The Government is Getting Fed Up With Ransomware Payments Fueling Endless Cycle of Cyberattacks

With ransomware attacks surging and 2024 on track to be one of the worst years on record, U.S. officials are seeking ways to counter the threat, in some cases, urging a new approach to ransom payments. From a report: Ann Neuberger, U.S. deputy national security adviser for cyber and emerging technologies, wrote in a recent Financial Times opinion piece, that insurance policies -- especially those covering ransomware payment reimbursements -- are fueling the very same criminal ecosystems they seek to mitigate. "This is a troubling practice that must end," she wrote, advocating for stricter cybersecurity requirements as a condition for coverage to discourage ransom payments.

Zeroing in on cyber insurance as a key area for reform comes as the U.S. government scrambles to find ways to disrupt ransomware networks. According to the latest report by the Office of the Director of National Intelligence, by mid-2024 more than 2,300 incidents already had been recorded -- nearly half targeting U.S. organizations -- suggesting that 2024 could exceed the 4,506 attacks recorded globally in 2023. Yet even as policymakers scrutinize insurance practices and explore broader measures to disrupt ransomware operations, businesses are still left to grapple with the immediate question when they are under attack: Pay the ransom and potentially incentivize future attacks or refuse and risk further damage.

For many organizations, deciding whether to pay a ransom is a difficult and urgent decision. "In 2024, I attended a briefing by the FBI where they continued to advise against paying a ransom," said Paul Underwood, vice president of security at IT services company Neovera. "However, after making that statement, they said that they understand that it's a business decision and that when companies make that decision, it is taking into account many more factors than just ethics and good business practices. Even the FBI understood that businesses need to do whatever it takes to get back to operations," Underwood said.

Duh

[dark.nebulae]

The only folks not fed up with it are the criminals that are getting paid.

NO POLICE! AND APPLY NO MORAL INDUCTION!

[Pseudonymous Powers]

I've seen a few kidnapping movies in my time and I can't understand why ransoms aren't outlawed (unless they are, and the movies pretend otherwise). I guess the government wants to make sure that people keep talking to the police?

Re:

[VeryFluffyBunny]

No.We have to leave it up to the free market. The invisible hand will provide us all with optimal solutions. Government should get involved.

Right?! =D [ROTFL]

Re:

[DarkOx]

because it would just make criminals of people who are already victims.

Imagine someone had your kid and was demanding money. Would say welp, sorry paying you would be illegal? No nobody would do that. They'd figure out how to pay and deal with the consequences later. -Worse they'd pay and then many likely would help hide the entire crime from the authorities not wanting to get into legal hot water themselves. It would make the problem worse.

Re: NO POLICE! AND APPLY NO MORAL INDUCTION!

[drinkypoo]

How about we hire educated police instead of community college educated children, and have them actually fight actual crime?

Re:

[RossCWilliams]

Right, require PHD in psychology to be a cop. Our real problem are educated bigots who think they know everything because they knew the right answers on the SAT test. The reality is that education has almost nothing to do with police work.

Re:

[newbie_fantod]

because it would just make criminals of people who are already victims.

Does your insurance pay off if your unlocked car, parked with all the windows open gets stolen?

think of it as a bribe

[cellocgw]

It's strictly illegal for corporations to pay bribes or kickbacks to facilitate their business operations. Congress could easily extend those laws to make paying ransom illegal as well.

Insurance

[JBMcB]

The proper place to fix this is with insurance. To get business insurance to cover this stuff, you should have to prove you have a proven, tested and audited recovery plan.

Re:

[Anonymous Coward]

Or have a strict published policy of not paying ransoms. Alternatively, paint a target on your company, and get what you've payed for.

Re:

[Voyager529]

Or have a strict published policy of not paying ransoms.

That's how you either 1.) lose customers to another insurance company who is not that strict, or 2.) play the shell game where the customer hires a consulting firm to "reverse engineer" the ransomware and "extract the key", which is a highly skilled process costing...1.5X the ransom, conveniently, since all that happened was that the consulting firm paid the ransom and is making money for their service of enabling the client to collect on the insurance payout.

