There’s no easy fix to the worsening ransomware epidemic

Ransomware attacks will continue as long as criminals find them profitable — but cutting off this revenue stream is easier said than done, according to experts speaking during an Aug 25 Institute for Security and Technology (IST) panel.

Policymakers need to work to reduce the frequency with which ransomware sufferers give in to extortion demands, but should avoid jumping straight to banning payments, panellists suggested.

Lawmakers instead may need to start by putting in place a variety of progressive steps that discourage many payments and blunt the pain that victims, and those who depend on them, are likely to experience as they try to resist giving in to cyber criminals.

During the discussion, panellists examined factors that make certain victims most likely to pay and the measures that gradually reduce ransomware’s appeal to attackers.

Need versus caution

Victims may know that paying ransom means rewarding criminals and funding their future exploits, but those who — accurately or not — see it as the quickest or most affordable way to get up and running again may still feel compelled to hand over the money.

Disruptions to health-care providers and utilities’ operations can put lives at risk, prompting these firms to pay up in hopes of more quickly restoring their systems. Small family businesses, too, are likely to feel pressure to give in because they rarely have the finances to survive temporary closures without shutting down for good, said Jen Ellis, IST Ransomware Task Force working group co-chair.

“For them, a ransom incident can mean an end-of-business event. If you don’t pay, you have no recourse,” Ellis said. “If they can’t recover their business and do so quickly, they’re done, they’re sunk.”

On the flip side are better resourced companies that hand over ransom without fully exploring other options. Josephine Wolff, associate professor of cybersecurity policy at Tufts University’s Fletcher School, viewed Colonial Pipeline as one of these, stating that its choice to shut down systems following a ransomware attack seemed to be driven from “an excess of caution” rather than true…