Ransomware payment amounts have skyrocketed over the past year. As threat actors keep getting richer, they have more resources to fuel their operations. Many people argue that the way to discourage ransomware is to implement an outright ban on ransom payments. Is this suggestion idealistic or realistic? How would such a ban affect companies, and what are the alternatives? For episode 56 of Cyber Security Sauna, Päivi Tynninen of the Finnish National Cybersecurity Center and Jordan LaRose of F-Secure stopped by to share their views.
Janne: Welcome to the show.
Päivi: Thanks. Good to be here.
Jordan: Hello everybody.
So what kind of payments are these criminals usually after?
Jordan: I see a lot of ransomware cases day to day. I’m boots-on-the-ground incident response. So when I see the ransomware payments demanded, the amounts vary wildly. Quite honestly, I think the amount is based off of not just who the actor is, but also who they think the company is. The more money they think the company has, the larger payment they’re going to demand.
So they’re sizing the victim up and sort of figuring out, like, “This is how much money I think you have and would be willing to pay me.”
Jordan: Yes. And what I can also say is when it comes to ransomware payment negotiation, I know that a lot of negotiating parties will offer something, sometimes 10, 5% of the initial number, and the attacker will take that amount.
Jordan: So it’s almost like calling a bluff in a card game.
Päivi: Yeah. And especially in opportunistic attacks like those, you really should take everything you’re getting, because I think the expectation in each successful ransomware attack is that they are not getting paid. So if they’re offering something, I think it makes a whole lot of sense to take the amount that is being offered.
Yeah. Whatever you can get. All right. So let’s talk about the argument for banning ransomware payments outright. What’s the argument in favor of this?
Jordan: In the US, the Department of Treasury actually released a sanctioning on ransomware payments. Specifically, to certain countries and regions that are considered a risk by the Department of Treasury or sanctioned countries. So, the reasoning behind it is the greater good. If you pay a ransomware actor, you individually may have your data recovered and decrypted, and you can resume operations. But then you are providing funding for them to carry out the next ransomware operation. It’s almost like passing the problem downhill rather than addressing it and trying to solve it.
I heard that argument, for example, with the Colonial Pipeline incident, a lot of the eastern seaboard of the United States was having problems with fuel distribution. And the ransomware criminals were asking for 5 million bucks or something like that. So 5 million as opposed to holding the entire east coast ransom. Why don’t we just pay it? Right?
Jordan: Yeah. A lot of times companies will look at this as a business decision, honestly. Let’s say a company is completely ransomed and all of their operations have come to a stop, that lasting even for just a day can mean millions of dollars in revenue loss for larger companies. So if the attacker’s asking for a million dollars, in a lot of ways, it seems like a no-brainer to just pay the ransom and resume operations and in a way, make a profit of a million or so in having your operations back for that day.
But also, good information security is not cheap. So do you guys think companies are sort of, “This is just the cost of doing business. I’m not willing to spend all this money on information security. So if there’s a ransomware thing, I’ll just pay the ransom and I’ll save some money in the end anyway.”?
Päivi: I think that sounds more like uninformed decisions. Maybe the risks aren’t communicated that well, what comes with poor cybersecurity. So ransomware attacks are just a minor part of that whole picture. And if we keep communicating to the decision-makers, directors of companies, CXOs, whoever, that the biggest risk with having poor cybersecurity hygiene in your company is the risk of being ransomed against a million, couple of million dollars. That doesn’t paint the whole picture. And it doesn’t make the decision-makers understand what the real risks are and what the real cost is.
Yeah. I mean, if you were vulnerable for this one crew, who’s to say there isn’t the next one just around the corner?
Jordan: I think on top of that too, one thing you really need to look at is the reputational impact. When this oil pipeline was ransomed, sure, they’re down a few million dollars because they paid the ransom. But on top of that, they’ve lost the trust of essentially the American populace. So if you’re talking about a company that is not supported and backed by the government, if this kind of thing makes the news, it can ruin the company’s reputation, irrevocably.
