The Government is Getting Fed Up With Ransomware Payments Fueling Endless Cycle of Cyberattacks

With ransomware attacks surging and 2024 on track to be one of the worst years on record, U.S. officials are seeking ways to counter the threat, in some cases urging a new approach to ransom payments. From a report: Ann Neuberger, U.S. deputy national security adviser for cyber and emerging technologies, wrote in a recent Financial Times opinion piece that insurance policies -- especially those covering ransomware payment reimbursements -- are fueling the very same criminal ecosystems they seek to mitigate. "This is a troubling practice that must end," she wrote, advocating for stricter cybersecurity requirements as a condition for coverage to discourage ransom payments.

Zeroing in on cyber insurance as a key area for reform comes as the U.S. government scrambles to find ways to disrupt ransomware networks. According to the latest report by the Office of the Director of National Intelligence, by mid-2024 more than 2,300 incidents already had been recorded -- nearly half targeting U.S. organizations -- suggesting that 2024 could exceed the 4,506 attacks recorded globally in 2023. Yet even as policymakers scrutinize insurance practices and explore broader measures to disrupt ransomware operations, businesses are still left to grapple with the immediate question when they are under attack: Pay the ransom and potentially incentivize future attacks or refuse and risk further damage.

For many organizations, deciding whether to pay a ransom is a difficult and urgent decision. "In 2024, I attended a briefing by the FBI where they continued to advise against paying a ransom," said Paul Underwood, vice president of security at IT services company Neovera. "However, after making that statement, they said that they understand that it's a business decision and that when companies make that decision, it is taking into account many more factors than just ethics and good business practices. Even the FBI understood that businesses need to do whatever it takes to get back to operations," Underwood said.

Comments Filter:
  • Duh (Score:4, Insightful)

    by dark.nebulae ( 3950923 ) on Friday October 18, 2024 @12:20PM (#64874741)

    The only folks not fed up with it are the criminals that are getting paid.

  • I've seen a few kidnapping movies in my time and I can't understand why ransoms aren't outlawed (unless they are, and the movies pretend otherwise). I guess the government wants to make sure that people keep talking to the police?
    • No. We have to leave it up to the free market. The invisible hand will provide us all with optimal solutions. Government should get involved.

      Right?! =D [ROTFL]
    • by DarkOx ( 621550 )

      because it would just make criminals of people who are already victims.

      Imagine someone had your kid and was demanding money. Would you say, welp, sorry, paying you would be illegal? No, nobody would do that. They'd figure out how to pay and deal with the consequences later. Worse, they'd pay and then many likely would help hide the entire crime from the authorities, not wanting to get into legal hot water themselves. It would make the problem worse.

  • by cellocgw ( 617879 ) on Friday October 18, 2024 @12:23PM (#64874751)

    It's strictly illegal for corporations to pay bribes or kickbacks to facilitate their business operations. Congress could easily extend those laws to make paying ransom illegal as well.

    • Insurance (Score:4, Insightful)

      by JBMcB ( 73720 ) on Friday October 18, 2024 @12:28PM (#64874775)

      The proper place to fix this is with insurance. To get business insurance to cover this stuff, you should have to prove you have a proven, tested and audited recovery plan.

      • Insurance will climb until it's not payable any more; look at FL for examples.

        Instead, using intelligence to set up outside-US IP address databanks and watch where they go, and what they do, is a solution.

        Having fast backups and a business continuity plan is a solution.

        Looking for big globs of data being heisted/exported/movements is a solution. Think of it as Data Customs.

        Increasing liability for posting your certs on git/hub is a solution.

        Criminal penalties for fiduciary irresponsibility are a solution.

        And
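The "Data Customs" idea in the comment above (watching for big globs of data leaving the network) is the one item in that list that reduces to a concrete detection, so here is an added example of it. This is editor-written code, not anything the commenter or the story provides. It assumes flow records in a hypothetical `src=… dst=… dport=… bytes_out=…` line format, a hand-written internal address range list, and a constructed per-host baseline; real baselines come from history, and the sample flows and thresholds are made up for the demonstration.

```python
import ipaddress
import re
from collections import defaultdict

# Internal address space for this (hypothetical) site; anything outside it is
# treated as "leaving the building". Adjust to the real site's ranges.
INTERNAL_NETS = [
    ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")
]

# Constructed sample flow records (not real traffic), one per flow:
# timestamp, internal source, destination, destination port, bytes sent.
SAMPLE_FLOWS = """\
2024-10-18T02:13:05Z src=10.0.1.15 dst=203.0.113.9 dport=443 bytes_out=734003200
2024-10-18T02:14:11Z src=10.0.1.15 dst=203.0.113.9 dport=443 bytes_out=812345678
2024-10-18T02:15:40Z src=10.0.1.15 dst=198.51.100.7 dport=22 bytes_out=640000000
2024-10-18T09:01:02Z src=10.0.2.40 dst=10.0.9.5 dport=445 bytes_out=5200000000
2024-10-18T09:05:17Z src=10.0.2.40 dst=203.0.113.44 dport=443 bytes_out=1800000
2024-10-18T09:07:33Z src=10.0.3.77 dst=198.51.100.20 dport=443 bytes_out=42000000
this line is deliberately malformed and must be skipped
"""

# Constructed per-host baseline of typical daily outbound bytes to the Internet.
# In a real deployment this is learned from weeks of history, not hand-written.
BASELINE_BYTES = {
    "10.0.1.15": 50_000_000,     # workstation, normally ~50 MB/day outbound
    "10.0.2.40": 3_000_000_000,  # file server, large internal syncs are normal
    "10.0.3.77": 40_000_000,
}

FLOW_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+) bytes_out=(?P<bytes>\d+)$"
)


def is_internal(ip_text):
    """True if the address falls inside the site's own ranges."""
    ip = ipaddress.ip_address(ip_text)
    return any(ip in net for net in INTERNAL_NETS)


def external_egress(flow_text):
    """Sum bytes_out per internal source over flows whose destination is external."""
    totals = defaultdict(int)
    for line in flow_text.splitlines():
        m = FLOW_RE.match(line.strip())
        if not m:
            continue                      # tolerate junk; don't crash the detector
        if is_internal(m["dst"]):
            continue                      # internal-to-internal copies stay in-house
        totals[m["src"]] += int(m["bytes"])
    return dict(totals)


def flag_exfil(flow_text, baseline, ratio=10.0, floor=500_000_000):
    """Flag hosts whose external egress is both above an absolute floor and at
    least `ratio` times their own baseline. The floor stops a host with a tiny
    baseline from alerting on ordinary noise; the ratio stops a busy server
    from alerting just for being busy. Returns (host, bytes, multiple_of_baseline)."""
    flagged = []
    for src, total in sorted(external_egress(flow_text).items()):
        base = baseline.get(src, floor)   # unknown host: compare against the floor
        if total >= floor and total >= ratio * base:
            flagged.append((src, total, round(total / base, 1)))
    return flagged


if __name__ == "__main__":
    for src, total, mult in flag_exfil(SAMPLE_FLOWS, BASELINE_BYTES):
        print(f"ALERT {src}: {total / 1e9:.2f} GB to external hosts, {mult}x baseline")
```

On the constructed data only the workstation 10.0.1.15 fires: about 2.2 GB to outside addresses at 2 a.m. against a 50 MB baseline. The file server moves far more bytes, but to an internal host, so it is ignored; the point is to key on direction and on deviation from the host's own norm rather than on raw volume.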

      • by lsllll ( 830002 )

        you should have to prove you have a proven, tested and audited recovery plan.

        If you have all that, then what do you need insurance for? For your downtime?

        • by ukoda ( 537183 )
          Yes, that is what the insurance should be for, and only that. Such insurance should be relatively cheap since money would no longer be going to criminals.
      • by ukoda ( 537183 )
        Define 'Fix'. If insurance is used to pay a ransom that is not a fix, and it should be a crime as it will only lead to more victims. Any insurance fix should be limited to recovery and covering losses where a victim deals with the problem, without giving a single cent to criminals.
    • When criminals hack hospital equipment and literally hold the lives of patients in their hands, you think the right thing for the hospital to do is just let their patients die and say "sorry, blame the criminals?"

      When they could instead pay the ransom and save lives?

      (Same goes for when people's children are kidnapped).

      Simply making ransom-paying illegal is actually very morally questionable.

      • Allowing hospitals to have shit security is unsustainable.

        There is such a thing as a write only database. Nobody should be able to erase anyone's critical records.

        It should be illegal to run a hospital without competent security. Solve the problem at the supply side.

      • by ukoda ( 537183 )
        Wrong. Have you wondered why USA hospitals are top priority for targeting? It is because they pay; it's not like it costs the hospital much, they simply pass on the cost to patients. Contrast that with when a hospital was taken down with ransomware in New Zealand. It probably cost lives but it was a dumb move and has never happened again because it was impossible for the criminals to get paid. Sure, it caused weeks of disruptions while services were slowly recovered, but the criminals didn't get a single c
  • by rsilvergun ( 571051 ) on Friday October 18, 2024 @12:24PM (#64874757)
    just make it illegal to pay the ransom. Companies have calculated good security costs more than paying the ransoms. The only fix to that is to fine them more for paying the ransoms than not.

    But we don't actually treat white collar corporate crime like a crime, let alone have enough white collar cops (aka "bureaucrats") to enforce it if we did.
    • The fine would have to be big enough to also take away the business incentive of paying the ransom. Usually paying the ransom is much cheaper than trying to rebuild what was lost, if not saving the company outright.

      Fines won't help, the risk to the company for paying a ransom should simply be the shutdown and closing of the company - make paying ransoms a choice they simply can't make.
      • by DarkOx ( 621550 )

        Oh yeah punish the victim. This type of thinking is exactly why I am as anti-government as I am.

        The thing to do is punish the criminals. Make crimes involving ransoms carry a mandatory minimum of 50 years with no option for parole or early release! Make the damn State Department make it clear to our so-called allies that if they permit cyber ransom operators to collect remittances and operate, they will face diplomatic consequences, trade sanctions, embargoes, possible military incursions and special opera

        • by abulafia ( 7826 )

          The thing to do is punish the criminals. Make crimes involving ransoms carry a mandatory minimum of 50 years with no option for parole or early release

          Because as we all know, longer sentences solve crime. If you still have crime, you haven't made them long enough yet.

          Here in the real world, the vast majority of these players are in jurisdictions that don't give a shit about your law. Now what?

          Oh yeah punish the victim

          If you cannot competently manage your systems, you should not be building piles of s

      • by ukoda ( 537183 )
        Or make it jail time for whomever authorises payment to the criminals. See how many corporate employees are ready to do jail time for a quick fix that passes costs on to customers.
    • There are laws making it illegal to solicit bribes, to commit fraud, falsify records, or not do the work. And yet, all of the above, and more, keeps happening.

    • just make it illegal to pay the ransom..

      Dumbass says dumbass thing.

      Imagines they are BRILLANT like TRUMP

      First rule of reality. Stop being a dumbass.

    • by gweihir ( 88907 )

      Indeed. And do not just fine the company. Lock those up that made the decision to pay.

    • Companies have calculated good security costs more than paying the ransoms.

      Exactly the quote I got working part time at regional hospital. They'd had multiple visits from the FBI for data breaches, and forced network reorganizations to "mitigate" issues in the future.

      They still said that they'd pay the ransom and push the cost onto their patients (whose data had been stolen for the umpteenth time) because it's cheaper than doing proper backups.

      The free market has decided that the safety and well being of the general public isn't profitable enough. These corporate clowns aren't g

  • THEN MAKE IT ILLEGAL TO PAY THEM. If there's a zero chance you're getting paid in a certain country, you're not going to attack that country for money. It's that damn simple. Oh noooo, irreplaceable data! You're sunk without it. FUCK YOU! Go out of business, you morons. Sincerely, a better IT technician in a better prepared IT department at a better company.
    • It is illegal, but it is TRIVIALLY (pardon the all caps) easy to get around.

      Company A considers security to have no ROI, gets hacked and ransomwared.

      Company A hired offshore firm "B", pays them the cost of the ransom plus a percentage fee.

      Hired offshore firm "B" pays the ransom.

      Company A gets their decryption keys.

      ?????

      Profit on all areas, because the ransom will get charged off, the offshore consulting company gets a bonus, and the guys in North Korea get money for more troops to send to Russia, and more m

    • by gweihir ( 88907 )

      I completely agree. This crime financing has to stop. I expect that a few CEOs behind bars will serve nicely to stop this mess.

  • First up, why do ISPs not give an option to just blanket block e-mails and even connections from other regions? If you want to allow them, your ISP can have settings to open up connections from various places, but for the majority of people and companies, are you doing business from Nigeria, or even for smaller businesses, if you aren't involved or interested in doing business outside of your own country, wouldn't you feel safer if your ISP were just blocking all traffic from other countries? I know tha

    • by ceoyoyo ( 59147 )

      "We can set up firewalls ourselves as well"

      Yes you can. Leave the ISP out of it. They're annoying enough already.

  • Seriously. I have over 200 Digital Ocean/Azure/AWS/etc IP blocks already and it continues to grow.

    With cloud automation, it's trivial to spin up infrastructure, spew the campaign, grab the necessary then simply dissolve it all.

    Cloud vendors have to become part of the defense-in-depth solution or we will remain farked.
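The comment above keeps a growing list of cloud-provider IP blocks, and the earlier one asks about blocking whole regions at the network edge. Both come down to the same check: is this address inside any of a few hundred CIDR blocks? Below is an added, editor-written example of doing that check efficiently and running it over login records; it is not code from either commenter. The CIDR blocks are documentation prefixes standing in for a provider's published range file, the sshd-style log lines are constructed, and the `CidrSet`, `LOGIN_RE` and `logins_from_blocks` names are this example's own.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed CIDR blocks standing in for a provider range feed. These are
# documentation prefixes, not any real provider's published ranges; in practice
# the list is built from the providers' own published range files.
CLOUD_RANGES = [
    "203.0.113.0/24",
    "198.51.100.128/25",
    "2001:db8:1000::/36",
]

# Constructed sshd-style log lines (not from a real host).
SAMPLE_AUTH_LOG = """\
Oct 18 12:01:02 bastion sshd[4121]: Accepted publickey for deploy from 203.0.113.77 port 51022 ssh2
Oct 18 12:01:09 bastion sshd[4130]: Failed password for root from 198.51.100.200 port 40012 ssh2
Oct 18 12:02:15 bastion sshd[4144]: Accepted publickey for alice from 192.0.2.10 port 50110 ssh2
Oct 18 12:03:40 bastion sshd[4160]: Failed password for admin from 2001:db8:1000:abcd::1 port 33001 ssh2
Oct 18 12:04:01 bastion sshd[4171]: Accepted password for bob from 198.51.100.5 port 44100 ssh2
"""


class CidrSet:
    """Membership test against many CIDR blocks.

    Instead of scanning every block per lookup, group the blocks by
    (IP version, prefix length); a lookup then masks the address to each
    distinct prefix length and does a set lookup. With hundreds of blocks
    but only a handful of prefix lengths this is a large win."""

    def __init__(self, cidrs):
        self._by_prefix = defaultdict(set)  # (version, prefixlen) -> {network}
        for cidr in cidrs:
            net = ipaddress.ip_network(cidr, strict=False)
            self._by_prefix[(net.version, net.prefixlen)].add(net)

    def __contains__(self, ip_text):
        ip = ipaddress.ip_address(ip_text)
        for (version, plen), nets in self._by_prefix.items():
            if version != ip.version:
                continue
            # strict=False zeroes the host bits, giving the enclosing /plen network
            if ipaddress.ip_network(f"{ip}/{plen}", strict=False) in nets:
                return True
        return False

    def __len__(self):
        return sum(len(nets) for nets in self._by_prefix.values())


# Matches the common sshd "Accepted/Failed <method> for <user> from <ip> port" form.
# The "invalid user" variant is intentionally not handled here.
LOGIN_RE = re.compile(
    r"sshd\[\d+\]: (?P<result>Accepted|Failed) \w+ for (?P<user>\S+) from (?P<ip>\S+) port"
)


def logins_from_blocks(log_text, cidr_set):
    """Return (user, ip, result) for every login attempt sourced from a listed block,
    successful ones included: a valid key used from a throwaway cloud VM is the
    case worth looking at first."""
    hits = []
    for line in log_text.splitlines():
        m = LOGIN_RE.search(line)
        if m and m["ip"] in cidr_set:
            hits.append((m["user"], m["ip"], m["result"]))
    return hits


if __name__ == "__main__":
    blocks = CidrSet(CLOUD_RANGES)
    for user, ip, result in logins_from_blocks(SAMPLE_AUTH_LOG, blocks):
        print(f"{result:8s} {user:10s} from {ip} (listed block)")
```

The same `CidrSet` works for a country-level list (many /16s and /24s) as for provider ranges, and it handles IPv4 and IPv6 side by side, which matters because attackers who find their IPv4 range blocked will try the v6 side of the same cloud. Whether to drop such traffic at the firewall or only alert on it is the policy question the thread is arguing about; the check itself is the same either way.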

  • Just sanction all crypto exchanges. The moment the US cuts off crypto from the financial system it's dead and ransomware with it.

    Ransomware solved. Gigawatts of power saved. Win win.

    • by gweihir ( 88907 )

      For that you would have to get rid of some no honor, no brains politicians and their followers. I do not see that happening.

  • If it's infrastructure, don't connect it to the internet.

    If it's internet connected business hardware/software, 3-2-1 backups, and a real capable on staff administrator.

    If it's lifesaving must-be-connected-to-save-the-life gear, keep a spare on-hand and disconnected.

    If it's consumer IOT lightbulb vacuum washing machine surveillance silliness, make better buying decisions in the future.

    It's crazy how this is still such a problem. I've personally guided multiple business through ransomware infections. It's no

  • by rtkluttz ( 244325 ) on Friday October 18, 2024 @01:19PM (#64874933)

    I used to run the IT security program at a large multinational business that dealt with a really nasty chemical. The fact that we dealt with that chemical forced us to be brought under the Homeland Chemsec level 2 tiered site and we had to submit to audits by Homeland Security. The auditors who audited us said I did the best on the initial audit of any company they had ever audited. The ONLY things that I got dinged on, I had proof that I had attempted to put in place but got overridden by executive levels. Simple things like PC lockdowns that existed on every other machine in the org but fucking entitled execs refused to allow to happen to their own machines. Things like delivery times and every PC that had data that showed deliveries, storage, personnel all had to be very tightly controlled. Executive levels were privy to that and had it on their laptops. We got dinged for it in the audit, but NOTHING HAPPENED of any substance.

    Executive levels are the WORST security issues in most companies and no one does a thing about it. Security teams warn them. Nothing. External audits... nothing.

    Security really isn't as hard as people make it out to be. A 100% whitelist based system where nothing new works and everything has to be vetted and approved in advance actually makes IT security fairly simple and cheap. It's only when you have to cater to employee "happiness" that things go off the rails. In IT security, happiness is irrelevant. Configure every single machine in the company to be able to do the pre-defined and assigned job function and anything other than that should fail, and you can have a cheap and simple security system. But that never happens fully because employee happiness is a consideration above security and that should NEVER be the case.

    • by gweihir ( 88907 )

      Security really isn't as hard as people make it out to be. A 100% whitelist based system where nothing new works and everything has to be vetted and approved in advance actually makes IT security fairly simple and cheap.

      I agree. Those that get hit usually did ignore the problem. In case of the C-levels, often in hopes of a bigger bonus. I essentially see that as fraud against the company these days.

      It's only when you have to cater to employee "happiness" that things go off the rails. In IT security, happiness is irrelevant.

      That one I disagree rather strongly with. People need to be able to work with minimal hassle. Or they start to circumvent security measures. That means that getting something to run must be easy, denials by IT must be clear and make sense and generally, user support must be good. For example, if a user wants "insecure product xy

      • You misunderstand. WORK should work. With no hassle. Anything NOT related to work should not. Every web page, every piece of software, every permission should be tailored to the absolute bare minimum to get the job done and not one single thing else. I don't give a fuck if the employee or executive is unhappy that they can't install software or visit a web page to get sports scores.

    • It is not just IT. Most leaks of confidential information are at the executive level. Get a few drinks into one and he will start boasting about all the neat stuff his company is doing. Fortunately, many of them know so little about what is really going on that they cannot really leak anything critical.
  • The fuckers that pay did try to go cheap before and basically asked for it. There really is no sane way to see these organizations as "victims" at this time. They are perpetrators that make things worse, nothing else.

  • It needs to be decided and voted on by Congress, not an unelected bureaucracy.

    • Congress is lobbied by big Corp. First thing would be to make lobbying illegal so that the congress critters will actually vote in their constituents' best interests. Then get term limits so that fresh eyes are always in the system instead of career politicians.

      But really, paying blackmail is already illegal...
  • Just start up BuSab, Frank Herbert's bureau of sabotage, only have it attack domestic businesses. Of course, it would provide the victims (and after a delay everyone else) with details on how it successfully attacked with what should have been done to prevent that, and it wouldn't exploit customer data, just prevent the company from having access to it. And, it would attack relentlessly, so that no company could afford to continue operating with shitty security. Additionally, continue with fining companie
  • If you incentivize criminals to steal, they will keep doing it. You paid them, they should stop, right? Is that how that works?
