Regulations against ransomware payment not ideal solution

With ransomware attacks increasing, legislation has been mooted as a way to bar companies from paying up and further fuelling such activities, but such policies can be difficult to enforce and may result in more dire consequences.
Written by Eileen Yu, Senior Contributing Editor

With ransomware attacks increasing, legislation has been mooted as a way to bar companies from paying up and further fuelling such activities. In this second piece of a two-part feature on ransomware, ZDNet looks at how such policies can be difficult to enforce and may result in more dire consequences.

Regulations that compelled victims not to pay up could put these businesses in a precarious position, said Steve Turner, a New York-based Forrester analyst who focuses on security and risk. For one, any debate over whether to pay up would be moot when human lives were at stake.

Turner pointed to ransomware attacks that brought down critical infrastructure systems such as power and healthcare, impacting the likes of US Colonial Pipeline, Ireland's Health Service Executive, and Germany's Duesseldorf University Hospital.

The US pipeline operator paid up almost $5 million in ransom, the bulk of which was later recovered by authorities, while the Irish healthcare operator refused to pay and spent weeks struggling to recover from the attack, affecting hundreds of patients. The Duesseldorf hospital's inability to function also indirectly caused the death of a patient whose treatment was delayed because she had to be rerouted to a hospital further away.  

Capgemini's Southeast Asia head of cybersecurity Hamza Siddique noted that threat actor groups now had such great success in inflicting critical impact on their victims that it left these organisations with few viable options other than to pay up.

"Paying the ransom may be the less expensive option for a cash-strapped company than engaging in the painstaking [task of] rebuilding company systems and databases," Siddique said in an email interview. "Other entities may choose to pay the threat actor in hopes of avoiding the public release of sensitive information, which may lead to bankruptcy or legal issues."

He advised victims to make "informed decisions" on whether to fork out the ransom or embark on the more difficult path of building from scratch. Paying the ransom not only encouraged threat actors to engage in future ransomware attacks, but also provided funds for these groups to act against nations, governments, and foreign policy interests, he noted.

On whether penalties should be imposed on companies that chose to pay the ransom, he said this decision should be made in line with the country's IT policy and cost-benefit analysis.

The primary emphasis should be on not paying, Siddique said, at least where the impact on the business was low. However, if the impact could lead to bankruptcy or major legal issues, organisations should be allowed to decide if they wanted to pay the ransom, he said.

Acronis' CISO Kevin Reed noted that in the short-term, regulations that outlawed ransom payment could have significant adverse effects, but in the long-term, might have an overall positive impact.

He said in a video interview that cybercriminals were interested mainly in financial gains and if they faced increasing obstacles in their efforts to extract money, they would stop doing it.

However, he cautioned, criminals tended to be creative in how they extorted money, moving from one plan to another until they succeeded in their goal.

Regulations on cryptocurrency also not foolproof

CYFIRMA CEO and Chairman Kumar Ritesh suggested that regulations should instead focus on virtual currencies, since these were used to orchestrate ransom payments.

Cryptocurrency exchanges or trading firms could be mandated to provide information to the relevant authorities so transactions or accounts with the targeted unique identifiers could be blocked or frozen, Ritesh said in a video interview. Without a trading platform on which to complete the transaction, cybercriminals would find it more difficult to convert their virtual currencies into fiat money.

Turner noted that there already were regulations governing legitimate cryptocurrency trading platforms such as Coinbase, which included intricate identification processes before transactions were processed.

Such policies that identified movements across these cryptocurrency hubs could help cut down illicit activities conducted by regular scammers who were not very tech-savvy. However, threat actor groups behind the recent massive ransomware attacks were not run-of-the-mill criminals, the Forrester analyst said in a video interview.

For one, they would not be trading cryptocurrencies through common digital wallets. They typically had the skillsets to quickly move and launder these currencies, much like any organised crime operation, so these could be "clean" for use in the real-world, he said.
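The two points above, freezing transactions tied to flagged identifiers (Ritesh) and the fact that professional groups move funds through several wallets before cashing out (Turner), can be illustrated with a small exchange-side screening routine. The following is an added example written for this article, not code from ZDNet, Forrester, CYFIRMA or any exchange. The ledger, the address names and the flagged-address list are all constructed for the illustration; real chain data and real sanctions lists look different. It contrasts a direct-match check, which only catches funds arriving straight from a flagged address, with a forward taint propagation that follows transfers in time order for a bounded number of hops.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Transfer:
    """One on-chain transfer; ts is a monotonically increasing block/time index."""
    ts: int
    src: str
    dst: str
    amount: float


# Constructed sample ledger (hypothetical addresses, not real chain data).
# Funds leave the ransom address, split across hops, and land at two
# exchange deposit addresses. hop1 also pays early_payee BEFORE it ever
# receives ransom funds, which must not be treated as tainted.
LEDGER = [
    Transfer(0, "hop1", "early_payee", 5.0),
    Transfer(0, "unrelated_user", "exchange_deposit_C", 10.0),
    Transfer(1, "victim_wallet", "ransom_addr", 75.0),      # the ransom payment
    Transfer(2, "ransom_addr", "hop1", 40.0),
    Transfer(3, "ransom_addr", "hop2", 35.0),
    Transfer(4, "hop1", "hop3", 40.0),
    Transfer(5, "hop2", "exchange_deposit_A", 35.0),
    Transfer(6, "hop3", "exchange_deposit_B", 40.0),
]

# Constructed list of identifiers an authority has asked exchanges to block.
FLAGGED = {"ransom_addr"}

# Deposit addresses controlled by the (hypothetical) exchange doing the screening.
EXCHANGE_ADDRS = {"exchange_deposit_A", "exchange_deposit_B", "exchange_deposit_C"}


def direct_hits(ledger, flagged):
    """Naive screening: addresses that received funds directly from a flagged address."""
    return {tf.dst for tf in ledger if tf.src in flagged}


def propagate_taint(ledger, flagged, max_hops):
    """Forward taint propagation.

    Returns {address: hops} for every address reachable from a flagged address by
    following transfers forward in time, up to max_hops transfers away. Flagged
    addresses are tainted from the start (hops == 0). Transfers are processed in
    time order, so an address only taints what it sends AFTER it became tainted;
    a single pass suffices because taint cannot flow backwards in time.
    """
    hops = {a: 0 for a in flagged}
    for tf in sorted(ledger, key=lambda t: t.ts):
        if tf.src in hops and hops[tf.src] < max_hops and tf.dst not in hops:
            hops[tf.dst] = hops[tf.src] + 1
    return hops


def freeze_list(ledger, flagged, exchange_addrs, max_hops):
    """Exchange-side decision: which of our deposit addresses to freeze, with the
    number of hops separating each from a flagged address."""
    hops = propagate_taint(ledger, flagged, max_hops)
    return {addr: h for addr, h in hops.items() if addr in exchange_addrs}


if __name__ == "__main__":
    print("direct hits only:", sorted(direct_hits(LEDGER, FLAGGED)))
    for depth in (1, 2, 3):
        print(f"freeze at {depth} hop(s):", freeze_list(LEDGER, FLAGGED, EXCHANGE_ADDRS, depth))
```

With the constructed ledger, direct matching freezes nothing at the exchange, because the group never deposits straight from the flagged address; only the multi-hop pass reaches the two deposit addresses, and the unrelated customer and the victim's own wallet stay clear. The hop bound is the policy knob: too low and laundering chains slip through, too high and legitimate counterparties several steps removed get frozen. The graph walk also stops at the first mixer or cross-chain swap, which is exactly the kind of step Turner describes an organised group taking to "clean" its funds.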

Furthermore, Turner added that cybercriminals would simply use alternative payment modes should more regulations be introduced to monitor cryptocurrency transactions or bar companies from paying ransoms.

"Attackers will just find another payment mechanism that hasn't been outlawed," he said. "It could be something as [innocuous] as Walmart gift cards, as long as it doesn't enable hackers to be traced and allows companies to pay the ransom. Outlawing [the use of] cryptocurrency will only put ransomware victims in a bad position."

Turner noted, though, that some form of regulation could raise the collective security posture of companies across the board, since there would be stronger motivation to avoid being put in a position where they would be held to ransom.

Policies needed to ensure vendors continue critical support

Regulations also may be necessary to ensure businesses remain protected when vendors cease support for IT products and systems. 

For example, Western Digital in June advised users of its My Book Live and My Book Live Duo to unplug their devices from the internet following a series of remote attacks that triggered a factory reset, wiping out all data on the device. The attacks exploited a vulnerability that had been introduced in April 2011 through a coding oversight.

Launched in 2010, the network-attached storage devices were issued their final firmware update in 2015, after which Western Digital discontinued support for the products. The storage vendor later provided data recovery services for customers who lost data as a result of the attacks.

Siddique noted that organisations today were mostly digital in nature and highly dependent on vendors and suppliers to provide support as well as reliable products over a longer period of time, and even after these systems were discontinued.

"It's imperative that there should be policies in place for a vendor to provide minimum support for discontinued product lines, considering [the] client may not be in [a] position to upgrade their software or may have certain dependency on the old version of the products," he said.

There should be clearly defined policies for such support to be provided for a specific minimum number of years after its market release, he suggested. Vendors also should be expected to provide information on upcoming product releases and ease migration to new products.

He said changes could be made in the SLA (service level agreement) and, if it was not viable for vendors to maintain a support team for discontinued products, there should be minimum requirements for such provisions based on the severity of security vulnerabilities.

At the very least, Turner noted, vendors that chose to continue supporting online services linked to their products should then also continue to offer support for the actual products. Otherwise, these online services should be disabled, he said, noting that Western Digital should have disabled the remote access or online services for the My Book models when it cut support for the products in 2015.

"If there are no eyes on it, someone is going to exploit it," the analyst said. He added that the optics would not look good for a manufacturer of data storage products to suffer a breach of this scale. 

Any potential regulation here could look at requiring vendors to support a product as long as they supported the services that required the product to connect to the internet, he said.

However, Reed suggested that such policies, if introduced, should apply only to critical systems such as medical and industrial control systems. 

He noted that some hospitals today operated MRI (magnetic resonance imaging) machines that ran on old versions of Windows that were no longer supported by Microsoft. And these machines could impact actual lives, he said. 

While he agreed that software vendors should take more responsibility for their products, he said legislation was not necessary for all sectors.