Maybe the cynical argument is like, “So what? What are you going to do now? Build your own pipeline?”
Jordan: In the oil pipeline scenario it’s definitely a bit of a different story than most companies have. But I would still argue that something like this will probably prompt people to look into alternative energy resources or ways to not use this oil pipeline that is so much at risk of just going down or being insecure.
No, I hear you. But I was thinking the same thing back in the day when the cheating website, Ashley Madison, got hit and their accounts were published. People still kept using their service because they liked their illicit affairs better than they liked their privacy.
Päivi: That’s the thing, if you don’t have any options, same goes with the critical infrastructure, that you can’t just decide that, “Yeah, I’m going to stop using oil because they have such poor cybersecurity hygiene.” I think the decision-making is happening on the grass level, on the individual level only when it’s reflected, for example, in the oil prices that, for example, paying the ransom is making the oil more expensive for the individuals. That is the only thing that is going to affect the consumer behavior.
Yeah. What about on the company’s side? Let’s say that ransom paying is now outlawed and that’s not an option for you, but you got hit by ransomware anyway. So what else can you do as a company?
Jordan: Yeah, there’s a very, very slim chance that you may be able to reverse the encryption mechanism, but most ransomware actors at this point have adopted ones that are essentially impossible to reverse. So once you’re hit, there’s not much you can do.
And I think one of the key problems when you’re facing ransomware is that security investment, security hygiene and things, those are problems that only really seem to get addressed at most companies after there’s been an attack, or after there’s been a significant impact as a result of poor security.
You can’t just respond to this type of thing. You have to be proactive. You have to, at the very least, have some kind of backups of your critical infrastructure. Ideally, you would have security policies in place and defensive measures, but even in a non-ideal world, something like backups, something like, let’s say EDR or something, just those sort of basic single-item defensive measures are fairly easy to implement. They may be a decent amount of investment, but it’s worth its weight in gold when you’re facing a scenario like this.
That’s the thing. It’s not just about getting your information back. These days, criminals are also threatening to publish your information. Let’s say I’m a hospital and I’m sitting on a lot of people’s health records and personally identifiable information like that. I don’t want that published out there. So if I can’t pay the ransom, what else can I do?
Päivi: But if you’re willing to pay the ransom, that means that you actually believe that the criminal who has stolen that information is actually going to hold up his end of the deal. That, “Yeah, yeah, yeah. If you pay me enough, I’m not going to sell this information forward to anyone and gain even more money.” Yeah. That makes a whole lot of sense to me.
Jordan: Yeah. There’s no guarantee at all that when you pay one of these ransoms that you’re going to get everything back. Even if you get the encryption key, a lot of file types and things like databases, once they’re encrypted, when they’re decrypted, a lot of data can be corrupted in that process.
I’ve seen it firsthand, where a crucial customer database was encrypted, decrypted with a decryption key, and when that was done, the database was unusable. And it essentially ruined the value proposition of paying the ransom in the first place because that database was so vital. So there are a lot of reasons, even if you’re planning on paying the ransom, that things might not work out for you.
Päivi: Yeah. That is exactly what I’ve seen as well when I’ve looked, for example, at the encryption routines that the criminals have implemented in their ransomware. They are very poorly implemented and they lead to corruption. And even if you have the decryption keys, you are unable to retrieve the information back when it’s been encrypted, because it’s basically corrupted at that point.
Staying on the topic of hospitals. Do you guys think that regulators could just cut off these institutions from a potential solution to restoring their operations? Would the lawmakers just be happy with saying, “Yep. We’re not going to pay ransom no matter what. No matter if your hospital is ransomed, people’s private information is about to be leaked. Patients are dying on the tables. We’re sticking to our guns, no paying ransom.”
