Police always advise ransomware victims against paying off the criminal gangs that have encrypted their computer systems – and there are many good reasons for that.
At the most basic level, even after the companies have handed over the money, it’s not always certain they will get their data restored. They are negotiating with crooks after all.
But even if they do get their data back, paying up is still a bad idea. It gives the crooks a big payday, which encourages further attacks – perhaps even on the same organisation again. And that big payoff means that gangs can invest in hiring more software developers and hackers to go after even bigger targets.
SEE: Network security policy (TechRepublic Premium)
Paying the ransom might save you pain in the short term but means a bigger problem for everyone else in the longer run.
Currently businesses in the UK are unlikely to be prosecuted for paying up to a ransomware gang – unless there is a reasonable chance of the payment being used to fund terrorism. But at least one senior figure in the security industry thinks that it should be a lot harder or even illegal to pay ransoms.
In a speech earlier this month at security think tank RUSI, former head of the National Cyber Security Centre (NCSC) Ciaran Martin explained just how big a problem the agency considers ransomware to be.
“Right up until my final hours at NCSC last month, I remained of the view that the most likely cause of a major incident was a ransomware attack on an important service,” he said.
“For the attacker, the choice of the service would be incidental. They were just after money. But from the point of view of national harm, that incidental choice of victim could be important. What most kept me awake at night was the prospect of physical harm inadvertently resulting from ransomware.”
He added: “Criminal ransomware used recklessly by amoral criminals is one of the biggest but least discussed scourges of the modern internet.”
Martin said if he had “one policy card to play in the next year”, he would ask for “a serious examination of whether we should change the law to make it illegal for organisations in the UK to pay ransoms in the case of ransomware”.
“The case for doing so is not – and I stress is not – a slam dunk, and if the answer is no [to making paying ransoms illegal], we should think of something else to counter ransomware, because it’s the single biggest contemporary scourge in cyberspace right now.”
Martin said it was a curious anomaly that UK extortion laws are largely based on the experience of kidnapping by terrorist groups. That is, if you are ransomwared by a proscribed terrorist group, it is illegal to pay, but if the attackers are ordinary criminals, or even state attackers, then it’s fine. “Surely that needs a look,” he said.
It’s thought that as many as half of organisations pay up when hit with ransomware, which has made data-encrypting malware a major source of revenue for sophisticated criminal gangs. Some versions of ransomware have raked in tens of millions in ransom, usually in the form of hard-to-trace cryptocurrencies like bitcoin.
Many victims feel they have little choice but to pay up if the alternative is rebuilding all their computer systems and databases effectively from scratch – and trying not to go out of business as they do it.
But critics have warned being able to pay the ransom means that ransomware attacks are viewed by some as just another cost of doing business, which means they are less likely to invest in the sometimes-costly security systems that would prevent such attacks.
If paying the ransom were no longer a legal option, companies would have to make sure their systems were robust enough to stop the attackers in the first place. But it would also put much more pressure on police to track down gangs as well.