Call to ban ransom payments to cybercrime gangs

The multibillion-dollar racket in ransomware is being fuelled by corporate victims willing to pay the penalties

The Swedish grocery chain Coop closed most of its 800 stores after its cash register software supplier was hit by a ransomware attack. AP

Companies should be banned by law from paying ransoms to criminal gangs that attack their computer systems, said the former head of Britain’s cyber intelligence unit.

Ciaran Martin, who was chief executive of the National Cyber Security Centre, said the battle between authorities and gangs was heavily weighted in favour of the criminals, who were securing high returns for ransomware attacks with little risk.

Ransomware is a form of malicious software that blocks organisations’ access to vital files until they pay a ransom – usually in Bitcoin – in return for a key to unblock their systems.

Criminal cyber-operations are based mainly in Russia – out of reach of western law enforcement – and are believed to earn more than $1 billion a year through ransomware. The majority of the attacks are on businesses in the United States.

Attacks have surged in the past year, bolstered in part by criminals’ success in persuading victims to pay rather than face the potentially higher cost of having to rebuild systems, a process that could take months.

“I remain in favour of a ban in principle,” said Mr Martin, who led the agency from 2016 until last year. “I also don’t think it’s a panacea.”

Industry estimates suggest that between 10 and 33 per cent of victims pay the sums demanded.

Some companies pay up because they have taken out cyber insurance and know the insurer will take the hit. Companies also face pressure to settle quietly or face fines from data regulators because of the loss of sensitive customer details.

But news of successful pay-offs fuels the business case for the criminal technique, which has surged during the coronavirus pandemic.

There were at least 1,200 ransomware attacks by operators of 16 strains of the malware in 2020, according to a study by the London-based think tank the Royal United Services Institute. Victims from more than 60 countries were identified.

Mr Martin said during a Rusi webinar on Tuesday that the case for a ban was made by the world’s biggest meat producer, JBS, which last month paid $11 million to a Russian-based cybercrime unit identified as REvil to “prevent any potential risk for our customers”.

REvil has since been identified as the source of a $70m demand after an attack on an IT management software provider that led to the temporary closure of supermarkets in Sweden and public services around the world.

“I think that’s wrong,” Mr Martin said of the JBS payment. “I would find a way of banning that ... A month later, the same group is closing schools in New Zealand and disrupting Swedish villagers from buying food.”

But Jen Ellis, vice president of community and public affairs at cyber security agency Rapid7, said outlawing the payment of ransoms would drive the operation underground and any secret transactions would make victims more vulnerable.

“We need to know more about what is happening. People that make those payments have put themselves in the pocket of their attacker – and the attacker will keep coming back to them,” she said.

Ransomware attacks date back to the early 2000s but have increased in sophistication, scale and menace.

Some ransomware operators include a chat and support function for their victims. One group has started using paid Facebook adverts to increase the pressure on victims.

Experts have told of a rise in so-called “double extortion” attacks in which organisations are not only held to ransom to have their files unlocked, but are also threatened with the public release of sensitive data if they fail to pay up.

One of the most prominent ransomware attacks was against the foreign currency exchange Travelex. It ultimately cost the company more than £25 million ($34.5m).

The company, then owned by financial services company Finablr, subsequently fell into administration with the loss of 1,300 jobs.

Colonial Pipeline, a US oil network, was shut down in May after being hacked, sparking panic buying and a sharp rise in petrol prices.

In a meeting with Vladimir Putin last month, US President Joe Biden raised the prospect of a cybersecurity agreement between the two countries, with 16 sectors off-limits to attackers to “bring some order” to the lawless environment.

Updated: July 06, 2021, 6:01 PM