As unpleasant an option as it is, victims of ransomware attacks often just pay up in order to recover sensitive data. Nutter’s Seth Berman and James Gately offer an alternative.
Ransomware attacks hit suddenly and without apparent warning. One morning, your computers don’t function. You quickly realize you’ve been hacked: Your data has been stolen and your servers, along with all your crucial data, have been encrypted. In short, your business is crippled.
The attackers leave clear instructions: They will provide you with the decryption key and promise to destroy the copy of the data they’ve stolen if you pay a ransom. They know how big your company is and what being out of business for a few days will cost you. Thus, their multimillion-dollar ransom demand is tailored to you – perhaps the equivalent of several days’ revenue.
Companies facing a ransomware attack have two options: They can rebuild their systems from scratch at great cost over the course of several weeks – all while losing millions in revenue and suffering untold reputational damage – or they can negotiate and ultimately pay a ransom. Because of the realities of the first option, most companies (and their insurers) opt for the second, perpetuating ransomware as a lucrative stream of income for hackers. We propose a third option designed to address the collective action problem created by America’s ransomware epidemic.
The Collective Action Problem
Ransomware is a type of malicious software, or malware, that encrypts the data on a computer network, locking out legitimate users until a “ransom” is paid in exchange for a decryption key. No one is immune; individuals, Forbes 100 companies, municipalities and governments have all fallen victim. Threat actors typically penetrate a victim’s system by exploiting security holes or by using social engineering to trick an unsuspecting user into clicking a link or opening an attachment that downloads malware. Once inside, the threat actor works invisibly to escalate user privileges, find sensitive data and prepare to strike, all while the oblivious victim goes about its business for days, weeks or even months. And then, suddenly, everything is locked.
It would be better for everyone if no one paid ransoms. As the hackers make clear, they are in it for the money. If everyone stopped paying ransoms, ransomware would no longer be lucrative and the incentive for hackers would be radically reduced. Indeed, the FBI discourages victims from paying ransoms, but – except in certain rare circumstances where an attacker or its cryptocurrency wallet has been specifically included on the U.S. Department of the Treasury’s Office of Foreign Assets Control list – it is not illegal to do so.
In practice, law enforcement understands that most victims pay the ransom to avoid ruinous consequences. Indeed, oftentimes, insurance companies will even foot the bill for the ransom, as it is typically cheaper than covering the cost of the business interruption. Not surprisingly, the cybercrime insurance market is one of the fastest growing, and insurance companies play a critical role in keeping organizations and their data safe. But because attacks are easy to perpetrate and payoffs from deep-pocketed insurance companies are easy to obtain, ransomware has become a one-way ratchet, resulting in higher ransom demands and higher insurance premiums.
Law enforcement is working hard to investigate attacks and bring perpetrators to justice, but it is severely hampered in the effort. Few attackers are traceable. Those who are often live in countries without extradition treaties or are foreign officials who need not fear arrest. Cryptocurrencies make the ransom payment virtually untraceable, and efforts to stop the flow – such as tagging specific bitcoin wallets as Specially Designated and Blocked – are essentially useless, since hackers can easily create new wallets. As a result, the cost and frequency of ransomware attacks have been increasing rapidly. The FBI estimates that more than 4,000 ransomware attacks have occurred daily since 2016. Moreover, the size of ransom demands has skyrocketed. In just the last few years, ransom demands for businesses have climbed from a few tens of thousands of dollars to millions of dollars. It’s time for a new approach.
A New National Strategy for Ransomware
To stop ransomware attacks, we need to make ransomware unprofitable. In other words, victims need to stop paying ransoms. However, merely making ransom payments illegal likely won’t work and wouldn’t be fair – it would be difficult to enforce and doubly victimize the victims of attacks. Before outlawing ransom payments, we must create a system that provides financial support for ransomware victims to rebuild without paying the ransom. Such a system could be publicly or privately run.
The public option would require the federal government to set up an FDIC-like fund for businesses. Each business over a certain size would contribute a small payment each year (perhaps a fraction of a percent of revenue) to the fund. Once the fund was established, a business facing a ransomware attack could obtain funds to rebuild its systems and cover a portion of lost profits, provided that it does not pay any ransom.
The private option would work similarly, but would be administered by insurance companies that have committed to not paying ransoms. If attackers became convinced that businesses covered by this type of anti-ransomware insurance would never pay, organizations might even advertise that they have such insurance to communicate to attackers that it would be fruitless to seek ransoms from them.
Some might object to this arrangement on the theory that the system might incentivize companies to underinvest in cybersecurity. Though that might be a concern, it could be mitigated by requiring companies to publicly announce that they were victims of a successful attack and by ensuring that the insurance would only cover costs associated with ransomware attacks, not other types of cyberattacks. There is also a concern that attackers might increase their efforts while the system is being set up in order to ensure that it collapses. In this scenario, a company would never advertise that it has anti-ransomware insurance for fear that doing so would invite, rather than prevent, attacks. This risk is real and should be acknowledged, but it isn’t so different from the situation we are in now. In our view, it is a risk worth taking.