Re:

[dargaud]

Easily prevented by auditing any such consulting firm. Make paying ransomwares punishable by prison time.

Re:

[postbigbang]

Insurance will climb until it's not payable any more, look at FL for examples.

Instead, using intelligence to set up outside-US IP address databanks and watch where they go, and what they do, is a solution.

Having fast backups and a business continuity plan is a solution.

Looking for big globs of data being heisted/exported/movements is a solution. Think of it as Data Customs.

Increasing liability for posting your certs on git/hub is a solution.

Criminal penalties for fiduciary irresponsibility is a solution.

And

Re:

[lsllll]

you should have to prove you have a proven, tested and audited recovery plan.

If you have all that, then what do you need insurance for? For your downtime?

Re:

[ukoda]

Yes, that is what the insurance should be for, and only that. Such insurance should be relatively cheap since money would no longer be going to criminals.

Risk Analysis

[JBMcB]

It's simple pareto. A good recovery plan will get you through 80% of potential issues. Insurance is there for the 20% your recovery plan can't cover. You get back up but Crowdstrike takes everything back down. Your IT department all quits at the same time.

Re:

[ukoda]

Define 'Fix'. If insurance is used to pay a ransom that is not a fix, and it should be a crime as it will only lead to more victims. Any insurance fix should be limited to recovery and covering losses where a victim deals with the problem, without giving a single cent to criminals.

Re:

[Fly Swatter]

So you are saying the fix is to just inflate the price of everything just like retailers do to cover theft and credit cards do to cover theft.. Quite frankly I am tired of indirectly funding the fucking criminals.

Price

[JBMcB]

What's a better return on your investment if you are a company - spending the time and money on a reliable disaster recover plan, or paying out a ransom?

Re:

[Brain-Fu]

When criminals hack hospital equipment and literally hold the lives of patients in their hands, you think the right thing for the hospital to do is just let their patients die and say "sorry, blame the criminals?"

When they could instead pay the ransom and save lives?

(Same goes for when people's children are kidnapped).

Simply making ransom-paying illegal is actually very morally questionable.

Re: think of it as a bribe

[drinkypoo]

Allowing hospitals to have shit security is unsustainable.

There is such a thing as a write only database. Nobody should be able to erase anyone's critical records.

It should be illegal to run a hospital without competent security. Solve the problem at the supply side.

Re:

[ukoda]

Wrong. Have you wonder why USA hospitals are top priority for targeting? It is because they pay, its not like it cost the hospital much, they simply pass on the cost to patients. Contrast that with when a hospital was taken down with ransomware in New Zealand. It probably cost lives but it was a dumb move and has never happened again because it was impossible for the criminals to get paid. Sure, it caused weeks of disruptions while services were slowly recovered, but the criminals didn't get a single c

Re:

[Brain-Fu]

It is because they pay,

It's also because hospitals and medical devices have awful security. And it's not because the state-of-the-art in online security just isn't good enough to fend off criminals, it's because the administrators and manufacturers are all too cheap to apply them. They cut those corners, and people die because of it.

Simply making ransom-paying illegal is a serious "punish the victim" approach, and it will cost people their lives. Instead, make regulatory changes that will require hospit

Re:

[ukoda]

Yes, punish the victim, because by paying up they just made things worse for everyone else. They got hacked, I feel bad for them, but how they respond matters. Having decent security protection is important but all it does is move you down the list of targets. Total security is impossible, you should strive for it, but have a plan for when it fails. That plan should not be pay up and give the attackers more resource and motive to attack others.

While "punish the victim" approach may seem unfair it wil

Re:

[sodul]

IINAL

AFAIK, it is only a bribe if you think the money will go to a government official. While some of these hackers are working for the benefit of hostile countries they are not 'officials' and are not covered under anti-bribery laws, at least from my understanding under US law.

To me the main problem is that the folks that are in charge of deciding how much effort and cost is put in security practices are never personally liable for what should account to willful negligence. In practice these folks will jus

Re:

[jabuzz]

If we could get the combination of the G7 and the EU to make paying a ransomware carry a jail term for the board members along with band on being on board for the next 20 years and also anyone aware of the ransomware being paid for not reporting it get jail time, the practice would go out of fashion very quickly. Under those terms nobody is paying the ransom and if you can't make money there is no point to the practice.

