{"id":413,"date":"2024-10-29T23:49:48","date_gmt":"2024-10-29T23:49:48","guid":{"rendered":"https:\/\/cybersecuritysanity.com\/?p=413"},"modified":"2024-11-01T08:07:02","modified_gmt":"2024-11-01T08:07:02","slug":"why-is-ransom-paid-panic-perverse-incentives-and-bluffs","status":"publish","type":"post","link":"https:\/\/cybersecuritysanity.com\/?p=413","title":{"rendered":"Why is Ransom Paid? Panic, Perverse Incentives and Bluffs.\u00a0"},"content":{"rendered":"\n<p><strong>It is rarely in the best interest of the victim to pay ransom!  Although the narrative often is &#8220;Because they have no choice&#8221; or &#8220;It is to protect people from the leak.&#8221;  This is a complete myth, and it tends to be advanced by those who have paid ransom before, as a way of covering their terrible and avoidable behavior.  Nobody owns this untrue narrative more than the insurance underwriters who normalized this behavior.<\/strong><\/p>\n\n\n\n<p>The problem with something like ransomware is that most companies are willing to pay ransom, and as long as this remains true it will be a persistent problem and only get worse.&nbsp; Ransomware has become so entrenched and is so easy and cheap to pull off, it will not subside until it becomes substantially difficult to succeed in a ransomware attack and make money doing so.&nbsp; Unfortunately, there have been no efforts to reduce ransom payments.<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"683\" src=\"https:\/\/cybersecuritysanity.com\/wp-content\/uploads\/2024\/10\/AP22194581755905.jpg\" alt=\"\" class=\"wp-image-428\" srcset=\"https:\/\/cybersecuritysanity.com\/wp-content\/uploads\/2024\/10\/AP22194581755905.jpg 1024w, https:\/\/cybersecuritysanity.com\/wp-content\/uploads\/2024\/10\/AP22194581755905-300x200.jpg 300w, https:\/\/cybersecuritysanity.com\/wp-content\/uploads\/2024\/10\/AP22194581755905-768x512.jpg 768w, 
https:\/\/cybersecuritysanity.com\/wp-content\/uploads\/2024\/10\/AP22194581755905-450x300.jpg 450w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><\/figure><\/div>\n\n\n<p class=\"has-text-align-center has-small-font-size\"><strong>It is important never to forget exactly what is paid for with the money American companies pay<\/strong><br>(<a href=\"https:\/\/osce.usmission.gov\/response-to-moscow-mechanism-report-on-ukraine\/\" data-type=\"link\" data-id=\"https:\/\/osce.usmission.gov\/response-to-moscow-mechanism-report-on-ukraine\/\">Source<\/a>)<\/p>\n\n\n\n<p>When ransomware gangs lock down a system, they are frequently the first people the victims hear from, and they will do their best to instill fear, create panic and make the situation seem much worse than it is.\u00a0 They will often claim that they will soon delete the data or raise their price for restoration.\u00a0 Paying for data restoration is never necessary if even the most basic precautions have been taken to back up data, but that is often not the case, and 80% of organizations facing ransomware do not have adequate backups.\u00a0\u00a0 The situation is common, though always avoidable, and at least half of ransom payments are motivated primarily by the need to release systems and have data returned, not to avoid it leaking.<\/p>\n\n\n\n<p>In many cases, companies have felt it was more reliable or faster to pay ransom, and with gangs so skilled at instilling fear and manipulating American companies, it is not uncommon.&nbsp; In some cases insurers have even insisted that victims pay ransom against their will.&nbsp; HSB is one of the few that still does this, forcing victims to pay ransom even if they felt it was not necessary, simply because the insurance company felt it was cheaper or safer to do so.  However, the practice has never gone away completely from most insurers.  
