Tackling the ransomware business model

In his personal policy position on ransomware not affiliated with SANS or any other group, Martin advocates banning ransomware payments altogether as the current best option for addressing the scourge. “We allow people to pay because they panic and are in a really difficult position. They don’t understand what’s going on,” he tells CSO. “I think governments have been very quick to have really tough policies on ransom payments for terrorist kidnapping and so on to make sure that Al-Qaeda and ISIS and all these horrific groups don’t get access to funds. But they keep saying without any serious analysis, at least in the public domain, ‘Oh, a ransomware ban would be too difficult.’”

However, some cybersecurity experts disagree that banning ransomware payments is a good option. “I don’t think [banning ransomware payments is] going to have the impact that people think it will,” Meyers says. “I’ve talked to a lot of companies that were victims of ransomware, and that was their only option. They would’ve either been out of business, and there would’ve been people out of work and people out of having services that they needed because of not being able to pay the ransom. Our guidance is usually not to pay the ransom, but sometimes organizations don’t have a choice.”

Di Maggio thinks that a ban would work but argues that there “would be massive loss economically because it would go from a ransomware attack to a sabotage attack because you’re no longer able even to have the possibility to decrypt your systems or pay for [stolen] data not to be posted. We would bleed out for a while, but then it would just stop because you’re not going to want to work 40-hour weeks doing what you consider to be your job, whether it’s a crime or not if you’re not getting paid.”

Martin says, “I think a ransomware ban tomorrow on its own would be too difficult,” but it’s a policy choice that a proper government mechanism should support. “British healthcare gets hit by ransomware much less than American healthcare. Why? Because British healthcare is publicly run and state bodies will not pay. Why can the National Health Service afford not to pay? Because if it does get ransomware, it gets the wider support of the state.”

Good cybersecurity is always a defense

Aside from banning ransom payments altogether, the only solution to fending off ransomware attacks is to practice good cybersecurity risk management and hygiene practices. With ransomware, the key “thing is backups and operability of backups because if it’s just the availability of service that they’re extorting you for, if you can get backups and run from a backup system, then that’s worthless [to the ransomware attacker],” Martin says. “I think every organization needs to work out particularly more critical issues, such as what would happen if I lost access to the system and what could I do to get back together relatively quickly.”

“The other areas where we could get better are preventing, defending, and having a proactive approach to it,” Di Maggio says. “Granted, it’s not going to stop it, but if the day you’re first impacted by ransomware is the first time you’ve come up with a plan of how to respond, you’re going to be in trouble. And a lot of companies are like that.”

Meyers thinks that “as long as people are still not taking security seriously and they’re not investing in this stuff, they’re going to continue to have these same outcomes. These threat actors are doing this because it’s easy money. Until we raise the barrier, raise the cost for these threat actors, and it’s no longer as easy for them to make money off this as it is today, they’re going to keep doing it, and if they get disrupted, they’ll build again.”