The fix is easy

[rsilvergun]

just make it illegal to pay the ransom. Companies have calculated good security costs more than paying the ransoms. The only fix to that is to fine them more for paying the ransoms than not.

But we don't actually treat white collar corporate crime like a crime, let alone have enough white collar cops (aka "bureaucrats") to enforce it if we did.

Re:

[Fly Swatter]

The fine would have to be big enough to also take away the business incentive of paying the ransom. Usually paying the ransom is much cheaper than trying to rebuild what was lost, if not saving the company outright.

Fines won't help, the risk to the company for paying a ransom should simply be the shutdown and closing of the company - make paying ransoms a choice they simply can't make.

Re:

[DarkOx]

Oh yeah punish the victim. This type of thinking is exactly why I am as anti-government as I am.

The thing to do is punish the criminals. Make crimes involving ransons carry a mandatory minimum of 50 years with no option for parole or early release! Make the damn State Department make it clear to our so called allies that if they permit cyber ransom operators to collect remittances, and operate the will face diplomatic consequences, trade sanctions, embargoes, possible military incursions and special opera

Re:

[abulafia]

The thing to do is punish the criminals. Make crimes involving ransons carry a mandatory minimum of 50 years with no option for parole or early release

Because as we all know, longer sentences solve crime. If you still have crime, you haven't made them long enough yet.

Here in the real world, the vast majority of these players are in jurisdictions that don't give a shit about your law. Now what?

Oh yeah punish the victim

If you cannot competently manage your systems, you should not be building piles of s

Re:

[ukoda]

Or make it jail time for whomever authorises payment to the criminals. See how many corporate employees are ready to do jail time for a quick fix that passes costs on to customers.

Re:

[smooth wombat]

There are laws making it illegal to solicit bribes, to commit fraud, falsify records, or not do the work. And yet, all of the above, and more, keeps happening.

Re:

[ukoda]

Sure, but the amount of bribes, fraud and falsify records are a fraction of what they would be if was legal. Just because laws get broken does not mean they don't have a meaningful effect.

The proof is in how rare ransomware attacks are on target with no legal way to pay criminals, such as organizations run directly by governments.

Re:

[gweihir]

Indeed. And do not just fine the company. Lock those up that made the decision to pay.

Re:

[codebase7]

Companies have calculated good security costs more than paying the ransoms.

Exactly the quote I got working part time at regional hospital. They'd had multiple visits from the FBI for data breaches, and forced network reorganizations to "mitigate" issues in the future.

They still said that they'd pay the ransom and push the cost onto their patients (who's data had been stolen for the upteethtime) because it's cheaper than doing proper backups.

The free market has decided that the safety and well being of the general public isn't profitable enough. These corporate clowns aren't g

Re:

[jabuzz]

A fine won't work. What will work is a minimum jail term of 12 months for the C-levels and a ban on holding a C-level position for the next decade if a ransom is paid. Also jail time say six months minimum for anyone aware the ransom was paid who didn't report it to the FBI. Now nobody is paying the ransom period.

I have an idea

[CEC-P]

THEN MAKE IT ILLEGAL TO PAY THEM. If there's a zero chance you're getting paid in a certain country, you're not going to attack that country for money. It's that damn simple. Oh noooo, irreplaceable data! You're sunk without it. FUCK YOU! Ggo out of business, you morons. Sincerely, a better IT technician in a better prepared IT department at a better company.

It is illegal in a number of cases...

[ctilsie242]

It is illegal, but it is TRIVIALLY (pardon the all caps) easy to get around.

Company A considers security to have no ROI, gets hacked and ransomwared.

Company A hired offshore firm "B", pays them the cost of the ransom plus a percentage fee.

Hired offshore form "B" pays the ransom.

Company A gets their decryption keys.

?????

