An anti-malware firm is calling on governments to forbid organizations from paying ransoms to recover stolen data after suspicions that a ransomware attack on a German hospital last week contributed to the death of a woman who couldn’t be admitted to the stricken institution.
“Enough is enough. Governments need to ban ransom payments,” Emsisoft, the New Zealand-based anti-malware company, said in a blog post on Monday.
“Organizations are currently providing cybercriminals with a multi-billion dollar revenue stream – which is entirely funded by the public, albeit indirectly – and it makes absolutely no sense to permit this situation to continue,” the company argued. “The best way to protect organizations from ransomware attacks and to protect individuals from the consequences of those attacks is to make it illegal for organizations to pay ransoms. This would stop the attacks, and stop them quickly.”
“While some may feel a ban is unnecessarily extreme, the reality is that no other practical solution exists.”
The company estimates that this year organizations and individuals will pay $25 billion to meet various ransom demands, and 33 per cent of them think it’s worth paying up. Emsisoft also estimated there have been more than 170,000 successful ransomware attacks so far this year.
The debate over paying ransoms for data has been going on for some time. Police departments around the world urge organizations not to give in to any kind of blackmail. At the same time, they recognize that in some circumstances it may be necessary to pay up.
In the case of the attack on the hospital in Germany, a woman in transit to the institution had to be diverted to another hospital about 20 minutes away because the Dusseldorf hospital she was being taken to couldn’t admit patients after its IT systems had been shut down. It isn’t clear whether the time lost contributed to her death.
Meanwhile, ransomware attacks continue to spread across Canada. Not all of them are publicly reported. Neither federal nor provincial privacy laws require organizations to publicly report data breaches. Some ransomware gangs — notably Maze, REvil/Sodinokibi, Netwalker and DoppelPaymer — have recently started to publicly list the companies or government departments they have stolen data from. These gangs not only encrypt data but also, to increase pressure, threaten to embarrass victim organizations by also releasing stolen data unless they are paid.
Canadian firms recently claimed by these gangs to have been successfully breached include a restaurant chain, a U.S.-based provider of cloud services to Canadian and U.S. government departments, a software document automation provider, a Western Canadian theatre centre and several transport companies. IT World Canada isn’t identifying these organizations because they haven’t confirmed the hacks.
Meanwhile, on Monday, CBC News revealed that a ransomware attack in March at Vancouver’s Simon Fraser University included the theft of personal information such as the names and birthdates of 250,000 students, faculty and alumni — everyone who was at the school before June 2019. The university didn’t pay the ransom because it had another copy of the data.
Still, the information stolen is enough to be used for identity theft. That incident alone could be enough to argue governments should mandate encrypting any personal information an organization holds, though encryption at rest only helps if the keys are kept out of an attacker’s reach: an intruder who has taken over the application or its service account reads the data exactly as the application does.
There’s no consensus among security experts on how to tackle the issue. Some experts think organizations should pay in the hopes of getting decryption keys to unscramble locked away data.
“I don’t think it will work,” David Swan, an Alberta-based director of the Centre for Strategic Cyberspace and International Studies, said in an email. “The problem is it puts the emphasis on the victims to try and force the criminals to change their behaviour.”
Many organizations don’t report hacks, security breaches or ransomware attacks, he argued. Businesses are fearful of the impact on their brand and the stigma of being hacked. If victim businesses are already hiding the effects of hacks, making ransom payments illegal will not change anything.
Governments can do two things, he explained: create legislation that makes hacking a serious offence, and get serious about tracking down and prosecuting hackers. In the case of the Dusseldorf incident, if the evidence justifies it, charge the ransomware attackers with manslaughter. If governments such as Russia and China want to protect their hackers, enact tariffs equivalent to what the hackers are stealing, he added.
“Emsisoft is right about one thing: It is past time to get serious about taking on the criminals who hide behind the description ‘hackers.’”
Robert Wong, executive vice-president and CIO of Toronto Hydro, said victims of ransomware are in the difficult position of having to decide whether they can continue running their business without regaining access to their data. Not paying could mean closing up.
“Governments can obviously create internal policies that prohibit public sector organizations from paying ransomware, but I think it would be a difficult thing for them to impose on private businesses,” he said in an email. “Even having these restrictions on public sector organizations can create risks to the public that these agencies serve if the data that they depend upon to provide services are not available.
“I believe the government’s role should be to impose stricter requirements on cybersecurity standards and practices on government entities and require regulators of private sectors to do the same for those businesses, including fines and penalties to the businesses and board of directors for non-compliance. Unfortunately, many businesses have not given cybersecurity the kind of attention it deserves and are laggards in devoting effort and resources to enhance their respective practices.
“Until companies are in a position where their critical data is well protected and backed up securely that they can withstand a successful ransomware attack and can readily recover their data from secured backups and maintain business continuity, they will continue to pay the ransoms if it is the most cost-effective option for them. And unfortunately, these types of attacks will continue because perpetrators will continue to profit from these actions.”
Halifax privacy lawyer David Fraser of the McInness Cooper law firm said governments could forbid ransomware payments. But that won’t be useful, he argued in an interview. “In my experience dealing with companies that have been affected by ransomware, if you pay a ransom generally you get the data back. And if you don’t have a good backup that you can restore almost immediately in most cases paying the ransom costs less than paying the downtime associated with trying to reconstruct your data.
“I think that governments could probably do more to reduce the likelihood of ransomware,” he said. For example, they could offer more tax incentives to organizations for buying hardware and software to make their networks and data more secure.
Making organizations buy cyber insurance might be also effective because insurers will lean on customers to have tough data protection to reduce the risk of a successful attack, he added.
Fraser also argued that governments should increase efforts to make sure small and mid-sized businesses know the publicly-available cybersecurity resources. “Most small and medium-sized businesses have no idea what their legal obligations are,” he said. “Nor do they have the resources to protect their infrastructure.”
Well-known American security technologist Bruce Schneier backs the idea of making payments for all kinds of ransom demands (including kidnapping) illegal — there’s nothing special about computer ransomware, he added. “I would like it if no one would pay,” he said in an interview. Forbidding ransom payments would kill the incentive for criminals. However, he added, organizations will find a way around the prohibition because they want their data back. In fact, he said, companies do that now by hiring third parties to negotiate and pay ransoms.
Better, he said, is for organizations to toughen their cyber defences so ransomware gangs target companies or government departments that are less protected.
For a full discussion of the pros and cons of paying ransoms Schneier suggested people read this email thread between a consultant who deals in ransom negotiations and several cybersecurity experts. One point made: Since Bitcoin and other digital currencies are favoured by ransomware gangs for payments due to their anonymity, hit them in their digital wallets.
Ed Dubrovsky, managing partner of Toronto-based incident response specialist Cytelligence (recently bought by insurer Aon), noted that many governments and insurance agencies already refuse to pay ransoms. Indiscriminate and highly-publicized acts such as the attack on the Dusseldorf hospital may make governments act, he said.
“Will it make a difference? In the short term, no. Companies will continue to get hit and in the absence of making a payment option, they might go out of business. But in the long term, it will impact this industry quite significantly in my opinion, and will serve to protect small/medium organizations more than large ones.”
Asked for comment, a spokesperson for Public Safety Minister Bill Blair turned down a request for an interview. “We live in a highly interconnected world,” the spokesperson said in an email, “and more than ever, information technology plays an important role in all of our lives. Ensuring Canadians and Canadian businesses are safe online is an important piece of Minister Blair’s mandate and a critical part of the work that Public Safety Canada oversees. Cybercrime is a significant issue in Canada that no one organization can resolve alone, and preventing these types of crime is a shared responsibility between business, industry and all levels of government.
“We continue to work in close collaboration with agencies and leaders in the technology sector to ensure Canadians follow best practices to be safe online and that our systems are secure. Canadians can be confident in the work performed by our security agencies, who will not hesitate to act in order to keep our country safe.”
The spokesperson noted the government has updated its National Cyber Security Strategy and funded the RCMP’s new National Cybercrime Co-ordination Unit (NC3 Unit), which co-ordinates Canadian police operations against cybercriminals and establishes a national mechanism for reporting cybercrimes to police. That unit won’t be fully operational for another two years.
The last federal budget also included $144.9 million over five years to protect Canada’s critical cyber systems.
Roger Grimes, the defence evangelist for the cyber awareness training firm KnowBe4, flatly declared that banning ransomware payments won’t work. “Even when governments claim they don’t pay a ransom, oftentimes the ransom is paid secretly by third parties. But the biggest reason why it won’t work with ransomware is that it is simply usually far cheaper and faster to reach full business recovery if the ransom is paid.
“It’s a business decision. These days most victims are paying the ransom, even victims that have good backups. Why? It can take days to weeks to restore the complexity of systems that we all have today. Recovering from a ransomware attack isn’t restoring one or a few servers. It’s often restoring dozens of inter-reliant servers to a particular point in time and then testing. Worse, oftentimes the holes that allowed the attacker in are not all found and if the victim doesn’t pay the ransom, the attacker just attacks them successfully again.
“On the other side, I’ve yet to learn of a victim being attacked again by the same ransomware gang when they paid the ransom. But today, more and more ransomware is taking confidential information and emails and threatening to release the contents publicly if not paid. Oftentimes that information is not only priceless to the company, but could permanently damage the company’s reputation with existing customers, employees, and the world at large. Paying two per cent of net annual revenues (the figure I hear is often charged for ransom) doesn’t seem to be that bad as compared to all the potential long-term damage a company could suffer if they didn’t pay. I could even see shareholders possibly suing if a public company spent more money and had more downtime if they didn’t pay.
“I’ve had good, respected IT leaders bragging to me about how they did not pay the ransom, and would never pay the ransom. How long were they down on average until they got back fully operational? Multiple months. I think if you told most business leaders that they could pay the ransom and be back up in 1/10th the time most would pay the ransom, even those who claim they would never pay the ransom. Many times the ransom is paid by intermediaries who either do or don’t let the victims know they are paying the ransom. Which of those victims really knew the ransom was actually being paid when they publicly said it was not, I don’t know.
“But the most important point is that until the root causes of the initial exploit are identified and closed, attackers can do anything any time. The primary problem isn’t ransomware. Ransomware is a single type of outcome resulting from the real existing problem (e.g. social engineering, unpatched software, re-used passwords, etc.). If defenders don’t close the root causes of exploits, they will never get rid of all hacking attacks.
“Let me put it another way, ransomware could disappear tomorrow, and if the holes that allowed ransomware to get in aren’t closed, the victims can be attacked by something else (e.g. remote access trojan, pass-the-hash attacks, etc.). Any company worrying the most about ransomware is worrying about the wrong issue. It’s like worrying about your brakes when someone has stolen your car. Everyone should be worrying about the ‘how’ more than the ‘what’ if they want to be more successful long-term.”
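Wong, Fraser and Grimes all reduce the pay-or-don’t-pay decision to one question: does the organization hold backups it can trust and restore from quickly? The script below is an added example, written for this article and not code from Emsisoft, KnowBe4 or any of the people quoted, of the check that question implies. It hashes every file in a backup set into a manifest, authenticates the manifest with an HMAC key that is assumed to live with the backup target rather than on the hosts being backed up (so an intruder who encrypts the files cannot also rewrite the manifest to match), and flags a restore point that is older than the recovery objective. The key, file names, timestamps and the simulated encryption event are all constructed for the demonstration.

```python
import hashlib
import hmac
import json
import os
import tempfile
import time
from pathlib import Path
from typing import Optional

# Constructed sample key. The assumption is that the real key lives with the
# backup target (an appliance, an HSM, or an object store the backed-up hosts
# cannot write to), never on the servers whose files it vouches for.
MANIFEST_KEY = b"example-manifest-key-not-for-production"


def sha256_file(path: Path) -> str:
    """Stream-hash a file so large backup images need not fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path, key: bytes, created: Optional[float] = None) -> dict:
    """Record every file's digest, then MAC the record with the out-of-band key."""
    files = {p.relative_to(root).as_posix(): sha256_file(p)
             for p in sorted(root.rglob("*")) if p.is_file()}
    body = {"created": time.time() if created is None else created, "files": files}
    payload = json.dumps(body, sort_keys=True).encode()
    return {"body": body, "mac": hmac.new(key, payload, hashlib.sha256).hexdigest()}


def verify_backup(root: Path, manifest: dict, key: bytes,
                  now: float, max_age_s: float) -> dict:
    """Check manifest authenticity, per-file integrity and restore-point age."""
    payload = json.dumps(manifest["body"], sort_keys=True).encode()
    expected = hmac.new(key, payload, hashlib.sha256).hexdigest()
    mac_ok = hmac.compare_digest(expected, manifest["mac"])

    recorded = manifest["body"]["files"]
    missing = [rel for rel in recorded if not (root / rel).is_file()]
    modified = [rel for rel in recorded
                if (root / rel).is_file() and sha256_file(root / rel) != recorded[rel]]
    unexpected = sorted(p.relative_to(root).as_posix() for p in root.rglob("*")
                        if p.is_file() and p.relative_to(root).as_posix() not in recorded)
    age_s = now - manifest["body"]["created"]
    stale = age_s > max_age_s
    return {"mac_ok": mac_ok, "missing": missing, "modified": modified,
            "unexpected": unexpected, "age_s": age_s, "stale": stale,
            "ok": mac_ok and not (missing or modified or unexpected or stale)}


def demo() -> dict:
    """Constructed scenario: a clean set, a stale copy, an encryption event, a forged manifest."""
    t0 = 1_600_000_000.0          # fixed timestamp so the results are reproducible
    day = 86_400.0
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "db").mkdir()
        (root / "db" / "patients.sql").write_bytes(b"-- constructed sample dump\n" * 100)
        (root / "config.yml").write_bytes(b"service: ehr\n")
        manifest = build_manifest(root, MANIFEST_KEY, created=t0)

        clean = verify_backup(root, manifest, MANIFEST_KEY, now=t0 + 3600, max_age_s=day)
        # Same intact set, but the newest copy is a week old: it fails the age check.
        stale = verify_backup(root, manifest, MANIFEST_KEY, now=t0 + 8 * day, max_age_s=day)

        # Simulated ransomware: one file overwritten with junk, another renamed.
        (root / "db" / "patients.sql").write_bytes(os.urandom(256))
        (root / "config.yml").rename(root / "config.yml.locked")
        tampered = verify_backup(root, manifest, MANIFEST_KEY, now=t0 + 3600, max_age_s=day)

        # The attacker rebuilds the manifest to match the encrypted files but,
        # lacking the offline key, cannot produce a MAC the verifier accepts.
        forged = build_manifest(root, b"attacker-guess", created=t0)
        forged_check = verify_backup(root, forged, MANIFEST_KEY, now=t0 + 3600, max_age_s=day)
    return {"clean": clean, "stale": stale, "tampered": tampered, "forged": forged_check}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The point of running this before an incident rather than after one is the one Grimes makes about restore time: a manifest that fails its MAC or lists modified files tells the organization that this copy is not the one to rebuild from, and the age check turns “we have backups” into “we have a backup newer than our recovery objective”. Only a restore drill proves the copy can actually be brought back into service; this check only rules out the copies that cannot.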
(This story has been updated from the original to include comments from Bruce Schneier.)