Would banning ransomware insurance stop the scourge?
- Reference: 1728932410
- News link: https://www.theregister.co.uk/2024/10/14/ransomware_insurance_ban/
- Source link:
No one disputes that this particularly heinous brand of cybercrime is a scourge across societies. But eliminating the problem, or even putting a dent in it, has proven to be a huge challenge that, so far, has seemingly evaded everyone.
As soon as law enforcement [1]disrupts one menace , [2]three or [3]four [4]new ransomware groups spring up in its place because it's still a very lucrative business. Last year alone, the FBI received 2,825 reports of ransomware infections accounting for more than [5]$59.6 million in losses .
[6]
One solution suggested by White House cyber boss Anne Neuberger involves eliminating insurance reimbursements for extortion payments.
[7]
[8]
Neuberger, the US Deputy National Security Adviser for Cyber and Emerging Technology, also called on the industry to require organizations to implement strong cybersecurity measures as a condition for underwriting policies, "akin to the way fire alarm systems are required for home insurance," in an [9]opinion piece for the Financial Times.
Fueling cybercrime ecosystems
Then she blasted practices that make the problem even worse. "Some insurance company policies – for example covering reimbursement of ransomware payments – incentivize payment of ransoms that fuel cybercrime ecosystems," Neuberger wrote. "This is a troubling practice that must end."
As the [10]victim count and [11]monetary losses worldwide continue to grow, an increasing number of cybersecurity experts and law enforcement officers have called for a [12]complete ban on ransom payments.
I'm not convinced that banning the ransom from being paid by cyber insurance policies will remediate the issue
A ban on insurance payouts to cover ransom payments may be a way to achieve that objective – at least for the larger corporations that can afford a premium cyber-insurance policy in the first place.
Still, in addition to the extortion payment itself, there's still the costs associated with remediation, business interruption, and other financial impact. In its most recent [13]filing with US regulators, UnitedHealth said it had spent $776 million on network restoration and $1.4 billion on increased medical care expenditures as a result of the Change Healthcare ransomware attack in February.
Previously, the company's CEO admitted to paying the criminals a [14]$22 million ransom demand .
[15]
"I'm not convinced that banning the ransom from being paid by cyber insurance policies will remediate the issue," Monica Shokrai, Google Cloud's head of business risk and insurance, told The Register .
"In the case of large companies, cyber insurance will still cover the cost of the incident and the ransom itself often isn't material, particularly compared to the cost of business interruption that a large corporation may face," she added. "So, if larger companies continue to pay the ransom despite insurance not covering it, the impact of a ban on the insurance coverage becomes less meaningful."
And, as with most things, smaller companies would likely face disproportionately higher costs should an insurance payout ban be put in place.
[16]
"With SMBs, the ransom payment may also be a bigger proportion of the total loss and certainly a more significant percentage of their overall annual revenue," Shokrai said. "The impact of a cyber insurance ban on ransomware payments may mean they go out of business if they can't pay the ransom without insurance coverage."
Still, other experts argue that the only way to eliminate attacks is to cut off the financial incentive for the criminals.
"I agree that insurers should be banned from reimbursing corporations from paying for ransomware," said Tom Kellermann, SVP of Cyber Strategy at Contrast Security. "I also think corporations themselves really need to improve their cybersecurity and their backups and their relationships with the cyber-fraud task forces in the Secret Service or the FBI."
Ransom payments as sanctions evasion
Kellerman has been working to find a fix for this global problem since 2020, when he was appointed to the Cyber Investigations Advisory Board for the US Secret Service.
During a recent discussion with The Register about ransom payments and insurance policies, he echoed US Deputy Attorney General Lisa Monaco's previous statements that ransomware payments should be considered a type of sanctions evasion, "particularly given the fact that 80 percent of those ransomware payments are being funneled to cybercrime cartels who enjoy a [17]protection racket from the Russian regime ."
In many ransomware attacks, criminals also deploy a remote-access Trojan along with the file-encrypting malware, which gives the gangs persistent access to victims' networks.
[18]Ransomware negotiator weighs in on the extortion payment debate with El Reg
[19]Ransomware ban backers insist thugs must be cut off from payday
[20]Ransomware gang Trinity joins pile of scumbags targeting healthcare
[21]Ransomware crew infects 100+ orgs monthly with new MedusaLocker variant
"And that allows these cartels to basically teleport themselves into any system that some affiliate has compromised, or share that backdoor access with the [22]FSB and GRU ," Kellermann said. "Ransomware is out there creating a free-fire zone for a multiplicity of actors that allows for the larger, more significant campaigns of infiltration by Russia and her allies to be conducted."
The insurance payment ban should come from government regulators, he added – not the industry itself.
