Ransomware payments may have greater implications than you thought – and not just for the company that gave in to the attackers’ demands.
Firstly, the answer to the question is likely to be ‘yes’. The debate on ransomware payments continues, which, of course, is positive; with discussion and differing viewpoints put forward, an informed conclusion should be the outcome.
Let’s now dive into the issue of who actually pays the ransom. Imagine, just for a moment, that you head to the store to purchase something for $100. Depending on where you are in the world, sales tax may need to be added at the checkout and your receipt of purchase will show $100 for the goods and maybe $10 for sales tax, totaling $110. The company selling the product needs to make a profit and cover their costs, which may include staff, premises, insurance, transport, and the many other costs associated with running a business.
If the company has been the victim of a ransomware attack and decided to pay the cybercriminals to regain access to systems or avoid data being published or sold on the dark web, this becomes a cost of doing business and needs to be recouped when selling their products or services to customers. What would you think if the receipt needed to disclose the company is funding cybercrime – product $100, sales tax $10, donation to cybercriminals $2.50? I suspect, and hope, you would question the charge and object. I know I would.
Companies would probably respond with, “it’s okay, our cyber-risk insurance paid the majority of the ransom”. This may well be the case, but the company needed to pay the insurance company that works on a probability of risk when charging a premium. If they insure 10 companies and 1 in 10 becomes the victim of ransomware, then a receipt from the 10 companies should maybe show the transaction of $100, $10 in sales tax, plus a $0.25 donation to cybercriminals, paid via the company’s insurers. The money to pay the ransom is ultimately coming from you, the consumer.
According to an article in The Hill, Bryan Vorndran, the assistant director of the FBI’s cyber division, said when answering a question posed by Senator Mazie Hirono that “it’s our opinion that banning ransomware payments is not the road to go down”. The basis of this being that not banning payment may lead to additional extortion in the form of companies not disclosing incidents to authorities. The conclusion of the discussion at the Senate Judiciary Committee seems to suggest greater reporting requirements, as opposed to banning payment.
This could be viewed as at odds with current requirements that prohibit the payment of funds to cybercriminals who appear on the OFAC sanctions list. As some ransomware groups or the individuals behind them are on the sanctions list, then does it suggest that companies paying the ransom to these groups or individuals would be open to double extortion of then trying to cover up the payment?
There are many questions, but one this is for certain: the debate on whether to pay ransomware demands or not is by no means nearing a conclusion. And we, the consumers, are likely to see increased product and services costs in order for companies to continue to pay the extortionists behind ransomware, either directly or via insurance.
written by Tony Anscombe, ESET We Live Security