U.S. Executives Often Make Ransomware Payments, but Maybe Not For Long

As ransomware attacks have surged by more than 100% across the United States this year, C-suite executives have largely taken a common approach: pay the cyber criminals, seek reimbursement from their insurance providers and try to keep the episodes under wraps.

But corporate America’s strategy for handling the ransomware scourge isn’t tenable for the long-term, as the U.S. government increasingly views this digital piracy as a national security threat. Foreign hacking gangs have hit U.S. hospitals, oil pipelines and food companies in recent months, seriously damaging the American economy and undermining confidence in the country’s cyber defenses.

The Biden administration, in response, is currently discussing regulations that would limit the ability of companies to make ransomware payments and require them to report the crimes to federal and local law enforcement. A growing number of American states are also debating legislation that would seek to dry up funds for cyber criminals by outright banning many ransomware payments. Insurance companies, meanwhile, are drastically increasing the premiums they’re charging companies for their cyber policies.

In this context, executives, whether from Fortune 500 companies or smaller firms, are going to have to rethink their approach to ransomware in the years ahead. Simply hiding the attacks from investors, employees, customers and the government will increasingly not be an option. But a more transparent response presents its own threat to a company’s operations, brand and public profile.

The obstacles to making ransomware payments are clearly mounting:

U.S. Sanctions

Both the Biden and Trump administrations have stated that they view ransomware attacks as national security threats. As a result, they’ve begun formally sanctioning cyber criminals and gangs for their illicit work. These actions make it illegal for any American company or individual to make a payment to these groups.

This process started in 2016, when the Treasury Department formally designated Evgeniy Mikhailovich Bogachev, the creator of the Russian ransomware operation Cryptolocker. It continued with sanctions on Iranian, North Korean and further Russian entities, such as Evil Corp., which launched a string of attacks against American and European companies that caused at least $100 million in damage in 2018 and 2019.

But this sanctions list is expected to grow, especially as the Biden administration has signaled that it’s going to designate cryptocurrency companies that are involved in the payments to cyber criminals. Many ransomware assailants require their victims to make payments in cryptocurrencies, which are difficult to trace.

Federal and State Legislation

The Biden administration and a number of U.S. states are weighing executive orders and legislation to regulate ransomware payments. At a minimum, these actions will force companies to inform local and federal agencies that they’ve been targeted by cyberattacks. This could end the practice of American executives simply hiding cyber intrusions from the public, their employees and investors, and the press.

But some states, such as New York, Pennsylvania and North Carolina, are currently deliberating legislation to curb ransomware payments outright. These proposed bills are largely focused on blocking local government agencies and their contractors from making payments. Their argument is that the public’s money shouldn’t be used to pay criminals. But some lawmakers want to ban the payments from private companies too.

Insurance Payouts

The number of ransomware attacks in the U.S. and globally has exploded since the Covid-19 pandemic hit in early 2020 (https://bit.ly/3CGTSDN). Cyber criminals have exploited the remote work environment, and the relatively weaker defenses of employees’ home computers and personal devices, to access the data of major corporations and small- and medium-size businesses.

This sharp increase in attacks has placed enormous pressure on insurance companies that have continued to pay out on their cyber policies. This financial strain is leading these insurers to significantly raise the premiums on their policies. The chief executive of the American insurer AIG has cited a 40% increase in the cost to his clients in recent months, and the French global insurer AXA has announced that it will no longer cover ransomware payments for its clients at all.

The Debate

The debate over ransomware payments isn’t an easy one. Many cyber experts say outright banning them could cripple government agencies and major corporations, many of which simply don’t have the luxury of being offline for a prolonged period of time. Smaller firms might not have the funds to pay their attackers.

The ransomware attack in May on the Colonial Pipeline significantly impaired the delivery of gasoline and fuel to the southern United States. The international airports in Charlotte and Atlanta were particularly affected, and some flights leaving those cities were delayed. In the end, Colonial paid over $4 million to its cyber assailant.

But this growing scrutiny on ransomware should also place renewed pressure on companies of all sizes to improve their cyber defenses and better manage their data, which are good things. Today, it’s not a question of if a company’s going to get hacked, but when. And C-suite executives must engage partners in the proper crisis preparedness training to be ready for when it does happen.