The US government has long had a policy, we don't negotiate with terrorists
Insurers don't want to cover ransom reimbursements. "They're losing so much money on cybersecurity coverage," Kellermann noted. "This would basically give them an out. It's high time the regulators stepped in and banned ransomware payments from either financial institutions or insurers, and considered it sanctions evasion."
Ransomware protection firm BullWall's US executive VP, Steve Hahn, suggested taking this policy one step further, and banning ransom payments from insurers and corporations altogether.
"The US government has long had a policy, we don't negotiate with terrorists," Hahn told The Register . "The money we pay for insurance and recovery could be better spent on cybersecurity and the threat actors' coffers would run dry while our security posture increased."
This calculus may involve human lives being lost, as have similar decisions not to pay ransoms for hostages held by terrorist organizations and rogue governments, he added. But in the long run, it would "all but eliminate ransomware," Hahn suggested.
Of course, this is easier said than done and Hanh acknowledges it would be a very tough policy decision to make.
It's one thing to make a blanket statement that we will not give into ransom demands under any circumstances, but it's much more difficult to hold fast to that when [23]hospital patients are dying because they don't have access to life-saving drugs or surgeries because of a ransomware infection.
No one wants to finance criminal activity in theory, but it becomes much easier to find acceptable exceptions to that when, say, paying a ransom means that water will again flow from people's faucets or heat will turn back on in the dead of winter.
'Payment ban will backfire'
"Complex problems are rarely solved with binary solutions, and ransomware is no different," Sezaneh Seymour, VP and head of regulatory risk and policy at Coalition, told The Register . "A payment ban will backfire because it doesn't address the root cause of our national problem: widespread digital insecurity."
Any type of payment ban isn't actually a ban, and there will always be exceptions for exigency – just as with the Treasury's Office of Foreign Assets Control, which also has expectations of sanctions, she argued.
"Beyond concerns that a ban will re-victimize ransomware victims, a ban is more likely to paint a [24]target on our critical infrastructure – potentially resulting, ironically, in increased attacks on the very infrastructure we seek to protect," Seymour said.
"Nobody wants to pay a ransom: not a victim, not an insurer," she added. But any type of long-term fix needs to address the underlying security problem of which ransomware is a symptom.
"The more effective approach is to first advance policies that meaningfully improve our nation's digital resilience." Seymour said. "For example, by shifting incentives so that the technology sold is more secure and by compelling good cyber hygiene practices across the infrastructure that provides our critical services." ®
Get our [25]Tech Resources
[1] https://www.theregister.com/2024/10/01/euro_cops_arrest_four_mystery/
[2] https://www.theregister.com/2024/09/19/valencia_ransomware_california_city/
[3] https://www.theregister.com/2024/10/09/trinity_ransomware_targets_healthcare_orgs/
[4] https://www.theregister.com/2024/10/03/ransomware_spree_infects_100_orgs/
[5] https://www.ic3.gov/media/pdf/annualreport/2023_ic3report.pdf
[6] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_specialfeatures/cybersecuritymonth&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=2&c=2Zw2Ug3KFsntpXb-3spzRXgAAAME&t=ct%3Dns%26unitnum%3D2%26raptor%3Dcondor%26pos%3Dtop%26test%3D0
[7] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_specialfeatures/cybersecuritymonth&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=4&c=44Zw2Ug3KFsntpXb-3spzRXgAAAME&t=ct%3Dns%26unitnum%3D4%26raptor%3Dfalcon%26pos%3Dmid%26test%3D0
[8] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_specialfeatures/cybersecuritymonth&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=3&c=33Zw2Ug3KFsntpXb-3spzRXgAAAME&t=ct%3Dns%26unitnum%3D3%26raptor%3Deagle%26pos%3Dmid%26test%3D0
[9] https://www.ft.com/content/3b172a2a-4be5-4ef4-87cb-7fdcdee2ad99
[10] https://www.theregister.com/2024/09/30/texan_hospital_ransomware/
[11] https://www.theregister.com/2024/07/17/ransomware_continues_to_pile_on/
[12] https://www.theregister.com/2024/03/04/experts_echo_calls_for_ransomware/
[13] https://www.sec.gov/ix?doc=/Archives/edgar/data/731766/000073176624000262/unh-20240630.htm
[14] https://www.theregister.com/2024/04/30/unitedhealth_ceo_ransom/
[15] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_specialfeatures/cybersecuritymonth&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=4&c=44Zw2Ug3KFsntpXb-3spzRXgAAAME&t=ct%3Dns%26unitnum%3D4%26raptor%3Dfalcon%26pos%3Dmid%26test%3D0
[16] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_specialfeatures/cybersecuritymonth&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=3&c=33Zw2Ug3KFsntpXb-3spzRXgAAAME&t=ct%3Dns%26unitnum%3D3%26raptor%3Deagle%26pos%3Dmid%26test%3D0
[17] https://www.theregister.com/2024/10/01/evil_corp_russia_relationship/
[18] https://www.theregister.com/2024/05/12/ransomware_negotiator_payments/
[19] https://www.theregister.com/2024/03/04/experts_echo_calls_for_ransomware/
[20] https://www.theregister.com/2024/10/09/trinity_ransomware_targets_healthcare_orgs/
[21] https://www.theregister.com/2024/10/03/ransomware_spree_infects_100_orgs/
[22] https://www.theregister.com/2024/09/05/uncle_sam_charges_russian_gru/
[23] https://www.theregister.com/2024/07/05/qilin_impacts_patient/
[24] https://www.theregister.com/2024/01/06/ransomware_payment_ban_wrong_idea/
[25] https://whitepapers.theregister.com/
Ban paymentz, ends financial incentives for crooks
This has been obvious for years. The payments fund criminal activity, often fund terrorism, and keep people from having a responsible WORKING back up strategy.
