It is rarely in the best interest of the victim to pay ransom! Although the narrative often is “Because they have no choice” or “It is to protect people from the leak.” This is a complete myth, and it tends to be advanced by those who have paid ransom before, as a way of covering their terrible and avoidable behavior. Nobody owns this untrue narrative more than the insurance underwriters who normalized this behavior.
The problem with something like ransomware is that most companies are willing to pay ransom, and as long as this remains true it will be a persistent problem and only get worse. Ransomware has become so entrenched and is so easy and cheap to pull off, it will not subside until it becomes substantially difficult to succeed in a ransomware attack and make money doing so. Unfortunately, there have been no efforts to reduce ransom payments.
It is important to never forget exactly what is paid for, with money American companies pay
(Source)
When ransomware gangs lock down a system, they are frequently the first people the victims hear from and they will do their best to instill fear, create panic and make the situation seem much worse than it is. They will often claim that they will soon delete the data or raise their price for restoration. Paying for data restoration is never necessary, if even the most basic of precautions have been taken to back up data, but that is often not the cast and 80% of organizations facing ransomware do not have adequate backups. The situation is common, though always avoidable, and at least half of ransom payments are motivated primarily by the need to release systems and have data returned, not to avoid it leaking.
In many cases, companies have felt it was more reliable or faster to pay ransom, and with gangs so skilled at instilling fear and manipulating American companies, it is not uncommon. In some cases insurers have even insisted that victims pay ransom against their will. HSB is one of the few that still does this, forcing victims to pay ransom even if they felt it was not necessary, simply because the insurance company felt it was cheaper or safer to do so. However, the practice has never gone away completely from most insurers. Because the claims staff frequently receive kickbacks, they will tell organizations they are best off paying, even when they are not.
Unfortunately, it is not cheaper or safer to do so, and this is especially true if you do have backed up data. The restored data is 100% assured to be contaminated with malware and backdoors and the incident response will be far worse off. Paying ransom almost doubles the average cost of cleaning up an incident in the end. It also dramatically increases the chances of future attacks.
But what about data exfiltration? Since 2020 many gangs have moved to a model where they extort companies over threats of releasing sensitive data, which will get the company fined, sued or simply take a severe reputational hit. On its surface this appears to be valid. After all, sensitive data can really cause a great deal of harm to people. Shouldn’t we pay the terrorists to protect people’s data?
No, because it does not decrease risk at all. The problem is that the lack of discussion, refusal to restrict ransom and the complete absence of leadership ownership has created a very stupid situation, where our own regulations and practices are causing institutions to shoot themselves in the foot, pay ransom and encourage further attacks. The problem, more often than not, is not that the release of information would harm anyone, but rather it is believed to be a lesser risk to pay versus face the uncertainty of lawsuits and fines.
Misguided and poorly applied public policy:
One of the ways that governments have tried to improve cyber security is through the enactment of “privacy laws” such as the EU’s GDPR, “General Data Protection Regulation,” which has caused a great more harm than good. The problem is that legislators have attempted to solve the cyber crisis by becoming excessively punitive on the companies that suffer data breaches. While they are always, at least in theory, copiable, this has not worked out well at all, since most companies are clueless as to what they can do to make their systems secure.
This is somehow seen as protecting the privacy of citizens or doing good for the world by holding the companies that maintain poor security accountable. The problem is you can’t punish someone into understanding something that they don’t know. We know that historically punitive enforcement has generally not worked well in these kinds of complex regulatory situations. It just does not work.
The problem is it creates a terrible incentive. Companies are now put in a position where they face a worse situation if they do not pay the extortion. In most cases, it would be far more helpful to waive the fine so that the companies do not pay the extortion, but this rarely happens. There is little clear-headed thinking on this issue. It’s taboo to even discuss.
Laws like the GDPR have been enacted in states across the US. Today having a data breach means you might face millions in penalties… or hundreds of thousands in ransom. For many the choice seems simple. In other cases, it’s just seen as the safer bet, and organizations are increasingly incentivized to not even report paying the ransom! This is absolutely terrible for law enforcement and situational awareness.
Repeated attempts to engage attorney generals on this important issue have fallen on deaf ears.
Fear of Litigation:
The other major fear of organizations is litigation. Due to the phenomena of social inflation and the American style of suing over everything, data breaches can cause huge lawsuits against companies. These suits are frequently disproportional to the actual harm anyone suffered. In fact, having your PII released in a data breach is rarely materially harmful to anyone. The problem is, of course, companies do not want to be sued and fear the unknown consequences it could cause.
