Security Think Tank: Approaches to ransomware need a course correction
In the wake of renewed calls for lawmakers to consider enacting legal bans on ransomware payments, the Computer Weekly Security Think Tank weighs in to share their thoughts on how to tackle the scourge for good.
Back in 2015, my team and I were speaking at the government’s Security & Policing event in Farnborough. We had an interesting conversation with a visitor from the Home Office about the continuing legality of paying ransomware demands and, indeed, about the fact that at the time there was little or no guidance from the government.
That was in stark contrast to the guidelines on paying physical ransoms, which were then, and still are, that payment is illegal.
This seemed illogical to us, as we spend time talking about the interconnectedness of everything (thank you Douglas Adams and Dirk Gently) and the impact of malware of all kinds on business ecosystems, society and the wellness of people. How, then, could it be illegal to pay or insure against a ransom situation?
The government at the time was busy tightening insurance loopholes on human ransom, but it remained perfectly legal to pay a cyber ransom, effectively funding criminals who are in the business of syphoning money from legitimate businesses, public bodies and even charities in the most cynical manner, and who use that money to build even more effective ransomware in order to attack everyone even more effectively. And so the cycle continues.
If you are not sure about that statement then look at the rise in the average price of a ransom over the last 10 years and you will see that these criminals have worked out their business plans meticulously and are able to target large civic centres of population, impacting public services and big businesses to extract much higher ransoms than the humble beginnings of trying to extort individuals. Ransom gangs have honed their software, their delivery and their targets for maximum pay-out.
Interestingly, the primary attack vector remains phishing. We have come a long way from the ILOVEYOU virus that promised love and attention 24 years ago, but in another way, we haven’t. We are vulnerable to the majority of ransomware because of this delivery method, which has been so successful for such a long time. Surely, this level of carelessness would not be tolerated in physical ransom? Would a lack of training or awareness be allowed to continue? Would ransom be seen merely as a cost of doing business?
Of course not, but we are talking about a type of crime that we, as a society, have struggled with for a while now, and a crime that has somehow become viewed as semi-legitimate and a valid cost of doing business. This is perhaps in part due to the language used. Maybe it’s time to readdress that: stop calling it ransomware and start calling it blackmail and extortion, which is what it really is.
We not only need to think about the legality of paying digital ransoms but also about how we legislate against and punish those who carry it out. The gangs are making such vast sums of money that, in my opinion, we are entering a period of great risk, as the bad guys are now often much better funded than the good guys. How we course-correct now needs vision, commitment and knowledge.