Throughout the COVID-19 crisis, we have focused on the significant uptick in ransomware attacks.  Government agencies such as OFAC, CISA, and New York’s DFS have updated their guidance on how to prepare for and respond to such attacks and provided tools to help stop ransomware attacks.  Cybersecurity also continues to be a major focus of private enterprise.  Despite businesses and government agencies’ increased attention to ransomware, however, 2021 is shaping up to be the most profitable year for data-nappers yet.  In fact, according to a recent report by OFAC, ransomware payments in 2021 are on track to exceed the total amount paid over the previous ten years combined. 

Total Suspicious Amount from Ransomware-Related SARs and Transactions, 2011 to June 2021

Source: OFAC, Financial Trend Analysis (Oct. 15, 2021), https://www.fincen.gov/sites/default/files/2021-10/Financial%20Trend%20Analysis_Ransomware%20508%20FINAL.pdf

That is a troubling sign for OFAC and other government agencies, which have encouraged targets not to pay ransoms.  Unfortunately, for an individual business there is no magic bullet to defend against these increasingly sophisticated attacks.  For businesses facing an existential threat and perhaps the large-scale release of sensitive data, it is difficult to take a principled stand against sophisticated ransomware syndicates.  Making a one-time payment (often covered by insurance) and moving on is often the only commercially reasonable option.  As a result, the status quo is a large-scale prisoner’s dilemma, with the attendant incentives mismatch.  While collectively it would be better for society if no one paid a ransom—thus reducing the incentive for bad actors to launch ransomware attacks and making the ransomware-as-a-service industry less viable—individually it often makes more practical sense to pay.  A business is unlikely to realize the incremental benefit of standing on principle, but very likely to see the downside of losing access to, and even the publication of, valuable data.  

A number of commentators have observed recently that the sharp uptick in ransomware attacks echoes a similar trend in the commercial airline industry decades ago.  As air travel became more prevalent, so did airplane hijackings.  From 1961-1972, there were 159 hijackings in American airspace alone, with the majority occurring between 1968-1972.  In November 1972, however, three men hijacked a commuter airplane and threatened to crash it into the atomic reactor at Oak Ridge National Laboratory in Tennessee.  Following that hijacking, the FAA implemented universal physical screening of passengers.  While today, it is difficult to imagine airline travel without rigorous security checkpoints, modern security protocols at any American airport would be unimaginable to the 1960s traveler. 

As the Atlantic Council observed in a recent analysis, a similar paradigm shift may be coming in the cybersecurity space.  Like airports of the 1970s, private businesses and government agencies alike must be more careful about who and what they let into their networks.  Whether at the airport or on your network, increased security protocols are disruptive and annoying (to say the least), but they may be necessary to help stem the tide of ransomware attacks.  And to enhance security protocols or otherwise limit the profitability of ransomware attacks, government agencies may need to act more aggressively.  For example, the Atlantic Council suggests “policy changes to force more defensible and secure design in widely used technologies,” somewhat akin to metal detectors at airports mandated after the spike in hijackings.  The Atlantic Council further suggests “better and consistent identification of core ransomware-group personnel . . . and escalating sanctions on these individual operators,” analogous to President Nixon’s ordered (but later abandoned) bombing of the Popular Front for the Liberation of Palestine’s positions in Jordan after the group hijacked four commercial aircraft.  Regardless of the specific policy proposal, simply encouraging targets not to pay is clearly not working.

It remains to be seen whether the government takes any lessons from the airline hijacking crisis in its efforts to address the ransomware threat companies face today—and if so, how those efforts will impact private entities—but there is no question that ransomware is a major focus of the Biden administration.  Just this week, the Department of Justice announced the arrest and indictment of two Ukrainian nationals accused of conducting ransomware attacks against multiple victims, most notably the IT-management software company Kaseya.

We will continue to monitor and report on developments in this area.