The Government is Getting Fed Up With Ransomware Payments Fueling Endless Cycle of Cyberattacks 100
With ransomware attacks surging and 2024 on track to be one of the worst years on record, U.S. officials are seeking ways to counter the threat, in some cases, urging a new approach to ransom payments. From a report: Ann Neuberger, U.S. deputy national security adviser for cyber and emerging technologies, wrote in a recent Financial Times opinion piece, that insurance policies -- especially those covering ransomware payment reimbursements -- are fueling the very same criminal ecosystems they seek to mitigate. "This is a troubling practice that must end," she wrote, advocating for stricter cybersecurity requirements as a condition for coverage to discourage ransom payments.
Zeroing in on cyber insurance as a key area for reform comes as the U.S. government scrambles to find ways to disrupt ransomware networks. According to the latest report by the Office of the Director of National Intelligence, by mid-2024 more than 2,300 incidents already had been recorded -- nearly half targeting U.S. organizations -- suggesting that 2024 could exceed the 4,506 attacks recorded globally in 2023. Yet even as policymakers scrutinize insurance practices and explore broader measures to disrupt ransomware operations, businesses are still left to grapple with the immediate question when they are under attack: Pay the ransom and potentially incentivize future attacks or refuse and risk further damage.
For many organizations, deciding whether to pay a ransom is a difficult and urgent decision. "In 2024, I attended a briefing by the FBI where they continued to advise against paying a ransom," said Paul Underwood, vice president of security at IT services company Neovera. "However, after making that statement, they said that they understand that it's a business decision and that when companies make that decision, it is taking into account many more factors than just ethics and good business practices. Even the FBI understood that businesses need to do whatever it takes to get back to operations," Underwood said.
Zeroing in on cyber insurance as a key area for reform comes as the U.S. government scrambles to find ways to disrupt ransomware networks. According to the latest report by the Office of the Director of National Intelligence, by mid-2024 more than 2,300 incidents already had been recorded -- nearly half targeting U.S. organizations -- suggesting that 2024 could exceed the 4,506 attacks recorded globally in 2023. Yet even as policymakers scrutinize insurance practices and explore broader measures to disrupt ransomware operations, businesses are still left to grapple with the immediate question when they are under attack: Pay the ransom and potentially incentivize future attacks or refuse and risk further damage.
For many organizations, deciding whether to pay a ransom is a difficult and urgent decision. "In 2024, I attended a briefing by the FBI where they continued to advise against paying a ransom," said Paul Underwood, vice president of security at IT services company Neovera. "However, after making that statement, they said that they understand that it's a business decision and that when companies make that decision, it is taking into account many more factors than just ethics and good business practices. Even the FBI understood that businesses need to do whatever it takes to get back to operations," Underwood said.
Duh (Score:5, Insightful)
The only folks not fed up with it are the criminals that are getting paid.
Car seats and T-Tops (Score:2)
Uncle X told me that in the 1980s car insurance companies would buy used car seats and used T-Tops to replace ones which were stolen.
That setup a thriving market for people to steal a car, steal the seats out of it, steal the T-Tops and sell them to a junk yard.
The junk yard would then sell them to the insurance company.
It took about 2 years for insurance companies to figure out that buying used parts only enabled the theft in the first place. The insurance companies stopped buying used parts and bought on
Re: (Score:2)
Many businesses don't care because getting stung by it is cheaper than having proper security and backups. Plus, ransomware has better quality software and tech support than almost anything else in the tech sector.
NO POLICE! AND APPLY NO MORAL INDUCTION! (Score:2)
Re: (Score:2, Flamebait)
Right?! =D [ROTFL]
Re: (Score:2)
Re: (Score:2, Insightful)
because it would just make criminals of people who are already victims.
Imagine someone had your kid and was demanding money. Would say welp, sorry paying you would be illegal? No nobody would do that. They'd figure out how to pay and deal with the consequences later. -Worse they'd pay and then many likely would help hide the entire crime from the authorities not wanting to get into legal hot water themselves. It would make the problem worse.
Re: NO POLICE! AND APPLY NO MORAL INDUCTION! (Score:1)
How about we hire educated police instead of community college educated children, and have them actually fight actual crime?
Re: (Score:1)
Re: (Score:2)
A PHD isn't going to prevent a cop from killing people. You give them a gun and tell them to "be safe" and send them out to deal with people who are often the worst people at their worst. Do that over and over with "veterans" telling them the best way to survive is "shoot first and explain later" and there are no consequences for doing that. And they will be ostracized for not shooting fast enough. Surprise! People get killed.