Paying ransom may or may not reduce the chances that a company would be sued for a data breach, but the fact is it is not doing the world any favors to put organizations in this terrible situation. The answer is simple: because cyber security is a topic that is so confusing and unfamiliar to many courts, there must be an effort at tort reform, which would move data and cyber litigation to a court of special masters, which would be better equipped for the issues.
Unfortunately, there exists no lobbying or advocacy effort for this and a lot of lawyers like things the way they are.
General Desire to Do the “Safer” Thing or an Impression that it Reduces Risk:
This is a fairly toxic and misguided thought process but should be familiar to anyone who has worked in business. Organizations want to put the issue to bed, they want to move on and they want to be as sure as possible that it is behind them. They don’t want to take unnecessary risks. So, it might seem reasonable, at least in the moment that paying ransom is just the safer option or might be an “insurance policy” of sorts against the gang getting even more angry.
This is at least partially because it is made by people who are in a panic, who are unsure what the consequences are and who are being personally threatened. The fact is that it is rarely in the best interest of the organization to pay. For one thing, it never removes the risk that the data will be released and it often is anyway. Paying ransom dramatically increases the risks of being targeted again. In fact, it is the one most reliable indicator of risk of ransomware. If your company ever paid ransom before, expect to be attacked again and again and again.
Paying ransom increases the average cost of the incident by 150%. This has been proven, but many companies don’t seem to see it that way. They often think they are the one-off case that will be better off paying. They often fear the unknown or just are in a panic. It’s truly not hard to see how this can happen given the fear and opposition to unknown liabilities.
In these cases, insurance may contribute to the problem. There is definitely an effect of “May as well pay it” because the insurance does cover it. Additionally, it’s not uncommon for claims representatives to encourage payment of ransom as the fastest, cheapest way of closing out a claim.
Only Receiving Information and Advice from The Ransomware Gang:
It should be noted that most ransomware victims first contact with anyone who can give them advice is directly with the ransomware gang, most of whom now either employ English or use AI to facilitate communications. They are master manipulators and know the exact words to say that make companies pay ransom. They instill fear and bluff about the severity of the consequences. They frequently attack the victims personally, sometimes threatening their family. Ransomware gangs also have gone so far as to reach out to clients and customers with threats or even engage the news media. They even will report incidents to authorities.
These terrorists have all the dishonesty and ruthlessness of the Russian Mafia, because that is who they are. It’s absolutely chilling to think that organizations are left alone, with no guidance at all and the ransomware gang is the only on doing the talking and calling the shots. No organization should ever engage in discussions with ransomware gangs without first surveying the damage and considering their options carefully.
In this unregulated world, many also turn to “Russian Speaking Ransom Negotiation” services…..
……lets think about this for a second here. Yes, of course they are all in bed with the ransomware gangs!
Bribery and Kickbacks:
This is a very important thing that appears to be completely unknown to insurers, but kickbacks are very common in ransomware negotiations. When the negotiator is not the actual party paying the ransom, they are almost always offered a cut of the ransom in order to facilitate the highest payment possible. This is very true in insurance situations, but many seem to be unaware of it. It’s not uncommon for 1-10% of the ransom to be paid as a kickback to the negotiator who agreed to pay it.
One classic is a “Keep the change” scheme, which ransomware groups have reported used to sucker in claims staff at insurance companies. It works something like this: In the process of transferring bitcoins to the ransomware group, the individual is instructed to create several small test transactions between accounts. After they have transferred most of the money to the gang, they are told that they may keep access to the smaller test transfer account. Since this is completely unmonitored, it is hard to know how often it happens, but it is very common.
It is hard to be certain how often the claims staff of insurers receive direct kickbacks. It should be noted that cyber insurance receives almost no supervision by the leadership of insurance companies, and so it’s certain to happen from time to time, and likely with increasing frequency. There is strong circumstantial evidence that it is a regular occurrence with some insurers. The gangs themselves claim to do just that and laugh it off.
Those who work in cyber insurance are frequently the target of recruitment by ransomware gangs. This is done primarily on Discord, a service used primarily geared toward gamers and online communities, but also used by threat actors.
