Companies are increasingly choosing not to pay ransom for ransomware and extortionware due to the growing associated risks. In fact, a recent report by crypto-crime analyst firm Chainalysis found that payments to threat actors for ransomware and extortionware was down to about $456 million in 2022 from a peak of $765 million the prior year. Not only did the total payments drop, the Chainalysis report shows that, in 2019, 76% of victims paid the ransom, but by 2022, that number declined to just 41%.
Does this mean that we have seen an abatement in the problem of ransomware, or just that victims are simply refusing to pay ransom? The answer is more complicated, and reflects a new political, regulatory, and technological environment.
The Decline in Ransom Payments
A good deal of the decline in ransom payments reflects increasing pressure by U.S. regulators, including the SEC, the Treasury Department’s Office of Foreign Asset Control (OFAC), the FBI and others to discourage ransomware payments by requiring those who make such payments to report the payments promptly, to justify the making of these payments, and in some cases, to obtain a license from OFAC to transfer the funds. Additionally, the Russian invasion of Ukraine has led to the imposition of broad economic sanctions on Russian entities – prohibiting a host of financial transactions with Specially Designated Nationals (SDN’s). Thus, even when it makes economic sense for a US company victimized by ransomware that is tied to Russia to make a payment to have their data or networks released from attack, the US sanctions regime may prohibit the payment.
Another reason companies may not be paying ransom as often is the increase in enforcement and cooperation of law enforcement entities. Indeed, on Jan. 26, 2023, the FBI announced they had covertly infiltrated the Hive ransomware group, and disrupted their activities. The press release indicated the undercover operation meant that the agents had captured the network’s decryption keys and:
“Offered them to victims worldwide, preventing victims from having to pay $130 million in ransom demanded. Since infiltrating Hive’s network in July 2022, the FBI has provided over 300 decryption keys to Hive victims who were under attack. In addition, the FBI distributed over 1,000 additional decryption keys to previous Hive victims.”
Of course, if a company can obtain decryption keys for free from the FBI, the need to pay ransom becomes obsolete.
To Pay or Not to Pay
Companies facing threats of ransomware and extortionware (the threats to release sensitive information if a payment is not made) should preemptively take steps to ensure that they are prepared. These steps can mitigate the potential impact of ransomware and lessen the likelihood that payments will have to be made. These steps include:
1. Make Sure All Partners Execute and Enforce Data Security Agreements
A company is only as secure as its weakest link, which in today’s technological environment is the weakest partner. Companies need to “push down” not only the obligation to protect data and networks on any entity that has access to their data or networks, but also on cloud providers, technology providers, software developers and others. These agreements should set standards for security, require regular audits (and possibly third party audits), and compel the reporting of data breaches or significant security events.
2. Check Your Insurance
Most decisions about how to respond to ransomware/extortionware incidents are made by insurance companies working with Digital Forensics and Incident Response (DFIR) companies. These DFIR companies have broad experience dealing with ransomware threat actors, tracking wallets used, tools, and technologies, and can help make informed decisions about whether a payment is likely to result in a genuine decryption key or will make you more of a target for future attacks. But many so-called “cyber-insurance” policies do not cover ransomware, extortionware, and payments to threat actors. Many cover only “physical destruction” of data or networks – not logical destruction. KRE (Kidnap, Ransom and Extortion) policies may not cover cyber-extortion, and publicity policies may not cover threats to reveal corporate secrets stolen by threat actors. Policy limits and exclusions may also limit coverages. One critical part of ransomware preparedness is to have a thorough insurance policy review.
3. Network Security and Segmentation
Of course, the best way to prevent having to pay ransom is to prevent a ransomware/extortionware incident to begin with. This means ensuring that your networks, devices and configurations meet or exceed the current NIST Cybersecurity framework guidelines, and include continuous monitoring and evaluation. Network and device segmentation may mean that a malicious incident may impact only a portion of a network, which can be more easily recovered from than an entire network shutdown. Effective data encryption may mean that data that is “stolen” cannot be used or disseminated by the hackers, reducing the risk of extortion.
4. Backup, Archive and DR/BCP
Companies should have comprehensive Disaster Recovery/Business Continuity Plans that include the threat of ransomware. Simply backing up data on devices, networks, and cloud storage platforms may mean that data locked up by a ransomware attack can be restored or recovered relatively quickly – influencing the “pay/do not pay” decision.
5. Know the Legal/Regulatory Environment
Various laws and regulations impact the decision on whether to pay ransom or extortion. As noted, US Treasury rules on foreign transactions administered by OFAC prohibit a wide variety of financial transactions to specific entities, countries, or individuals. Indeed, OFAC also publishes lists of cryptocurrency wallets which have been involved in specific prohibited or criminal activity. Companies that pay ransom without working with OFAC (directly or through the FBI or USSS) do so at their own legal peril. Other Treasury regulations include various Anti-Money Laundering (AML) and Know Your Customer (KYC) regulations, as well as regulations that prohibit the use of unlicensed Money Transfer Agents (MTA’s), to facilitate ransomware or extortionware payments. Federal laws also prohibit payments that might facilitate criminal activity or provide “material support” to certain criminal organizations. The new federal Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA) and proposed SEC rules require both entities in the “critical infrastructure” or those that are publicly traded to report disruptive cyber incidents and further to justify the payment of ransom for ransomware or extortionware cases. Additionally, new SEC proposed guidelines on cybersecurity would require reporting to the SEC of any material cybersecurity event – including both a ransomware event and the payment of ransom – within four days.
The Bottom Line
Unfortunately, the issue of ransomware is not going away, and the number of incidents, and their impact, continues to increase. However, we are seeing a change in the overall willingness of companies (or their insurers) to pay a portion of the ransom – or pay the full ransom. This may reflect a maturity in the incident response process, a resiliency in the victim’s infrastructure, or a reluctance to run afoul of OFAC and other regulations. It may also reflect increased competition among ransomware threat actors such that they cannot sustain the multi-million dollar payments demanded in the past. Whatever the reason, companies still need to be resilient, responsive and ready.