Profit on all areas, because the ransom will get charged off, the offshore consulting company gets a bonus, and the guys in North Korea get money for more troops to send to Russia, and more m

Re:

[ukoda]

With a properly written and enforced law then paying company 'B' would still be treated as paying the ransom. It doesn't need to be 100% enforcable to have an effect, and you can keep closing loopholes as we do with other laws.

Re:

[gweihir]

I completely agree. This crime financing has to stop. I expect that a few CEOs behind bars will serve nicely to stop this mess.

Too few understand the idea of proper protection

[Targon]

First up, why do ISPs not give an option to just blanket block e-mails and even connections from other regions? If you want to allow them, your ISP can have settings to open up connections from various places, but for the majority of people and companies, are you doing business from Nigeria, or even for smaller businesses, if you aren't involved or interested in doing business outside of your own country, wouldn't you feel safer if your ISP were just blocking all traffic from other countries? I know tha

Re:

[ceoyoyo]

"We can set up firewalls ourselves as well"

Yes you can. Leave the ISP out of it. They're annoying enough already.

Cloud POC subscriptions

[bleedingobvious]

Seriously. I have over 200 Digital Ocean/Azure/AWS/etc IP blocks already and it continues to grow.

With cloud automation, it's trivial to spin up infrastructure, spew the campaign, grab the necessary then simply dissolve it all.

Cloud vendors have to become part of the defense-in-depth solution or we will remain farked.

Simple solution ...

[Pinky's Brain]

Just sanction all crypto exchanges. The moment the US cuts off crypto from the financial system it's dead and ransomware with it.

Ransomware solved. Gigawatts of power saved. Win win.

Re:

[gweihir]

For that you would have to get rod of some no honor, no brains politicians and their followers. I do not see that happening.

Sigh...

[WolfgangVL]

If it's infrastructure, don't connect it to the internet.

If it's internet connected business hardware/software, 3-2-1 backups, and a real capable on staff administrator.

If it's lifesaving must-be-connected-to-save-the-life gear, keep a spare on-hand and disconnected.

If it's consumer IOT lightbulb vacuum washing machine surveillance silliness, make better buying decisions in the future.

It's crazy how this is still such a problem. I've personally guided multiple business through ransomware infections. It's no

Product of their own lack of foresight

[rtkluttz]

I used to run the IT security program at a large multinational business that dealt with a really nasty chemical. The fact that we dealt with that chemical forced us to be brought under the Homeland Chemsec level 2 tiered site and we had to submit to audits by Homeland security. The auditing that audited us said I did the best on the initial audit of any company they had ever audited. The ONLY things that I got dinged on, I had proof that I had attempted to put in place but got over ridden by executive levels. Simple things like PC lockdowns that existed on every other machine in the org but fucking entitled execs refused to allow to happen to their own machines. Things like delivery times and every PC that had data that showed deliveries, storage, personnel all had to be very tightly controlled. Executive levels were privvy to that and had it on their laptops. We got dinged for it in the audit, but NOTHING HAPPENED with of any substance. Executive levels are the WORST security issues in most companies and no one does a thing about it. Security teams warn them. Nothing. External audits... nothing. Security really isn't as hard as people make it out to be. A 100% whitelist based system where nothing new works and everything has to be vetted and approved in advance actually makes IT security fairly simple and cheap. It's only when you have to cater to employee "happiness" that things go off the rails. In IT security, happiness is irrelevant. Configure every single machine in the company to be able to do the pre-defined and assigned job function and anything other than that should fail and you can have cheap and simple security system. But that never happens fully because employee happiness is a consideration above security and that should NEVER be the case.

Re:

[gweihir]

Security really isn't as hard as people make it out to be. A 100% whitelist based system where nothing new works and everything has to be vetted and approved in advance actually makes IT security fairly simple and cheap.

I agree. Those that get hid usually did ignore the problem. In case of the C-levels, often in hopes of a bigger bonus. I essentially see that as fraud against the company these days.

It's only when you have to cater to employee "happiness" that things go off the rails. In IT security, happiness is irrelevant.