All a PHD will do is keep them from taking that kind of job.
Re: (Score:2)
because it would just make criminals of people who are already victims.
Does your insurance pay off if your unlocked car, parked with all the windows open gets stolen?
think of it as a bribe (Score:4, Interesting)
It's strictly illegal for corporations to pay bribes or kickbacks to facilitate their business operations. Congress could easily extend those laws to make paying ransom illegal as well.
Insurance (Score:4, Insightful)
The proper place to fix this is with insurance. To get business insurance to cover this stuff, you should have to prove you have a proven, tested and audited recovery plan.
Re: (Score:1)
Re: (Score:2)
Or have a strict published policy of not paying ransoms.
That's how you either 1.) lose customers to another insurance company who is not that strict, or 2.) play the shell game where the customer hires a consulting firm to "reverse engineer" the ransomware and "extract the key", which is a highly skilled process costing...1.5X the ransom, conveniently, since all that happened was that the consulting firm paid the ransom and is making money for their service of enabling the client to collect on the insurance payout.
Re: (Score:2)
Re: (Score:3)
Insurance will climb until it's not payable any more, look at FL for examples.
Instead, using intelligence to set up outside-US IP address databanks and watch where they go, and what they do, is a solution.
Having fast backups and a business continuity plan is a solution.
Looking for big globs of data being heisted/exported/movements is a solution. Think of it as Data Customs.
Increasing liability for posting your certs on git/hub is a solution.
Criminal penalties for fiduciary irresponsibility is a solution.
And
Re: (Score:2)
you should have to prove you have a proven, tested and audited recovery plan.
If you have all that, then what do you need insurance for? For your downtime?
Re: (Score:2)
Risk Analysis (Score:2)
It's simple pareto. A good recovery plan will get you through 80% of potential issues. Insurance is there for the 20% your recovery plan can't cover. You get back up but Crowdstrike takes everything back down. Your IT department all quits at the same time.
Re: (Score:3)
Re: (Score:2)
Price (Score:2)
What's a better return on your investment if you are a company - spending the time and money on a reliable disaster recover plan, or paying out a ransom?
Re: Tax Impact (Score:2)
Most insurance premiums - and the payments to blackmailers - are legitimate business expenses. So they are deducted from revenue, and not taxed.
Make them non-eligible and they will need to be paid with profits (rather than gross revenues).
Then you will see a big change in behaviour.
Re: (Score:2, Interesting)
When criminals hack hospital equipment and literally hold the lives of patients in their hands, you think the right thing for the hospital to do is just let their patients die and say "sorry, blame the criminals?"
When they could instead pay the ransom and save lives?
(Same goes for when people's children are kidnapped).
Simply making ransom-paying illegal is actually very morally questionable.
Re: think of it as a bribe (Score:5, Insightful)
Allowing hospitals to have shit security is unsustainable.
There is such a thing as a write only database. Nobody should be able to erase anyone's critical records.
It should be illegal to run a hospital without competent security. Solve the problem at the supply side.
Re: (Score:2)
Re: (Score:3)
Re: (Score:3)
It is because they pay,
It's also because hospitals and medical devices have awful security. And it's not because the state-of-the-art in online security just isn't good enough to fend off criminals, it's because the administrators and manufacturers are all too cheap to apply them. They cut those corners, and people die because of it.
Simply making ransom-paying illegal is a serious "punish the victim" approach, and it will cost people their lives. Instead, make regulatory changes that will require hospit
Re: (Score:2)
While "punish the victim" approach may seem unfair it wil
Re: (Score:2)
I really think you would change your tune if you were drowning in your own blood on a hospital bed while hackers demanded money to turn the power back on, so the doctors could save your life.
If you were conscious you might even offer to pay part of the ransom yourself rather than die a slow and agonizing death.
And if it was YOUR kid, who you loved very much, that kidnappers were holding for ransom...a ransom that you could totally afford to pay....are you just going to let them murder your child instead? "
Re: (Score:2)
No I'm not heartless, the ransom of an individual is a different story, you have few options, but commercial ransomware attacks are different, you have options.
In your "I really think you would change your tune if you were drowning in
Re: (Score:3)
IINAL
AFAIK, it is only a bribe if you think the money will go to a government official. While some of these hackers are working for the benefit of hostile countries they are not 'officials' and are not covered under anti-bribery laws, at least from my understanding under US law.
