It also raises a sensitive question: should companies be forced to ransom extortionists or resist payments? Often there is a choice between regaining access to IT systems for a fee so that operations can be restored, or the risk of persistent disruption that can have a huge impact on employees, shareholders, customers, the economy, and even national security . Much is at stake with the Colonial Pipeline, which has not yet fully restored its operations. The pipeline supplies nearly half of the diesel and gasoline consumed on the east coast and delivers jet fuel to major airports, many of which have limited supplies on site. A growing number of gas stations are running out of fuel as anxious drivers fill their tanks quickly and American Airlines is forced to stop for fuel on some longer routes.
However, paying the attackers carries the risk of fueling even more ransomware attacks by showing how lucrative the business model can be. The FBI confirmed on Monday that the pipeline hackers are a Russian-based criminal group called DarkSide.
According to Josephine Wolff, assistant professor of cybersecurity policy at Tufts University’s Fletcher School, one way to stop cybercrime and ransomware attacks is to “make the company less profitable.” “These groups are not going any further [launch attacks] when it’s not a viable business model, “she added.
DarkSide has already posted a notice on the dark internet that, according to Binary Defense, a cyber counter-espionage company, her motivation was “only to make money”. The group offers “ransomware as a service,” said Wolff.
“They are essentially selling ransomware attacks to customers,” she said. “That’s a pretty strong signal that this is a profitable business.”
A thriving industry
The world has received many warnings. Four years ago, an unprecedented wave of ransomware attacks hit businesses and organizations around the world. In the UK, some hospitals have been forced to cancel outpatient appointments and urge people to stay away from emergency rooms.
And it will take a lot more than a handful of companies that reject extortion payments to deter cybercriminals.
“You will find another victim, another way of making money,” said Peter Yapp, former deputy director of the UK’s National Cyber Security Center and now a partner at Schillings.
“What will stop this is much higher levels of [cyber] Security, “he told CNN Business.” Instead of putting money in paying people after the event, we should invest money and make sure we close the hatches before the event, “he added.
Cybercrime losses have increased significantly in recent years. A report last year by the Center for Strategic and International Studies and software security firm McAfee estimated the global cost of cybercrime to be nearly $ 1 trillion between 2018 and 2020.
“Cybercrime seems unstoppable … The risk of cybercrime to operations and profits continues to rise for many businesses,” he added.
According to PwC, this is a growing opportunity for insurance companies. Global cyber insurance premiums are expected to rise from around $ 2.5 billion today to $ 7.5 billion by the end of the decade, according to PwC.
Cyber insurance policies usually cover ransom payments when allowed by law and when sanctioned bodies such as terrorist organizations are not involved. However, there are signs that this may change.
AXA ((AXAHF) Recently, France stopped offering ransom refunds under new cyber insurance policies in response to concerns raised by French cybersecurity officials.
In a statement, the insurer said it was waiting “for the authorities’ decision”.
“The issue of ransom reimbursement has become a key issue for cyber insurance … It is important that the authorities express their position on this issue specifically so that all market participants can harmonize their practices,” the company added.
Thomas Sepp, Chief Claims Officer at alliance ((ALIZF) Global Corporate & Specialty said the insurer advises policyholders to cooperate with the authorities early on and avoid ransom payments “in order not to create further incentives for the commercial business model of hacking groups”.
“Of course, this has its limits when people’s lives and health are at risk,” he added.
How governments can help
While the US and UK governments provide advice and advice to businesses on how to deal with cyberattacks, there is no official policy on ransomware payments.
For example, the FBI’s ongoing guidance is that victims should not pay ransom in response to an attack in order to discourage perpetrators from targeting more victims. However, multiple sources previously told CNN that the FBI sometimes privately shares targets they understand when they feel they have to pay.
When asked Monday whether Colonial paid a ransom, senior White House officials declined.
“This is a private sector decision and the administration has not given any further advice at this time. With the rise in ransomware, this is an area where we are now looking at how the government should deal with ransomware actors and ransom money overall “said Anne Neuberger, the senior cybersecurity officer on the National Security Council.
According to Wolff of Tufts, governments need to give companies more clarity about what resources and support are available to them if they don’t pay the ransom.
In extreme cases, companies could go under if they don’t pay the ransom and the impact on the economy could be huge. Therefore, it is not enough for law enforcement to simply say, “Don’t pay … you fuel an industry,” added Yapp.
While it is not the government’s job to take care of commercial entities, the growing wave of ransomware attacks suggests that it may be time for law enforcement officers to step up efforts to combat cybercriminals, Yapp said.
“Commercially, this is a huge burden for companies around the world,” he added. The threat of “being found out and prosecuted” could in itself act as a powerful deterrent, he said.
As critical national infrastructure networks are increasingly connected to other devices and systems via the Internet, the risk of these attacks only increases.
“Attacks on operational technology – the industrial control systems on the production line or in the factory – are becoming more common,” Algirde Pipikaite, head of cyber strategy at the World Economic Forum’s cybersecurity center, said in a statement.
“If cybersecurity measures are not embedded in the development phase of a technology, we are likely to see attacks on industrial systems like oil and gas pipelines or water treatment plants more frequently,” she added.
– Zachary Cohen, Geneva Sands and Matt Egan contributed to the coverage.