That one I disagree rather strongly with. People need to be able to work with minimal hassle. Or they start to circumvent security measures. That means that getting something to run must be easy, denials by IT must be clear and make sense and generally, user support must be good. For example, if a user wants "insecure product xy

Re:

[rtkluttz]

You misunderstand. WORK should work. With no hassle. Anything NOT related to work should not. Every web page, every piece of software, every permission should be tailored to the absolute bare minimum to get the job done and not one single thing else. I don't give a fuck if the employee or executive is unhappy that they can't install software or visit a web page to get sports scores.

Re:

[gweihir]

Ah. Well, I agree on "other" software. I do not agree on that "bare minimum".

Re:

[Retired Chemist]

It is not just IT. Most leaks of confidential information are at the executive level. Get a few drinks into one and he will start boasting about all the neat stuff his companying is doing. Fortunately, many of them know so little about what is really going on that they cannot really leak anything critical.

Outlaw payment

[gweihir]

The fuckers that pay did try to go cheap before and basically asked for it. There really is no sane way to see these organizations as "victims" at this time. They are perpetrators that make things worse, nothing else.

IF the government outlaws ransom payments ...

[schwit1]

It needs to be decided and voted on by Congress, not an unelected bureaucracy.

Re:

[Fly Swatter]

Congress is lobbied by big Corp. First things would be make lobbying illegal so that the congress critters will actually vote in their constituent's best interests. Then get term limits so that fresh eyes are always in the system instead of career politicians.

But really, paying blackmail is already illegal...

Re:

[istartedi]

Lobbying is too broad a thing to make illegal. It encompasses legit activity such as writing your Congressperson. The right to petition the government is literally a part of the First Amendment.

What you need to target is the appearance of quid pro quo--the funding. Also, the authorship of bills by organizations, ie, Congress subbing out their jobs to special interests. The devil is in these details, because the very people who could intelligently figure out how to do it are...

...people with experience

Re:

[Fly Swatter]

Apologies, lobbying by anything not a US citizen. If one US citizen wants to align with corporate interests that is fine as long as they don't use corporate funds to bribe congress, or any funds directed at a member of the government in general.

If you need to be in the government more than 10 years to accomplish something then why are you there? The world is evolving faster and faster, government needs new blood instead of the old boys club that remains in place to line their friend's pockets.

Tax shitty cybersecurity

[John.Banister]

Just start up BuSab, Frank Herbert's bureau of sabotage, only have it attack domestic businesses. Of course, it would provide the victims (and after a delay everyone else) with details on how it successfully attacked with what should have been done to prevent that, and it wouldn't exploit customer data, just prevent the company from having access to it. And, it would attack relentlessly, so that no company could afford to continue operating with shitty security. Additionally, continue with fining companie

seems weird

[Slashythenkilly]

If you incentivize criminals to steal that they would keep doing it. You paid them, they should stop right? Is that how that works?

Make it illegal to pay the ransom

[too2late]

That will force companies to make sure they have proper backups, which is the correct solution to a ransomware attack.

Hold up..

[Vegan Cyclist]

Isn't it illegal to give money to enemies of the state?

If those paying ransoms are funding enemies of the state, aren't they committing federal offenses?

Not an American, so maybe have this mixed up...but that's my impression.

The devil on my shoulder

[JThundley]

The devil on my shoulder is telling me to start spreading cryptolocker malware and then not sending the unlock key after payment. I'll make businesses across the country safer (in the long run) while also getting rich!

Is it possible to prevent this?

[RossCWilliams]

Let me suggest that the problem is people are a busing the internet by using it for things it is not capable of securely supporting. As long as you are connected to the internet you are going to be vulnerable. The answer is to get off the internet. Demanding a 100% security is impossible but the more valuable the service you offer the bigger the reward from ransomware. You aren't going to pay $1000 ransom because your kids phone is bricked.

Don't Horde vulnerabilities...

[BardBollocks]

...so you can weaponise them in your fight against witnesses, whistleblowers, journalists, politicians and activists.... or whatever country is the latest victim of your out of control foreign policy. how many times does it take them being used before responsible behavior becomes the norm?

have watched the sheer idiocy of the policy evolve over the decades, and it's clear that 'surveil everything' has taken precedence over 'secure everything'.