
Ransomware Attacks Must be Suppressed

07/08/2021

It is apparent that hundreds of companies and institutions in the U.S. have paid ransom to cyber criminals to restore IT operations and to avoid disclosure of sensitive documents. The latest incidents affecting Colonial Pipeline, JBS USA and the recent revelations concerning the clients of IT-service provider Kaseya confirm the need for immediate and concerted action.

The question arises as to whether governments should ban the payment of ransom, as it is felt this encourages and emboldens criminals. In recent weeks, JBS USA paid $11 million in ransom, following Colonial Pipeline's payment of $4.4 million with accompanying disruption in services, and this has renewed debate over appropriate responses to cybercrime. When faced with a demand, most companies perform a benefit-to-cost analysis to determine whether the ransom is less than the cost of disruption of ongoing activities and restoring function with backups and intensive IT efforts.

From recent history it appears that businesses and institutions cannot expect much technical help from the U.S. Government. Following disclosure of the SolarWinds breach, it became apparent that multiple government agencies were penetrated by agencies of the Russian Federation. The topic of institutionalized cyberespionage was the subject of discussion at the recent summit between the Presidents of the U.S. and Russian Federation. Cybercriminals cannot operate in the Russian Federation without the tacit approval of their government. Accordingly, many of the gangs have moved to former Soviet Republics, from where they function with impunity.

 

Appropriate responses to recent attacks should be considered, including:

  • Strengthening defense against cyberattack. This topic was the subject of a presidential Executive Order requiring upgrading of cybersecurity.

  • Making it illegal for insurance companies to reimburse clients for payment of ransom, as in the U.K.

  • Disqualifying ransom payments as a permitted tax deduction.

  • International action and agreement on stricter regulation of cybercurrency.

  • Obligatory reporting of cyberattacks whether or not ransom is paid. This will enable government agencies to analyze attacks and develop appropriate countermeasures. In the case of the Colonial Pipeline event, the FBI recovered the Bitcoin tendered, suggesting that this capability serves as a deterrent to cyber criminals. This, however, requires the complete cooperation of victim companies.

  • Companies should upgrade IT resources and make use of specialist consultants and service providers capable of strengthening defenses and developing backup systems.

 

Using available data, it is evident that there are fewer but more sophisticated gangs, such as REvil, operating as cybercriminals. Their focus has shifted from numerous small concerns and institutions with relatively low payment to large companies with multi-million dollar demands. As large companies have strengthened their defenses, it is evident that the emphasis will revert to smaller entities and institutions with lower levels of protection, as evidenced by the Kaseya breaches.

 

Consumers and cybersecurity professionals alike consider that restrictions on payment of ransom should be enforced. This approach is totally justified until an event occurs that demands an immediate response. Although cyber criminals appear to be “honest” in their follow-up on release of documentation following payment of ransom, a recent survey noted that 80 percent of businesses that paid a ransom suffered a subsequent attack.

 

The U.S. agricultural industry, along with energy, pharmaceuticals, travel, banking and finance, is now looking to the Federal government for assistance in the form of technical support, policy and legislation, in addition to aggressive diplomacy, to resolve the issue of ransomware attacks. Perhaps it is time to exercise some of the presumed cyberoffensive capability of the U.S. to back up statements issued by the Administration. Shutting down the oil industry of the Russian Federation for a few days will certainly encourage cooperation in eliminating the endemic criminal element in Russia and neighboring kleptocracies.