Jordan: I think when we talk about specific scenarios, individual scenarios where maybe people’s lives are at stake, maybe there’s some kind of greater impact to be considered there. I think that’s something that could be handled on a case-by-case basis.
And I think the oil pipeline scenario is actually one that’s worth considering here because we don’t really know much about the ransomware actor in that case. I mean, we’ve got some artifacts and things, but as far as attribution, I don’t recall seeing much in the news as to whether or not they fall under that regulation from the Department of the Treasury. And I think the reasoning for that is there was a decision made by maybe the government that it’s worth having the oil pipeline restored. It’s worth having that ransom paid in order to keep operations running.
Whether or not those decisions are the right ones, I think, is a different argument. But in the case of this argument, specifically about ransomware, I think the regulation needs to happen across the board as a first step. And then we can start to consider those individual scenarios, once we’ve got that step in place.
Päivi: If we think about security outside the cyber realm, for example, if we think about how safe airplanes and cars and such are, they have very strict security regulations and those are being actually followed and monitored. And no one is allowed to operate, for example, an airplane, if that hasn’t passed all of these very rigorous security measures. Why can’t that be implemented, at least for critical infrastructure?
It makes a whole lot of sense to me to regulate these kinds of things, that you have very secure infrastructure. It’s been proven decade after decade and on very different topics that it can be done. Why is it impossible in cybersecurity? We can’t say that airplanes are 100% secure, or there are no car accidents, but they are of minimal impact because of these security measures.
So I think we just have to accept criminals will always be criminals and there will always be attacks and ransomware incidents and such. But we just have to minimize the impact, at least on critical infrastructure.
All right, we come from different countries, Jordan and Päivi and myself. So what if paying ransomware was legal in some countries but illegal in others? Would that cause ransomware actors to focus more on the countries where you can pay the ransom, or is the key here just a global ban and we’ve fixed ransomware, it’s gone now?
Päivi: It would definitely lead to a situation that you find ways to transfer the money. You would be able to pay the ransom if you really want to. And what comes through your proposal of implementing these global regulations and restrictions that hasn’t worked, at all, in anything.
Jordan: Yeah. I think when you’re talking about ransomware, it’s almost always an opportunistic attack. It’s an attack where maybe it’s done as a result of a scan across the internet. I mean, a great example of this was WannaCry. That was literally just an automated attack across the entire internet. They just went IP address by IP address, launched the exploit, if it worked, the estate was ransomed. If it didn’t work, it wasn’t ransomed.
So I don’t think regulations will stop the attack outright. And I think that’s why, like we’ve been saying, we need to put more regulation in place, not just around whether you pay or you don’t pay, but also around what defenses you must have in place before you even get to the point that you’ve been ransomed. Especially when we’re talking about critical infrastructure, things that people’s lives depend on if it’s ransomed or not.
You don’t think that would just encourage the attackers to sort of focus on these critical infrastructure organizations so that there is more pressure to pay the ransom?
Jordan: Well, if we’re talking about increasing the security posture of these organizations, the best deterrent is either annoyance or delay. If the regulations force these companies to put in place a lot of security measures… Like I said, these attacks are opportunistic, mostly, in nature. So it’s a complex conversation, but I think at the end of the day, the stronger your cybersecurity posture is, even if it’s just in small measures, the better chance you have of not getting hit by a ransomware attack for a myriad of reasons.
Päivi: Yeah. And if we think about this from the criminal perspective, that is their job and they are trying to make as good money with as little effort as possible. So if you have a high security posture, the odds are that they are going to look somewhere else where it’s easier to attack and easier to get the ransom.
Okay. There was an article on Forbes saying that 90% of organizations who pay the ransom don’t get all their data back. Is that what you’re seeing as well?
Jordan: Absolutely. Yeah. I’ve seen a lot of cases where the ransom is paid and the attacker just either takes the money and runs, or they will take the initial payment, provide a decryption key, but then ransom additional data that they’ve exfiltrated. This is not a transaction that’s verified in any way really. You’re just crossing your fingers when you send those Bitcoins out. So I think that’s another crucial argument here against paying the ransom is there’s absolutely no guarantee that you’re going to get anything back.