To me the main problem is that the folks that are in charge of deciding how much effort and cost is put in security practices are never personally liable for what should account to willful negligence. In practice these folks will jus
Re: (Score:2)
If we could get the combination of the G7 and the EU to make paying a ransomware carry a jail term for the board members along with band on being on board for the next 20 years and also anyone aware of the ransomware being paid for not reporting it get jail time, the practice would go out of fashion very quickly. Under those terms nobody is paying the ransom and if you can't make money there is no point to the practice.
Re: (Score:2)
What do you do when a hospital has a choice between paying ransom and letting patients die?
The fix is easy (Score:3)
But we don't actually treat white collar corporate crime like a crime, let alone have enough white collar cops (aka "bureaucrats") to enforce it if we did.
Re: (Score:2)
Fines won't help, the risk to the company for paying a ransom should simply be the shutdown and closing of the company - make paying ransoms a choice they simply can't make.
Re: (Score:2)
Oh yeah punish the victim. This type of thinking is exactly why I am as anti-government as I am.
The thing to do is punish the criminals. Make crimes involving ransons carry a mandatory minimum of 50 years with no option for parole or early release! Make the damn State Department make it clear to our so called allies that if they permit cyber ransom operators to collect remittances, and operate the will face diplomatic consequences, trade sanctions, embargoes, possible military incursions and special opera
Re: (Score:2)
Because as we all know, longer sentences solve crime. If you still have crime, you haven't made them long enough yet.
Here in the real world, the vast majority of these players are in jurisdictions that don't give a shit about your law. Now what?
If you cannot competently manage your systems, you should not be building piles of s
Re: The fix is easy (Score:2)
Yes, exactly. Punish the "victim". It's fair, because in this particular case, it's not just a victim. It's both a victim AND a perpetrator's accomplice. Aiding and abetting a felon has its consequences.
Re: (Score:2)
Re: (Score:2)
There are laws making it illegal to solicit bribes, to commit fraud, falsify records, or not do the work. And yet, all of the above, and more, keeps happening.
Re: (Score:2)
The proof is in how rare ransomware attacks are on target with no legal way to pay criminals, such as organizations run directly by governments.
Re: (Score:2)
Indeed. And do not just fine the company. Lock those up that made the decision to pay.
Re: (Score:2)
Companies have calculated good security costs more than paying the ransoms.
Exactly the quote I got working part time at regional hospital. They'd had multiple visits from the FBI for data breaches, and forced network reorganizations to "mitigate" issues in the future.
They still said that they'd pay the ransom and push the cost onto their patients (who's data had been stolen for the upteethtime) because it's cheaper than doing proper backups.
The free market has decided that the safety and well being of the general public isn't profitable enough. These corporate clowns aren't g
Re: (Score:2)
A fine won't work. What will work is a minimum jail term of 12 months for the C-levels and a ban on holding a C-level position for the next decade if a ransom is paid. Also jail time say six months minimum for anyone aware the ransom was paid who didn't report it to the FBI. Now nobody is paying the ransom period.
I have an idea (Score:2)
It is illegal in a number of cases... (Score:2)
It is illegal, but it is TRIVIALLY (pardon the all caps) easy to get around.
Company A considers security to have no ROI, gets hacked and ransomwared.
Company A hired offshore firm "B", pays them the cost of the ransom plus a percentage fee.
Hired offshore form "B" pays the ransom.
Company A gets their decryption keys.
?????
Profit on all areas, because the ransom will get charged off, the offshore consulting company gets a bonus, and the guys in North Korea get money for more troops to send to Russia, and more m
Re: (Score:2)
Re: (Score:2)
If company "B" is offshore, then enforcing it becomes an international effort, and with many countries it just won't be bothered with. The loophole is trivial. Pretty much all big US businesses offshore anyway, so having ransom "taken care of" by this method is easy.
Re: It is illegal in a number of cases... (Score:2)
If the company "A" is not offshore, then it still can be audited. And when it becomes clear that it was ransomwared, yet somehow got the decrypting key by unclear means, there will be hard questions to be answered. And a hell to pay.
Re: (Score:2)
I hope you are right. I've never seen an incident where government prevailed over the private sector in all the time I've been in IT, other than maybe some lip service to regulations, be it pinky promises, POA&Ms which had more high fantasy in them than anything Tolkien or Piers Anthony could ever make, stupid tricks like powering off Windows machines when the auditors were scanning, or whatnot.
The -only- industry I've worked in where regs were taken as more than a laughing stock was the film industry.
Re: (Score:2)
I completely agree. This crime financing has to stop. I expect that a few CEOs behind bars will serve nicely to stop this mess.
