Why banning payments is not the solution to the ransomware epidemic
In recent weeks, Australian organizations have been on the receiving end of a spate of ransomware attacks. Predictably, politicians have been wading in. And predictably, their proposed solutions — while generating impactful headlines — fall short of what’s required. The government in Canberra is now considering banning the country’s businesses from making ransom payments altogether. It’s an idea that has been mooted in many nations’ capitals in recent years. But it fails to grasp the reality of the ransomware challenge.
Trying to ban payments is an over-simplistic solution to a complex problem. It fails to address what is arguably the biggest cause of the current ransomware epidemic: underpowered SMB security.
A knee-jerk reaction
The security breaches came thick and fast in Australia last month. Victim organizations included:
- Wine dealer Vinomofo, which said an unauthorized third party had unlawfully accessed a database containing the names, dates of birth, addresses, email addresses, phone numbers, and genders of customers.
- Woolworths Group subsidiary MyDeal, which revealed that 2.2 million customers may have been impacted by a breach of its CRM systems.
- Telecom giant Optus, 1.2 million of whose customers had government identification numbers compromised during a September cyberattack. It was subsequently extorted by the threat actor.
- The Australian Department of Defence, whose ForceNet service was targeted by ransomware actors.
- Health insurance firm Medibank, where hackers accessed sensitive data on nearly 10 million customers, including information about drug addiction treatments and abortions. The suspected threat actors, part of the infamous REvil group, have begun leaking the data after Medibank refused to pay up.
Sensing a threat to the new Labour government’s credibility, Australian cybersecurity minister Clare O’Neil went on the offensive, announcing a new cyber-taskforce to root out the “scumbags” who breached so many Australians' data. She also reportedly said the government was considering a ban on ransomware payments by breached companies.
Why a ban won’t work
In essence, the idea of such a ban is simple. By removing the ability of ransomware groups to profit from breaches, lawmakers would disrupt the business model driving the current epidemic. However, there are several reasons to believe it wouldn’t work:
- It could drive payments underground, which would impact industry efforts to tackle ransomware by disguising the true scale of the threat to investigating authorities.
- Such a decision would presumably need an exception for providers of critical infrastructure — like oil pipeline operator Colonial Pipeline, which had to pay its extorters $5 million to get key services back online quickly. This would incentivize threat actors to go after these firms
An alternative would be for insurers to withdraw coverage for ransom payments, as AXA did in France last year. However, even this may not have the desired effect, as the incentives to pay could be so strong for some organizations that they would find the money from other sources.
Getting it right
If bans like these wouldn’t work, what can industry stakeholders do to mitigate the persistent threat from ransomware? In the absence of an astonishing geopolitical turnaround, whereby hostile nations decide to prosecute rather than harbor ransomware actors, we need to focus on prevention. That means improving baseline security, especially among the SMBs that still comprise the majority of corporate victims.
In practice, this translates into cyber-hygiene measures such as:
- Risk-based patching
- Zero Trust Access with multifactor authentication
- Continuous network monitoring
- Threat detection and response
- Advanced email security including anti-phishing
- Updated security awareness training programs
- Cloud security posture management to correct misconfigurations
- Regular backups
- Strong data encryption
However, security vendors and government agencies have been promoting this message for years. It is perhaps the insurance industry that holds the key to actually changing corporate behaviors. Carriers could adopt a more prescriptive risk management approach, in which coverage is declined or reduced significantly (and pricing increased) according to how strong their customers’ security posture is. That would provide a major financial incentive for SMBs to adopt security best practices and tooling.
Time for change
This is already starting to happen, as insurers struggle to contain costs driven by ransomware-related claims. But it needs to happen in a more structured and systematic way — for example, by the insurance industry as a whole adopting a set of minimum security requirements for SMBs. This could even be based on existing frameworks like the UK’s Cyber Essentials.
London-based think tank the Royal United Services Institute made similar recommendations in a noted policy paper last year. It also called for a stronger role for government in sharing breach data with insurers by default, so they can form a clearer understanding of risk among prospective policyholders.
The government could even legislate to make cyber insurance compulsory, like professional liability insurance is in the UK — at least for government suppliers. Best practice could then eventually trickle down to the wider business community. But time is one thing network defenders don’t have. Instead of headline-grabbing policies like banning ransom payments, government should get smarter about how they tackle the biggest threat to businesses today. Corralling the cyber-insurance industry to be both ubiquitous and driven by incentivizing best practice security, would be a good place to start.