Potential Out and Out Fraud:
It is hard to know for sure how often cyber insurance fraud happens, and part of the reason is that insurance companies have done very little to check for it. What is known is that ransomware organization do offer companies the chance to volunteer to be infected in order to collect insurance payments, with kickbacks up to 50% for those who will submit to it.
It is also known that there has been a massive influence to recruit insiders and build partnerships with dishonest Americans.
So while it is certain that insurance fraud happens, it would be especially difficult to detect here, since insurers do not make an effort to verify that data exists before hand or properly qualify insurability. When protecting something as intangible as data in the cloud, fraud is inherently difficult to detect if you do not take steps preemptively.
It seems likely that ransomware gangs have staged quite a few cases of insurance fraud, with willing companies. They may also be doing so with shell companies. It’s possible they are regularly providing kickbacks to insurance claims staff. The problem is we have no way of knowing this due to the lack of concern.
Ransomware gangs providing “Insurance consulting service:”
It may shock some, but it is well documented that ransomware gangs offer a kind of “consulting service” for companies they victimize. They present themselves as a group that can aid the victim in getting their data back as soon as possible and without pain or cost by working with them to maximize the insurance payout. This is not only a thing that happens, but it is extremely common.
The level of disconnect between insurance leadership and ransomware experts is absolutely stunning, because it is unlikely many are even aware of this fact.
YES YOU READ CORRECTLY!
This is not at all uncommon. The hands-off approach and desire to not spend time on cyber insurance has lead to most carriers being completely oblivious to the fact that this happens!
Ransomware gangs are ruthless Russian criminals with no morals at all and bribery and kickbacks are part of the Russian way, so this should not actually be surprising.
Ransom gangs preferentially targeting those with cyber insurance should be unsettling. In many cases, insurers require that the insured do everything possible not to disclose that they have cyber insurance or what its limits are. This is unlikely to do much to resist risk. The extorsion gangs already have access to volumes of data from third parties, which will help them determine which companies have cyber insurance.
Since some organizations and industries now see it as mandatory, it’s not hard at all to figure out who has cyber insurance. In some cases it may be necessary to disclose things like insurance in regulatory filings or public audits, so trying to keep coverage under wraps is not a feasible way of reducing the risk of attack,
It known that cyber insurance is something that ransomware gangs are actively exploiting as a means of increasing profits. Some have given interviews, including the mastermind of the LockBit gang, who says his gang prefers targeting the US, where all large companies are fully insured. In a similar anonymous interview, this is what Revil (another notorious gang) had to say:
Do your operators target organizations that have cyber insurance?
Yes, this is one of the tastiest morsels. Especially to hack the insurers first—to get their customer base and work in a targeted way from there. And after you go through the list, then hit the insurer themselves.
But does it actually benefit anyone to pay ransom?
Addressing the cases of data leaking, but not necessarily data loss to encryption, which can always be avoided by backing up data properly.
Believe it or not no. Almost never does it benefit anyone to pay ransom and it certainly does not protect people’s privacy! Most data breaches involve extortion over the threat of releasing PII (Personally identifiable information) but the harm causes by this is badly overstated and the perceived safety of paying ransom is a false narrative. There are times when more sensitive information, such as trade secrets or sensitive medical or legal information. Perhaps the most dangerous is when the data breach contains login information, such as passwords, encryption keys or other security-related information, which can be leveraged to cause much more harm than the initial breach, multiplying the damage.
It is very important to note one thing: Ransomware gangs to no delete your data, no matter what. They keep it. It’s used for whatever they want and potentially to facilitate other ransomware. Gangs are not disciplined, and it’s not unusual for one of the gang members to go rogue and demand more money to avoid releasing data. In many cases, having data released is less harmful because it gets it over with and at least then we can tell whose identity might be at risk and financial institutions can actually flag it as higher risk.
Any data that can be used for getting into more systems will be used. It may be aggregated with other data and it may be traded between gangs. It may also still be sold as private information, though the source where they got the data will not be disclosed.
One thing is more important to understand: If you pay ransom and your data is not released, it probably will be when the gangs finally run out of victims.
In a future post, I will better explain why it is so useless and harmful to pay ransom. NO, it does not protect anyone. NO, it does not mean that it is over faster. NO, it is not cheaper. What actually happens is that the thugs who perpetrated the crime will never delete the data and use it for their own purposes, trading it and frequently releasing it anyway.
Do you, or should I ask does the cyber security industry, have any idea how much of this activity is supported by foreign states compared to purely criminal actors?