Too few understand the idea of proper protection (Score:2)
First up, why do ISPs not give an option to just blanket block e-mails and even connections from other regions? If you want to allow them, your ISP can have settings to open up connections from various places, but for the majority of people and companies, are you doing business from Nigeria, or even for smaller businesses, if you aren't involved or interested in doing business outside of your own country, wouldn't you feel safer if your ISP were just blocking all traffic from other countries? I know tha
Re: (Score:2)
"We can set up firewalls ourselves as well"
Yes you can. Leave the ISP out of it. They're annoying enough already.
Re: (Score:2)
Bringing the ISP in as an active censor means that whatever IP group can then tell the ISP to block what they feel like a la SOPA/PIPA. Once some process is in place, even if is intended only for uses in emergencies, that "emergency" tier bar always lowers and lowers to "that person pirated a song" or even "that person blocked an ad" tier.
Re: (Score:2)
You're thinking too small. The OPs particular suggestion was blocking all foreign traffic. "Wouldn't you feel safer if your ISP were just blocking all traffic from other countries?"
North Korea does that, for very specific reasons.
Cloud POC subscriptions (Score:3)
Seriously. I have over 200 Digital Ocean/Azure/AWS/etc IP blocks already and it continues to grow.
With cloud automation, it's trivial to spin up infrastructure, spew the campaign, grab the necessary then simply dissolve it all.
Cloud vendors have to become part of the defense-in-depth solution or we will remain farked.
Simple solution ... (Score:3)
Just sanction all crypto exchanges. The moment the US cuts off crypto from the financial system it's dead and ransomware with it.
Ransomware solved. Gigawatts of power saved. Win win.
Re: (Score:2)
For that you would have to get rod of some no honor, no brains politicians and their followers. I do not see that happening.
Re: (Score:2)
Sanctioning Iran's banking didn't cut it off from Swift. The US can sanction anyone it damn pleases.
Sigh... (Score:2)
If it's infrastructure, don't connect it to the internet.
If it's internet connected business hardware/software, 3-2-1 backups, and a real capable on staff administrator.
If it's lifesaving must-be-connected-to-save-the-life gear, keep a spare on-hand and disconnected.
If it's consumer IOT lightbulb vacuum washing machine surveillance silliness, make better buying decisions in the future.
It's crazy how this is still such a problem. I've personally guided multiple business through ransomware infections. It's no
Re: (Score:2)
Maybe the ideal is going back to the idea of air-gapped networks with data diodes, so data can go out, like logs and analytics, but nothing comes in. We had this in the past where companies really didn't want to connect all their secret stuff to the Internet so any Joe in any country could guzzle their data.
What needs to happen is that operating systems need to get better at running in offline mode. Red Hat does this well, and Ubuntu is decent. Windows... who knows. No cloud connections, no constant tel
Product of their own lack of foresight (Score:5, Insightful)
I used to run the IT security program at a large multinational business that dealt with a really nasty chemical. The fact that we dealt with that chemical forced us to be brought under the Homeland Chemsec level 2 tiered site and we had to submit to audits by Homeland security. The auditing that audited us said I did the best on the initial audit of any company they had ever audited. The ONLY things that I got dinged on, I had proof that I had attempted to put in place but got over ridden by executive levels. Simple things like PC lockdowns that existed on every other machine in the org but fucking entitled execs refused to allow to happen to their own machines. Things like delivery times and every PC that had data that showed deliveries, storage, personnel all had to be very tightly controlled. Executive levels were privvy to that and had it on their laptops. We got dinged for it in the audit, but NOTHING HAPPENED with of any substance. Executive levels are the WORST security issues in most companies and no one does a thing about it. Security teams warn them. Nothing. External audits... nothing. Security really isn't as hard as people make it out to be. A 100% whitelist based system where nothing new works and everything has to be vetted and approved in advance actually makes IT security fairly simple and cheap. It's only when you have to cater to employee "happiness" that things go off the rails. In IT security, happiness is irrelevant. Configure every single machine in the company to be able to do the pre-defined and assigned job function and anything other than that should fail and you can have cheap and simple security system. But that never happens fully because employee happiness is a consideration above security and that should NEVER be the case.
Re: (Score:2)
Security really isn't as hard as people make it out to be. A 100% whitelist based system where nothing new works and everything has to be vetted and approved in advance actually makes IT security fairly simple and cheap.
I agree. Those that get hid usually did ignore the problem. In case of the C-levels, often in hopes of a bigger bonus. I essentially see that as fraud against the company these days.
