Press play to listen to this article
A U.S. pipeline blocked. Irish hospitals brought to a standstill. A French insurer’s operations hacked. A Toshiba business unit hit. In the span of two weeks, four high-profile incidents have alerted the world to the growing danger of ransomware attacks.
But as policymakers try to respond, they’re finding out that the problem is larger than cybercriminals extorting corporations and governments to regain access to their own data.
It extends to a booming cottage industry linked to such attacks involving everyone from cyber insurers to security consultants and programmers in which many people stand to make money, and few have an interest in making the attacks go away.
“At the moment it’s very easy to pay organized crime. Is that really right? Should we not have a serious policy review about it?” said Ciaran Martin, former head of the U.K.’s cybersecurity agency who now teaches at Oxford University.
The realization that the incentives of industry players may be skewed comes as ransomware has emerged as the foremost cybersecurity threat facing businesses and public services.
For most victims, an attack begins when their computer is taken over by a worm-like virus. It then spreads across local networks, encrypts data, locks screens and demands a ransom, often in cryptocurrencies like Bitcoin, in exchange for giving back control.
In hospitals, this means doctors not being able to access patient records and having to work with pen and paper. In companies, it’s losing access to operational data and critical trade records.
Part of the reason such attacks have become more widespread is the greater sophistication of tools used to carry them out.
The ransomware used to attack U.S. pipeline operator Colonial, called DarkSide, is in fact an entire platform which offers “ransomware-as-a-service” — complete with features like a built-in call functionality to increase pressure on victims.
Other ransomware threatens to leak victims’ data if they don’t pay, or encrypts it twice to double the profit. Some were engineered by state-linked groups in Russia and North Korea using exploits allegedly developed by U.S. intelligence services.
So far, authorities have a simple but clear message to fight the problem: Don’t pay the hackers.
“Our position is clear: Don’t pay,” said Philipp Amann, head of strategy at Europe’s law enforcement agency Europol. “You’re dealing with criminals. If you pay once you’re very likely to become a victim again.”
Officials also stress that companies and organizations should keep comprehensive backups of their IT systems at all times. “If something bad happens at least you know how to recover from situations like this,” said Evangelos Ouzounis, head of secure infrastructure at the EU Cybersecurity Agency ENISA.
But those messages aren’t stopping the attacks, which on the contrary have become more targeted and lucrative in the past 12 months, according to a study by cybersecurity firm Sophos.
They also are not stopping victims from paying: More than half of them pay ransoms even though only a quarter of ransomware victims get all of their data back, a recent survey by cybersecurity firm Kaspersky found. In the case of Colonial, management paid out around $5 million to the hackers, according to Bloomberg.
Some victims have turned to outside experts to manage ransom negotiations, fostering an industry of consultancies — “ransomware negotiation services” — that promise to negotiate on behalf of victims and to reduce the amount of money they have to pay to regain access to their data.
Many victims also reclaim damages from cybersecurity insurance schemes, which generally allow companies to be reimbursed for ransom payments. The cybersecurity insurance market is expected to grow into the tens of billions of dollars in coming years, according to recent industry estimates.
Insurance associations have defended the practice of reimbursing ransomware payouts saying their policies still encourage higher cybersecurity protection standards. (French giant Axa was the apparent first big player to come out publicly against the practice earlier this month, when it said it would stop reimbursing ransoms in France — just days before the insurer confirmed it had itself been a victim of ransomware attacks.)
But critics argue that ransomware insurance creates the wrong incentives for companies and hackers alike. If companies know they can be reimbursed after paying a ransom, they might not take other steps that would dissuade attackers in the first place — like backing up their IT systems. They may also be less likely to investigate the origins of an attack and take legal action against the hackers.
Conversely, hackers might be emboldened to carry out more attacks knowing that their victims have “priced in” the damages by taking out insurance.
According to Martin, governments could consider banning ransom payments, imposing penalties for them, forcing companies to disclose them or regulating the insurance or cryptocurrency markets. “Whatever it is, let’s have a look at what’s most effective,” he said.
For Bart Groothuis, a European Parliament lawmaker in charge of drafting a new EU cybersecurity bill, the solution is cracking down on the criminal networks that have turned ransomware into a booming industry.
“What you have to do as European politicians is find a TV camera and call on all EU member countries to instruct their law enforcement services to hunt down these hackers,” he said. “As a society, we have to be clear: This is where we draw the line.”
But doing so would also require the Russian government to play ball. The attacks often originate from Russia-based infrastructure and Russian groups. Western and Russian diplomats at the United Nations as well as the Council of Europe have quarrelled for years over international cybercrime law without finding much common ground.
“If there were crimes being operated from the U.K., from U.S. or from Europe, we would be able to send law enforcement to stop them,” said Martin, the former U.K. cyber chief. “But we can’t because they’re in Russia.”
America Hernandez contributed reporting.
This article is part of POLITICO Pro’s premium coverage of Cybersecurity and Data Protection. From the emerging threats of a volatile digital world to the legislation being shaped to protect business and citizens, across sectors. For a complimentary trial email [email protected] and mention Cyber.