The majority of it is Russian, and that is where it started. That makes it hard to say whether it is just “state sanctioned” or “state sponsored.”
A couple of years ago, I would have said it was just state sanctioned, but did not necessarily get carried out by the state of Russia. For the most part, that’s still true, but ransomware funds the pro-russian militias and groups in Ukraine and the government may now use it more, due to sanctions.
A while ago, I read that the Wagner group had raised $175 million in funds for the Ukraine war from ransomware.
There is undoubtedly an increasing amount that is home grown, but the epicenter is Russia. Putin has always loved this and encouraged it. There is evidence that some of the Russian operatives are working with gangs. It has been used to attack a number of NATO countries.
However, while the Russia/Eastern Europe connection is hazy, other areas are more cut and dry:
North Korea has moved to funding its regime primarily with ransomware and it is paying for their nuclear program. This i a shift from previously using a lot of counterfeiting and drug sales on the international market. They don’t even bother trafficking fake prescription drugs anymore.
However, we see a minority of the problem from North Korea. Some, but for the most part, North Korea attacks Japanese and South Korean targets.
It is also used by the Islamic Jihad of Iran and affiliated groups: Hezbollah and the Hothi groups, which receive it through Iran.
It is less well connected to Hamas. It would not surprise me, but I have not seen a smoking gun on that.
Also, the Taliban. It’s not clear that they primarily attack the US however. For whatever reason they seem to mostly attack India and Pakistani targets.
A lot of this has to do with Putin’s efforts to destabilize US/Nato interests in the world.
https://www.csis.org/analysis/how-are-cyberattacks-fueling-north-koreas-nuclear-ambitions
https://www.cnn.com/2023/05/10/politics/north-korean-missile-program-cyberattacks/index.html
https://www.aha.org/news/headline/2024-07-26-north-korean-hacker-indicted-allegedly-extorting-us-hospitals-agencies-issue-cyberthreat-advisory
https://thehackernews.com/2024/08/us-agencies-warn-of-iranian-hacking.html
https://www.bloomberg.com/news/newsletters/2023-07-12/hack-blamed-on-wagner-group-had-another-culprit-experts-say
I suspected as much, the fact is we are in the middle of the Third World War and cyberspace is one of the theaters of combat along with disinformation, political tampering, and economic warfare. The sooner we collectively wake up to this and actively engage the better.
I don’t know if this is getting past the obvious concentration of attention on your own upcoming election, but it is becoming increasingly clear that the Conservative Party in Canada has been seriously compromised by India. This fact is now just about the only thing being discussed in Parliament at the moment with damning reports from CISIS and the RCMP that the leader of the Conservatives refuses to get security clearance to allow him to read. This avoids him being questioned under oath and being held accountable. Instead he is trying to force an election.
Sounds familiar, doesn’t it? The bald fact is our nations are under attack and we better start to defend ourselves seriously
In general, it does not benefit you to pay because it will never get you back your data any way other than contaminated. I can’t believe this is an issue, and I just don’t get why everyone does not back up. If you don’t just back up, you can expect this.
But as you talk about leakage, I think the point is that once the bad guys have the data, your not going to gain anything by paying, because they will likely come bac and you can’t trust them.
Didn’t United Health pay and the data was still leaked? That goes to show.
I like that you are going after the insurers directly. That’s good. I did not realize how bad they were, but I knew cyber insurance was a joke. It’s just too damn bad that they caused this and it is something most accept.
I think companies and most people just don’t care because of global warming, the election, the economy and all the other stuff they have to worry about.
Why do companies that don’t understand this sell the insurance? Can’t they insure cars or boats or something instead?
Companies pay ransom primarily because
A) They can. There are no restrictions
B) They are not prepared
C) They think it is safer
Whether or not they are safer, whether or not they have options does not enter the equation because they just want it over with.
Insurance companies will never restrict ransomware. Insurance is trying to make a profit off of cyber, and they want the risks to be high as long as the premiums are higher.
To be perfectly honest, I have given up on a career in cyber security and it is exactly because insurance has ruined the job market, and something does need to be done about it, but that is not my job.
it is honestly not a great career, these days. Being an AI developer, or any developer at all is a better deal, because insurance has decided to take over cyber security, and that simply means they would rather pay ransom, and I’m just saying I’d rather just not fight that/. They are shooting themselves in the foot, long run I think.