It's only when you have to cater to employee "happiness" that things go off the rails. In IT security, happiness is irrelevant.
That one I disagree rather strongly with. People need to be able to work with minimal hassle. Or they start to circumvent security measures. That means that getting something to run must be easy, denials by IT must be clear and make sense and generally, user support must be good. For example, if a user wants "insecure product xy
Re: (Score:2)
You misunderstand. WORK should work. With no hassle. Anything NOT related to work should not. Every web page, every piece of software, every permission should be tailored to the absolute bare minimum to get the job done and not one single thing else. I don't give a fuck if the employee or executive is unhappy that they can't install software or visit a web page to get sports scores.
Re: (Score:2)
Ah. Well, I agree on "other" software. I do not agree on that "bare minimum".
Re: (Score:2)
I do wonder why we need web browsers for internal apps at all. We don't need to go back to 3270 interfaces, although those, in a lot of cases, worked extremely well. However, something that is very basic that one can arrange fields, and highly responsive to combat user frustration. In general, an app frontend that runs on the endpoints is going to be a lot faster and more useful than a browser, just because browser code is so poorly written and bloated in general. It would be nice to have a UI-lite with
Re: (Score:2)
Outlaw payment (Score:1)
The fuckers that pay did try to go cheap before and basically asked for it. There really is no sane way to see these organizations as "victims" at this time. They are perpetrators that make things worse, nothing else.
IF the government outlaws ransom payments ... (Score:2)
It needs to be decided and voted on by Congress, not an unelected bureaucracy.
Re: (Score:2)
But really, paying blackmail is already illegal...
Re: (Score:3)
Lobbying is too broad a thing to make illegal. It encompasses legit activity such as writing your Congressperson. The right to petition the government is literally a part of the First Amendment.
What you need to target is the appearance of quid pro quo--the funding. Also, the authorship of bills by organizations, ie, Congress subbing out their jobs to special interests. The devil is in these details, because the very people who could intelligently figure out how to do it are...
...people with experience
Re: (Score:2)
If you need to be in the government more than 10 years to accomplish something then why are you there? The world is evolving faster and faster, government needs new blood instead of the old boys club that remains in place to line their friend's pockets.
Re: (Score:2)
OK, I think we're pretty much on the same page regarding non-individuals lobbying, although there's a distinction to be made between things like AARP as opposed to Chevron. With modern technology, there's an argument to be made that you don't need non-profit advocacy organizations either because they could (in theory) mass-filter emails from individuals or something to get an aggregate opinion of what retirees really think, as opposed to AARP's reps. Not picking on AARP in particular, just using it as an
Re: (Score:2)
I think you could start by outlawing corporate political contributions as de facto quid pro quo while we re-examine the whole notion or corporate personhood.
Maybe some problems with political PACs, but those should be under strict disclosure laws anyway and can be considered seperately.
Billionaires of course are still free to spend their own money in defense of their political causes, but no more raiding the corporate kitty as if it were sentient to exercise free speech as some shell game.
Tax shitty cybersecurity (Score:2)
seems weird (Score:2)
Make it illegal to pay the ransom (Score:2)
Hold up.. (Score:2)
Isn't it illegal to give money to enemies of the state?
If those paying ransoms are funding enemies of the state, aren't they committing federal offenses?
Not an American, so maybe have this mixed up...but that's my impression.
The devil on my shoulder (Score:2)
The devil on my shoulder is telling me to start spreading cryptolocker malware and then not sending the unlock key after payment. I'll make businesses across the country safer (in the long run) while also getting rich!
Is it possible to prevent this? (Score:2)
Don't Horde vulnerabilities... (Score:1)
...so you can weaponise them in your fight against witnesses, whistleblowers, journalists, politicians and activists.... or whatever country is the latest victim of your out of control foreign policy. how many times does it take them being used before responsible behavior becomes the norm?
have watched the sheer idiocy of the policy evolve over the decades, and it's clear that 'surveil everything' has taken precedence over 'secure everything'.
This just in . . . (Score:2)
Enabling criminals by giving them what they want causes an increase in crime !
News at 11 :|
Could We Please... (Score:2)
...bring back drawing and quartering? I mean just for hackers? Huh? We could sell tickets...
Aid to criminals (Score:2)
Making a profit is more important than wearing the consequences of poor IT management. Corporations can aid and abet criminals in a way that ordinary people can't. Time to remember, taxes from ordinary people fund this policy of, pretend 'people' don't have to obey the law.