And even if you do get something back, you’re painting a target on your back, not just for the ransomware attackers that you’re dealing with, but any of their friends as well. I’ve seen forums on dark websites where people are talking about, “Oh, well I had good luck launching exploits against this company. You should give it a try as well.” And then as soon as you’ve ousted this first problem and recovered, maybe the decryption key even worked for you, that’s the lucky 10%, well too bad, you’ve got another ransomware actor on your front door two days later.
Päivi: Yeah, I would propose or say something a little bit counter-argument about this. The organizations that have been ransomed and have paid and have gotten their data back, how willing are they to speak up?
I could see that being the case, that in the public eye, we’re only seeing a portion of the cases. But even if we allow for a little bit of bias in the data that we’re seeing, if it’s not a sure thing, if it’s not a guarantee, if it’s a roll of the dice, anyway, if you’re going to get your information back or not, doesn’t that mean that the business is going to die out on its own? Do we need to penalize paying at all?
Päivi: That hasn’t been working so far at all. So if we look back, for example, what ransomware was five years ago, it was more trying to spew out these ransomware attacks wherever there were recipients. And usually, these recipients of these attacks were PC users, individual users. And the trend in the past couple of years has been that they’ve been growing into these more targeted operations, that they are actually looking at the environment where they are, and whether the information that they are going to hold ransom against is valuable, and how valuable that is. And that has been growing a lot.
So even though recovering after paying the ransom hasn’t been that successful and that has been the story from the beginning, it seems that the ransomware problem is just growing bigger and more problematic.
Jordan: Yeah. I think a good way to think about the regulation scenario is traffic speeding on a highway or something. So, on every highway there are signs that say speed limit 65, right? Does everybody drive 65 miles or kilometers per hour? No. Many people do still speed and do still take the risk of being pulled over and fined or arrested or whatever the outcome will be. So even if-
Getting into an accident, I think you’ll find is the real outcome there, but go on.
Jordan: Well, I think that’s actually why this is such a great analogy, is part of the potential outcome when you’re taking that chance and you’re paying the attacker, i.e., going over the speed limit, you’re not just risking being fined by a regulator, you’re still risking getting into a car accident, or you’re still risking a problem with that attacker.
But the biggest reasoning for posting that speed limit or putting these regulations in place is not to penalize individual businesses. It’s as a deterrent in general, to stop businesses from just making this decision purely based off of, “Oh, well, my daily operation is worth $2 million, but I only have to pay 1 million to restore my network. So I’m just going to pay the 1 million because it makes sense from a financial perspective.”
Päivi: But if we add the sanctions on top of that, so if your daily operations cost you $2 million per day, the ransom is $1 million and the sanctions are maybe 500,000, that would still be a pretty good offer, or the decision to pay the ransom and pay the sanction fee. That would still make sense. So, that is just like kicking someone already when he’s being attacked.
Jordan: Yeah. And I actually quite like the Department of Treasury’s implementation because it does threaten potential jail time. So no matter how good of a decision that looks like from a financial perspective, the company’s CEO isn’t going to want to put their own life at risk. So it adds a layer of risk assessment to that decision. And again, it’s a deterrent. Is it going to stop every single person from paying ransom? No, but it will help reduce the problem. It will help reduce the funding that these attackers have in their pocket when they go to attack the next victim.
What that just means is that we’re going to be getting even less data about attacks from now on, because companies are going to be even more tight-lipped about getting hit by ransomware, where they can. Unless they absolutely have to come out and admit it, they’re not going to, because there’s going to be all these repercussions.
Päivi: In my opinion, that would lead to that. There’s sort of this shame and the fear of being penalized.
