emergency preparedness than just banning payments to criminals.

Possibility of international regulation
There is also the issue of enforcement. Such a ban must be universal; otherwise ransomware groups will simply focus on victims in other geographical regions where payments are not prohibited. This level of cooperation between governments is highly unlikely, and if it does occur, obstacles to coordinated enforcement and funding will immediately disrupt cooperation.

Presumably, any kind of international legislation should be adopted by the UN, which does not always guarantee a global mandate with real powers. Moreover, the UN decision could turn into an attempt to rewrite international law by countries that already provide safe havens for extortionists and use illicit proceeds to finance state terrorism and weapons programs.

A good example is the UN treaty on Cybercrime under discussion. A global approach to combating cybercrime is necessary, and in theory it is a good idea. The main goal of the treaty is to develop international standards related to the problem of transnational Internet crimes. However, experts fear that the treaty could give governments too much power to monitor the Internet and become a tool of repression.

Weak cyber defense as an incentive for ransomware
Another obstacle is the lack of maturity of security systems in different sectors. This is particularly worrying given that two sectors known for their underfunding and lack of information security personnel – local governments and schools – are increasingly being targeted by ransomware.

Some of the 2023 ransomware victims in these sectors include the cities of Oakland, California, which declared a state of emergency, and Dallas, Texas, whose IT systems were paralyzed by a cyberattack.

Emsisoft estimates that at least 108 school districts and 72 universities were targeted by ransomware groups in 2023, up from 45 and 44 in 2022, respectively. About 95 government agencies experienced ransomware attacks in 2023, compared with 106 in 2022. At the same time, 55 of those 106 institutions used the same IT service provider.

State and local governments, as well as schools, collect a huge amount of confidential information that can be financially valuable to criminals, and these organizations do not have the resources to protect themselves from ransomware. Simply making it illegal for them to pay a ransom seems especially cruel if they do not first receive the professional and financial support needed to strengthen their networks.

Grants can help
It is worth noting that almost $375 million in grants is available to state, local and territorial governments across the United States to address cybersecurity problems. In addition, a special program of the Federal Communications Commission (FCC) aims to provide up to $200 million to schools and libraries in rural and low-income areas and to collect information about "cybersecurity and firewall services" that protect these institutions from cyber attacks.

Is such a law possible now?
However, a ban on paying ransoms to ransomware operators is becoming more acceptable than it was even a couple of years ago, and the current international summit of the Counter Ransomware Initiative (CRI), held at the White House, is one such sign. At the event, the US persuaded all 50 participating countries to sign a collective statement in which they agreed not to pay ransoms to extortionists. The countries also pledged to better track cryptocurrency payments to cybercriminals and to improve information-sharing capabilities.

CRI was launched in 2021 with 31 members and has since expanded to 47 members. Attention to the problem grew after the Costa Rican government refused to pay a $10 million ransom to the group in April 2022, following a cyberattack that paralyzed the country's operations.

Although the no-pay pledge applies only to national governments, not private companies, it could not have received the necessary support even a year ago.

How do I avoid becoming a victim of ransomware?
Secure your networks now. Don't be easy prey. Implement all the basic cyber hygiene measures that cybersecurity experts have been talking about for many years: use strong passwords and data encryption, implement a Zero Trust policy, network segmentation and multi-factor authentication, install software updates, and make regular backups.
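Of the measures listed above, backups are the one that decides whether an organization can refuse to pay at all, and a backup only counts if it can be shown to be intact after the incident. The following script is an added example (not code from the original post) of how a defender can record a SHA-256 manifest when a backup is taken and later verify the backup set against it, reporting files that have gone missing, changed or appeared since. The directory layout, file names and the tampering scenario in `demo()` are all constructed for illustration.

```python
"""Record and verify an integrity manifest for an offline backup set.

Added example, not from the original post. Assumes a backup directory whose
contents are hashed into a JSON-serialisable manifest at backup time; a later
verification run compares the live tree with that manifest.
"""
import hashlib
import json
import os
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Stream a file through SHA-256 so large dumps do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(backup_dir: Path) -> dict:
    """Map every regular file under backup_dir (relative path) to its SHA-256."""
    manifest = {}
    for p in sorted(backup_dir.rglob("*")):
        if p.is_file():
            manifest[str(p.relative_to(backup_dir))] = sha256_of(p)
    return manifest


def verify_backup(backup_dir: Path, manifest: dict) -> dict:
    """Compare the current tree against a manifest recorded at backup time.

    Returns sorted lists under 'missing', 'changed' and 'unexpected'.
    An intact backup yields three empty lists.
    """
    current = build_manifest(backup_dir)
    missing = sorted(k for k in manifest if k not in current)
    changed = sorted(k for k in manifest if k in current and current[k] != manifest[k])
    unexpected = sorted(k for k in current if k not in manifest)
    return {"missing": missing, "changed": changed, "unexpected": unexpected}


def demo() -> dict:
    """Constructed scenario: record a manifest, then damage the backup and re-verify."""
    with tempfile.TemporaryDirectory() as tmp:
        backup = Path(tmp) / "backup"
        (backup / "db").mkdir(parents=True)
        (backup / "db" / "patients.sql").write_bytes(b"-- constructed sample dump\n")
        (backup / "config.yaml").write_bytes(b"mfa: required\n")

        manifest = build_manifest(backup)
        clean = verify_backup(backup, manifest)

        # Constructed damage of the kind a ransomware run leaves on a reachable
        # share: one file overwritten with random bytes, one deleted, one dropped.
        (backup / "db" / "patients.sql").write_bytes(os.urandom(64))
        (backup / "config.yaml").unlink()
        (backup / "README_RECOVER.txt").write_bytes(b"constructed note\n")
        tampered = verify_backup(backup, manifest)

    return {"clean": clean, "tampered": tampered}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The manifest should be stored separately from the backup it describes (and ideally signed), because a manifest that sits on the same share can be rewritten along with the data; the script deliberately takes the manifest as an argument rather than reading it from the backup directory.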