Because the claims staff frequently receive kickbacks, they will tell organizations they are best off paying, even when they are not.<\/p>\n\n\n\n<p>Unfortunately, it is not cheaper or safer to do so, and this is especially true if you do have backed-up data.&nbsp; The restored data is 100% assured to be contaminated with malware and backdoors, and the incident response will be far worse off. Paying ransom almost doubles the average cost of cleaning up an incident in the end.&nbsp; It also dramatically increases the chances of future attacks.<\/p>\n\n\n\n<!--more-->\n\n\n\n<p>But what about data exfiltration?&nbsp; Since 2020 many gangs have moved to a model where they extort companies over threats of releasing sensitive data, which will get the company fined or sued, or simply cause a severe reputational hit.&nbsp; On its surface this appears to be valid.&nbsp; After all, sensitive data can really cause a great deal of harm to people.&nbsp; Shouldn\u2019t we pay the terrorists to protect people\u2019s data?<\/p>\n\n\n\n<p>No, because it does not decrease risk at all.&nbsp; The problem is that the lack of discussion, the refusal to restrict ransom and the complete absence of leadership ownership have created a very stupid situation, where our own regulations and practices are causing institutions to shoot themselves in the foot, pay ransom and encourage further attacks.&nbsp; The problem, more often than not, is not that the release of information would harm anyone, but rather that it is believed to be a lesser risk to pay versus face the uncertainty of lawsuits and fines.<\/p>\n\n\n\n<p><strong>Misguided and poorly applied public policy:<\/strong><br>One of the ways that governments have tried to improve cyber security is through the enactment of \u201cprivacy laws\u201d such as the EU\u2019s GDPR, the \u201cGeneral Data Protection Regulation,\u201d which has caused a great deal more harm than good.&nbsp; The problem is that legislators have attempted to solve the cyber crisis by 
becoming excessively punitive on the companies that suffer data breaches.&nbsp; While they are always, at least in theory, culpable, this has not worked out well at all, since most companies are clueless as to what they can do to make their systems secure.&nbsp;<\/p>\n\n\n\n<p>This is somehow seen as protecting the privacy of citizens or doing good for the world by holding the companies that maintain poor security accountable.&nbsp; The problem is you can\u2019t punish someone into understanding something that they don\u2019t know.&nbsp; We know that, historically, punitive enforcement has generally not worked well in these kinds of complex regulatory situations.&nbsp; It just does not work.<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"alignright size-full is-resized\"><img loading=\"lazy\" decoding=\"async\" width=\"800\" height=\"450\" src=\"https:\/\/cybersecuritysanity.com\/wp-content\/uploads\/2024\/10\/gdpr-logo.jpeg\" alt=\"\" class=\"wp-image-423\" style=\"width:363px;height:auto\" srcset=\"https:\/\/cybersecuritysanity.com\/wp-content\/uploads\/2024\/10\/gdpr-logo.jpeg 800w, https:\/\/cybersecuritysanity.com\/wp-content\/uploads\/2024\/10\/gdpr-logo-300x169.jpeg 300w, https:\/\/cybersecuritysanity.com\/wp-content\/uploads\/2024\/10\/gdpr-logo-768x432.jpeg 768w, https:\/\/cybersecuritysanity.com\/wp-content\/uploads\/2024\/10\/gdpr-logo-500x281.jpeg 500w\" sizes=\"(max-width: 800px) 100vw, 800px\" \/><\/figure><\/div>\n\n\n<p>The problem is it creates a terrible incentive.&nbsp; Companies are now put in a position where they face a worse situation if they do not pay the extortion.&nbsp; In most cases, it would be far more helpful to waive the fine so that the companies do not pay the extortion, but this rarely happens.&nbsp;&nbsp; There is little clear-headed thinking on this issue.&nbsp; It\u2019s taboo even to discuss.&nbsp;<\/p>\n\n\n\n<p>Laws like the GDPR have been enacted in states across the US.&nbsp; Today having a data breach means you 
might face millions in penalties\u2026 or hundreds of thousands in ransom.&nbsp; For many the choice seems simple.&nbsp; In other cases, it\u2019s just seen as the safer bet, and organizations are increasingly incentivized to not even report paying the ransom!&nbsp; This is absolutely terrible for law enforcement and situational awareness.<\/p>\n\n\n\n<p>Repeated attempts to engage attorneys general on this important issue have fallen on deaf ears.<\/p>\n\n\n\n<p><strong>Fear of Litigation:<\/strong><br>The other major fear of organizations is litigation.&nbsp; Due to the phenomenon of social inflation and the American style of suing over everything, data breaches can cause huge lawsuits against companies.&nbsp; These suits are frequently disproportionate to the actual harm anyone suffered.&nbsp; In fact, having your PII released in a data breach is rarely materially harmful to anyone.&nbsp;&nbsp; The problem is, of course, companies do not want to be sued and fear the unknown consequences it could cause.<\/p>\n\n\n\n<p>Paying ransom may or may not reduce the chances that a company would be sued for a data breach, but the fact is it is not doing the world any favors to put organizations in this terrible situation.&nbsp; The answer is simple: because cyber security is a topic that is so confusing and unfamiliar to many courts, there must be an effort at tort reform, which would move data and cyber litigation to a court of special masters that would be better equipped for the issues.<\/p>\n\n\n\n<p>Unfortunately, there exists no lobbying or advocacy effort for this, and a lot of lawyers like things the way they are.<\/p>\n\n\n\n<p><strong>General Desire to Do the \u201cSafer\u201d Thing or an Impression that it Reduces Risk:<\/strong><br>This is a fairly toxic and misguided thought process but should be familiar to anyone who has worked in business.&nbsp; Organizations want to put the issue to bed, they want to move on and they want to be as sure as possible that it 