Jordan: Yeah. The reality of it, at least in the US that I can share is the FBI is monitoring many of these ransomware attacks before they even hit a network. I’ve worked with the FBI on myriad occasions where the ransomware attacker comes into the network. A day later, the company gets a call from the FBI. We jump on the phone with them and I’m sure you can assume how they get this information, but they have screenshots from the terminal window on the command-and-control server. They’re seeing this attack happening in real time. It’s honestly really cool to see.
But what that also means is even if these companies don’t say anything, the FBI still has a good chance of knowing that you did something. It’s a bit of a big brother scenario, but that’s the reality of it. Yeah.
Then you get extra jail.
But if paying the ransom is only 10% effective in regaining your data, but 100% effective in fueling this criminal phenomenon, isn’t that an argument in favor of just banning it, outlawing it entirely?
Päivi: Well, it sounds like that. But how would you implement that effectively? The banning?
I think the most effective way to outright ban the ransomware payments is to ban the money transfer. So I’m not big on this jail time and giving big fines to CEOs who pay the ransom. I’m more of this trying to stop the money transfer. So I think that is something that could be done and would be way more effective than just sanctioning afterwards.
So would that actually be a good alternative to outright banning? Just start off by having companies report payments: you can pay the ransom, but you have to report it. And then sort of see what the situation is, what the next step is, then look at, maybe can we restrict these payments somehow? Get more information? What else could lawmakers do than just ban ransom payments?
Jordan: I think as far as alternative options, even if we ban the payments, the attackers are going to find something else to do here. Even if we get rid of every single untraceable way of handling money, I guarantee you, these attackers are going to just turn around and find a different way to monetize this. Something like selling data on the dark web or selling it to competitors, or what have you. I think we might see an increase in that if we ban ransomware payments outright. These criminals are going to continue being criminals, regardless of whether we ban payment methods or ransomware or whatever it is we do.
Päivi: I have to totally agree with Jordan on that one. And what comes to the alternatives you listed, if every ransomware attack has to report that they are being ransomed, that would help probably the regulators as well, to build a thorough threat picture of how much it is affecting, and what kind of industries, and feeding in that kind of information about the prevalence of the problem would help probably in the future to mitigate in a larger scale against these attacks.
But on the short-term solutions, just banning the payments, that’s not going to solve the problem for a long time. And as we’ve seen, the criminals are always adapting and they’re always looking for new ways to monetize their activities.
Well, speaking of short-term solutions, a lot of companies have been turning to cyber insurance and now cyber insurance companies have been paying through the nose and now they don’t want to anymore. So what’s going to happen to that whole area?
Jordan: Yeah. So I think with cyber insurance, it really is just contributing to the problem. And again, it’s making it a very economically viable decision to pay the ransom. I think that’s part of why having these regulations in place is important, because there’s going to be a way to get out of the situation with a net positive, from a financial perspective. So even if a company is ransomed for some ridiculous amount of money, if they have cyber insurance, they can just turn around and say, “Well, this cost us X amount. Plus we had to pay the ransom. Hey, cyber insurance, give me my recompense for all of this.”
So if we’re allowed to follow that sort of model, the insurance industry will benefit from this probably. And the individual companies will benefit from this. And most importantly, the ransomware attackers will benefit hugely from this.
The only people that are losing out here are the people that can’t afford cyber insurance. And those are the ones that I think need the most protection in the form of regulation. If we slow down or perhaps someday even stop the ransomware machine, these smaller mom-and-pop-shop style businesses are going to be less at risk of being just completely eradicated by something like this. Not every business can afford to just throw money at the problem to make it go away.
Päivi: Yeah. And I think in addition to fueling the ransomware problem, it’s also fueling the problem overall that if we pay for cyber insurance, we don’t have to invest that much money for our internal security operations. We don’t have to maintain this certain level of security hygiene and such.
