A New Zealand-based cybersecurity company has come up with a painful but elegant solution to the problem of ransomware: make it illegal to pay it.
Emsisoft released a report on Tuesday that said hackers used ransomware to assault over 2,000 hospitals, schools and governments in the United States in 2023. Additionally, many more had been indirectly impacted through attacks on supply chains.
Emsisoft says that the severity of the response is justified because of the death toll caused by ransomware.
Estimates state ransomware is responsible for the death of approximately one American per month between 2016 and 2021. The longer the ransomware problem persists without a solution, the greater the number of people it will claim as victims. Additionally, the economic and societal harms inflicted will persist as long as the issue remains unresolved.
The argument is that criminals will cease attacking critical infrastructure providers like hospitals, utilities and schools if they knew it wasn’t going to help pad their bottom line.
“Current counter-ransomware strategies amount to little more than building speed bumps and whacking moles,” said Brett Callow, a threat analyst for Emsisoft.
“The reality is that we’re not going to defend our way out of this situation, and we’re not going to police our way out of it either. For as long as ransomware payments remain lawful, cybercriminals will do whatever it takes to collect them.”
Callow says that the only remaining solution is to provide a financial disincentive by making it illegal to pay ransomware demands. Until now, governments have refrained from introducing bans, likely because of their concerns about the potential impact on victims.
Read more: ‘Gay furry hackers’ hack into nuclear power labs network to ransom employee records
Read more: Terminally ill cybersecurity expert pleads guilty to hospital hack
No easy solution to ransomware problem
According to a 2021 ransomware task force report, the difficulty arises in finding a practical way to implement a ransom payment ban. This is due to the lack of cybersecurity readiness in various sectors and organizations worldwide.
The ransomware task force is a group effort from multiple high profile silicon valley tech companies including Microsoft Corporation (NASDAQ: MSFT) and Palo Alto Networks (NASDAQ: PANW).
Ransomware attackers can easily launch attacks with minimal risk, and such a ban might not deter them. Instead, they may continue their attacks and target more essential organizations like healthcare providers, local governments, and critical infrastructure operators to increase pressure.
Last year, 48 countries, including Canada and the U.S., agreed that their national governments should not comply with ransomware demands. The countries reached this conclusion at the end of the third annual meeting of the International Counter Ransomware Initiative (CRI) in Washington.
Palo Alto Networks surveyed IT professionals at 1,000 organizations with between 100 and 1,000 employees, and discovered that mid-sized Canadian companies effected by ransomware reported making an average payment of over $1 million in 2023.
The Canadian Ransomware Barometer revealed that although the volume of ransomware attacks in Canada had decreased since the last survey conducted two years ago, the average ransom paid was $1.13 million, marking a 150 per cent increase from 2021.
Among the businesses that paid ransoms, just over half of them paid amounts exceeding $500,000, whereas in 2021, only 29 per cent paid more than that amount.
The percentage of respondents reporting ransomware attacks on their firms remained relatively consistent, with 35 per cent experiencing such incidents this year, compared to 37 per cent in 2021.
.
Follow Joseph Morton on Twitter
joseph@mugglehead.com