is behind them.&nbsp; They don\u2019t want to take unnecessary risks.&nbsp; So, it might seem reasonable, at least in the moment, that paying ransom is just the safer option or might be an \u201cinsurance policy\u201d of sorts against the gang getting even more angry.<br><br>This is at least partially because the decision is made by people who are in a panic, who are unsure what the consequences are and who are being personally threatened.&nbsp; The fact is that it is rarely in the best interest of the organization to pay.&nbsp; For one thing, it never removes the risk that the data will be released, and it often is anyway.&nbsp; Paying ransom dramatically increases the risk of being targeted again. In fact, it is the single most reliable indicator of ransomware risk.&nbsp; If your company ever paid ransom before, expect to be attacked again and again and again.<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full is-resized\"><img loading=\"lazy\" decoding=\"async\" width=\"659\" height=\"457\" src=\"https:\/\/cybersecuritysanity.com\/wp-content\/uploads\/2024\/10\/appeasment.png\" alt=\"\" class=\"wp-image-414\" style=\"width:540px;height:auto\" srcset=\"https:\/\/cybersecuritysanity.com\/wp-content\/uploads\/2024\/10\/appeasment.png 659w, https:\/\/cybersecuritysanity.com\/wp-content\/uploads\/2024\/10\/appeasment-300x208.png 300w, https:\/\/cybersecuritysanity.com\/wp-content\/uploads\/2024\/10\/appeasment-433x300.png 433w\" sizes=\"(max-width: 659px) 100vw, 659px\" \/><\/figure><\/div>\n\n\n<p>Paying ransom increases the average cost of the incident by 150%.&nbsp; This has been proven, but many companies don\u2019t seem to see it that way.&nbsp; They often think they are the one-off case that will be better off paying.&nbsp; They often fear the unknown or are just in a panic.&nbsp; It\u2019s truly not hard to see how this can happen given the fear of and aversion to unknown liabilities.<\/p>\n\n\n\n<p>In these cases, insurance may contribute to 
the problem.&nbsp; There is definitely an effect of \u201cMay as well pay it\u201d because the insurance does cover it.&nbsp; Additionally, it\u2019s not uncommon for claims representatives to encourage payment of ransom as the fastest, cheapest way of closing out a claim.<br><\/p>\n\n\n\n<p><strong>Only Receiving Information and Advice from The Ransomware Gang:<\/strong><br>It should be noted that most ransomware victims\u2019 first contact with anyone who can give them advice is directly with the ransomware gang, most of whom now either employ English speakers or use AI to facilitate communications.&nbsp; They are master manipulators and know the exact words to say that make companies pay ransom.&nbsp; They instill fear and bluff about the severity of the consequences.&nbsp; They frequently attack the victims personally, sometimes threatening their family.&nbsp; Ransomware gangs also have gone so far as to reach out to clients and customers with threats or even engage the news media.&nbsp; They will even report incidents to authorities.<\/p>\n\n\n\n<p>These terrorists have all the dishonesty and ruthlessness of the Russian Mafia, because that is who they are.&nbsp; It\u2019s absolutely chilling to think that organizations are left alone, with no guidance at all, and the ransomware gang is the only one doing the talking and calling the shots.&nbsp; No organization should ever engage in discussions with ransomware gangs without first surveying the damage and considering their options carefully.<\/p>\n\n\n\n<p>In this unregulated world, many also turn to \u201cRussian Speaking Ransom Negotiation\u201d services\u2026..<\/p>\n\n\n\n<p>\u2026\u2026let\u2019s think about this for a second here.&nbsp;&nbsp;&nbsp; Yes, of course they are all in bed with the ransomware gangs!<\/p>\n\n\n\n<p><strong>Bribery and Kickbacks:<\/strong><br>This is a very important thing that appears to be completely unknown to insurers, but kickbacks are very common in ransomware negotiations.&nbsp; When the 
negotiator is not the actual party paying the ransom, they are almost always offered a cut of the ransom in order to facilitate the highest payment possible.&nbsp; This is very true in insurance situations, but many seem to be unaware of it.&nbsp; It\u2019s not uncommon for 1-10% of the ransom to be paid as a kickback to the negotiator who agreed to pay it.<\/p>\n\n\n\n<p>One classic is a \u201cKeep the change\u201d scheme, which ransomware groups have reportedly used to sucker in claims staff at insurance companies.&nbsp; It works something like this: In the process of transferring bitcoins to the ransomware group, the individual is instructed to create several small test transactions between accounts.&nbsp; After they have transferred most of the money to the gang, they are told that they may keep access to the smaller test transfer account.&nbsp; Since this is completely unmonitored, it is hard to know how often it happens, but it is very common.<\/p>\n\n\n\n<p>It is hard to be certain how often the claims staff of insurers receive direct kickbacks.  It should be noted that cyber insurance receives almost no supervision by the leadership of insurance companies, and so it&#8217;s certain to happen from time to time, and likely with increasing frequency.  There is strong circumstantial evidence that it is a regular occurrence with some insurers.  The gangs themselves claim to do just that and laugh it off.<\/p>\n\n\n\n<p>Those who work in cyber insurance are frequently the target of recruitment by ransomware gangs.  