It’s easier to measure if you don’t understand. For example, if you don’t understand the security industry at all, it’s easier to measure in your budgets and such to just invest some block amount to a cyber insurance. And that is just your level of security at that point. So everything bad that happens after you’ve been breached, you’ve lost data, or you’ve been ransomed. You just go to your insurance company and ask for compensation. And that is a very, very bad cybersecurity strategy.
Yeah. And also it’s an untenable situation. I don’t think cyber insurance companies are going to be happy to do this for much longer. I think premiums are going to go up and payments are going to go down and then what’s the benefit of having cyber insurance anyway?
Jordan: Yeah. I think it’ll be a case of the more incidents that happen, like you said, the more that premiums will go up and restrictions will be placed on what exactly constitutes a payout.
Now I was thinking, in the case of that oil pipeline, I was thinking if this was a terrorist attack, the response would have been, I would have thought, much more visible and high profile. And President Biden is actually talking about taking a more active role, countering cyber attacks. The new US strategy seems to put them on that same level with other terrorist attacks. How does that correlate with penalizing ransom payment, for example?
Päivi: I think the approach Biden has taken with taking the cyber attacks on the same level as terrorism overall, I think that is a good way of showing that yes, these incidents, they are affecting, on a large scale, individuals and organizations, and they are threats to a nation as a whole. So making that big of a statement could help the understanding of the levels that these cybersecurity breaches could potentially have.
Jordan: Yeah, I think just like the executive order that came out from Biden, it’s a nuanced issue, but it is overall an excellent step forward. I think a pretty common turn of phrase nowadays is, “Today’s wars are fought on computers rather than battlegrounds.” Many of the attacks that we’re going to see, whether they be diplomatic in nature, maybe they’re just financially motivated, whatever it is. I think we’re going to see more and more of them happening on computers.
And I mean, I personally have seen many of them that are motivated at a geopolitical level where we need to have preparations in place to address something like this and deal with it in order to respond appropriately and effectively.
So, okay. So the best defense probably is not to get hit by ransomware in the first place at all. So what are some of the things that companies should and could be doing to sort of prevent this problem from ever happening?
Jordan: So it’s a complex issue, right? Cyber security is a long and twisted chain that you need to establish in order to stop these things. But just like a chain, it’s only as strong as the weakest link. So when we’re talking about how to defend against something like this, it’s going to be shoring up your defenses in every way you possibly can.
If I had to narrow it down to a specific recommendation, I would say tooling like having EDR in place, some kind of network-wide visibility, and hopefully monitoring as well, will give you the best chance of seeing something like this happening before the attacker pulls the trigger.
When it comes to ransomware, they want to affect the entire network. They want to get the domain controllers. They want to get the servers. They want to get the backups so that you have no chance of recovering. So in many of these attack scenarios, even if a certain subset of computers are infected, you still have a chance to respond and stop it. It’s just a question of how quickly can you see the attack and how quickly can you turn that into an effective response and containment of said attack?
Päivi: And also for not allowing the attack to happen in the first place. There are very simple security hygiene rules that are… Minimize the attack surface, so you don’t put your services up on the open internet and the ones that you have to have open, have proper authentication, two-factor authentication, multi-factor authentication. So you’re preventing unauthorized access to these services.
And the other point that will stop the lateral movement that Jordan mentioned that they are trying to infect the whole network is to have proper network segregation. Separate the networks from one another and just open up enough holes for your critical operations. Don’t leave anything open. So implementing those two would go miles long for preventing any type of cyber attack.
So this has been another episode where we fail to solve the problems, fail to come up with new shiny, blinky solutions and instead recommend people to just get the basics right. So I want to thank you guys for being on the show and talking about this very nuanced problem with us.
Jordan: Absolutely. And I think everybody could do with revisiting the basics and making sure that their bases are covered there. There’s no shame in being at the very first step in your security journey. It’s just a question of putting the next foot right after the other.
That was the show for today. I hope you enjoyed it. Please get in touch with us through Twitter @CyberSauna with your feedback, comments and ideas. Thanks for listening. Be sure to subscribe.