What if we made ransomware payments illegal?


The September 2023 ransomware attacks against Las Vegas casinos are a great opportunity to examine the challenges enterprises face when they are attacked by ransomware.

In a sort of “Choose Your Own Adventure” version of addressing the problem, while Caesars reportedly paid a $15 million ransom to the perpetrators (Scattered Spider) and quickly returned to normal operations, MGM chose not to pay the same group when they were attacked. MGM’s choice, while aligned with the U.S. Government’s stance on ransomware payments, resulted in 10+ days of impact to MGM that generated a reported loss of $100 million.

It doesn’t take a math whiz to realize that the choice Caesars made was $85 million less expensive than the route MGM took, and that’s before accounting for whatever losses were covered by their cyber insurance policy.

With that in mind, why does the federal government still strongly advise against paying the ransom? Answer: The government (FBI) focuses on the big picture, not any single event. Paying ransom addresses an immediate problem, while not paying ransom exponentially increases the immediate pain. The former focuses on one’s own needs as a company or security practitioner, while the latter requires accepting the consequences of upholding a policy that’s in everyone’s best interest.

The divergent responses to the casino attacks demonstrated that not everyone will accept a bigger loss to uphold a greater good. We can’t expect to address that through volunteerism, particularly when quarterly profits are the most important metric for profit-making companies. The leaders get paid for meeting that metric. When our eyes are focused on short-term goals, long-term needs are subordinated, and business leaders don’t willingly make decisions that require them to suffer for the benefit of others.

Since cybercriminals are motivated almost exclusively by money, if they know organizations are willing to pay ransom to regain access to their systems and data – even without guarantees the criminals will deliver on those promises – they have a perpetually strong business model. When we also consider that there are at least 100 active ransomware gangs ranging from…

Source…