It would also reduce collecting and storing unnecessary data, making for less desirable targets.
Also ban cryptocurrency
Or at least put some hefty control around it the way we do with "fiat" currency.
Re: Also ban cryptocurrency
I think it would be nearly sufficient to disallow banks and brokerages from transacting or managing crypto.
Re: Also ban cryptocurrency
You fools. I'm sure the global drug cartels have enough paper money, of every denomination and national currency to become a shadow world bank for every criminal organisation on the planet.
Re: Also ban cryptocurrency
The problem is not the form the money takes, it's how it gets transferred. Paying a ransom in physical currency or currency-equivalents means that there must be a physical transfer of assets which can be surveilled, making it high work. Conventional electronic banking transfers are subject to intense scrutiny when large amounts of money are involved, and banks in first world countries are subject to stringent regulations to avoid funding criminal enterprises and terrorism (which is not to say that "reputable" banks such as Deutsche Bank haven't been caught engaging in shenanigans). This leaves crypto currency as the money transfer medium of choice for the enterprising crook, since it can readily be transferred across national borders with no oversight, allowing criminals to collect their ill-gotten gains without fear of legal consequences.
From my own experience, it's a safe bet that anyone involved in crypto is engaging or intends to engage in criminal activity or fraud.
Also: "you fools"? Are you ... are you going to DESTROY US ALL?!
I've been saying this ever since I first heard of ransomware insurance
If they had done it back then, the ransomware industry would have never grown beyond 1% of its current size, and would be almost non-existent today if they followed up the ban on ransomware insurance with a ban on paying ransom. We wouldn't have had all the hospital attacks, because once the funding stream was cut off the ransomware criminals would have found something else to do to get paid.
i guess she's saying that law enforcement is pathetic
Otherwise, she wouldn't need to suggest this type of change, would she.
Re: i guess she's saying that law enforcement is pathetic
When you have a plan for having a law enforcement body with the ability and power to find people who are hiding well, whose organization, ringleaders, and many of the participants are in a country that is unwilling to extradite or even investigate them, and who do not need to meet physically, let us know. In the meantime, we will need to plan for how to combat ransomware when you can't catch them. There are only so many of them who will be identified and travel to countries they shouldn't, although when it happens, law enforcement has tended to make them regret doing so.
Duty of care
Most insurance includes a ‘duty of care’, requiring you to take steps to prevent a claim. If ransomware insurance exists, then use it to improve cyber security. No 2FA - no payout. Kept the default admin password - no payout. Failed to train employees to spot phishing emails - no payout. You get the idea. It looks like the politicians are not going to ban paying ransoms, or ban insuring against ransomware, so lets force the insurance companies to make their clients harder targets. Insurance companies love a reason to not pay out for a claim. They could start with the basic stuff and then each time a ransomware attack succeeds, find out how they got in and make securing that way in part of the policy 'duty of care'. Yes I am a hopeless idealist but I'm not the only one.
Preemptive strikes with Liberationware (TM)
1. Find points of entry. Zero-day, social, technical, insider, etc.
2. Install firewalls, close ports, update passwords after installing a password manager and communicate access to known trusted parties.
3. Inconvenient? Perhaps, it’s a pain to have to use a password manager. But is it? I’ve used 1Password for more than a decade and it’s essential, simple, and it even makes Passkeys usable.
Ransomware problems stem from organisation and training failings. There’s no excuse for treating confidential customer and patient data like this.
And don’t start me on the scam that’s called The Insurance Industry.