This is done primarily on Discord, a service primarily geared toward gamers and online communities, but also used by threat actors.<\/p>\n\n\n\n<p><strong>Potential Out-and-Out Fraud:<\/strong><br>It is hard to know for sure how often cyber insurance fraud happens, and part of the reason is that insurance companies have done very little to check for it.&nbsp; What is known is that ransomware organizations do offer companies the chance to volunteer to be infected in order to collect insurance payments, with kickbacks up to 50% for those who will submit to it.<\/p>\n\n\n\n<p>It is also known that there has been a massive effort to recruit insiders and build partnerships with dishonest Americans.<\/p>\n\n\n\n<p>So while it is certain that insurance fraud happens, it would be especially difficult to detect here, since insurers do not make an effort to verify that data exists beforehand or properly qualify insurability.&nbsp; When protecting something as intangible as data in the cloud, fraud is inherently difficult to detect if you do not take steps preemptively.<\/p>\n\n\n\n<p>It seems likely that ransomware gangs have staged quite a few cases of insurance fraud with willing companies.&nbsp; They may also be doing so with shell companies.&nbsp; It\u2019s possible they are regularly providing kickbacks to insurance claims staff. 
The problem is we have no way of knowing this due to the lack of concern.<\/p>\n\n\n\n<p><strong>Ransomware gangs providing \u201cInsurance consulting service:\u201d<\/strong><br>It may shock some, but it is well documented that ransomware gangs offer a kind of \u201cconsulting service\u201d for companies they victimize.&nbsp; They present themselves as a group that can aid the victim in getting their data back as soon as possible and without pain or cost by working with them to maximize the insurance payout.&nbsp; This is not only a thing that happens, but it is extremely common.&nbsp;<\/p>\n\n\n\n<p>The level of disconnect between insurance leadership and ransomware experts is absolutely stunning, because it is unlikely many are even aware of this fact.  <\/p>\n\n\n\n<p class=\"has-text-align-center has-medium-font-size\"><strong>YES YOU READ CORRECTLY!<\/strong><\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"744\" height=\"221\" src=\"https:\/\/cybersecuritysanity.com\/wp-content\/uploads\/2024\/10\/Picture22.png\" alt=\"\" class=\"wp-image-421\" srcset=\"https:\/\/cybersecuritysanity.com\/wp-content\/uploads\/2024\/10\/Picture22.png 744w, https:\/\/cybersecuritysanity.com\/wp-content\/uploads\/2024\/10\/Picture22-300x89.png 300w, https:\/\/cybersecuritysanity.com\/wp-content\/uploads\/2024\/10\/Picture22-500x149.png 500w\" sizes=\"(max-width: 744px) 100vw, 744px\" \/><\/figure><\/div>\n\n\n<p><strong>This is not at all uncommon. 
&nbsp;The hands-off approach and desire to not spend time on cyber insurance has led to most carriers being completely oblivious to the fact that this happens!<\/strong><\/p>\n\n\n\n<p><strong>Ransomware gangs are ruthless Russian criminals with no morals at all, and bribery and kickbacks are part of the Russian way, so this should not actually be surprising.<\/strong><\/p>\n\n\n\n<p>Ransom gangs preferentially targeting those with cyber insurance should be unsettling.&nbsp; In many cases, insurers require that the insured do everything possible not to disclose that they have cyber insurance or what its limits are.&nbsp; This is unlikely to do much to reduce risk.&nbsp; The extortion gangs already have access to volumes of data from third parties, which will help them determine which companies have cyber insurance.<\/p>\n\n\n\n<p>Since some organizations and industries now see it as mandatory, it\u2019s not hard at all to figure out who has cyber insurance.&nbsp; In some cases it may be necessary to disclose things like insurance in regulatory filings or public audits, so trying to keep coverage under wraps is not a feasible way of reducing the risk of attack.<\/p>\n\n\n\n<p>It is known that cyber insurance is something that ransomware gangs are actively exploiting as a means of increasing profits.&nbsp; Some have given interviews, including the mastermind of the LockBit gang, who says his gang prefers targeting the US, where all large companies are fully insured.&nbsp; <a href=\"https:\/\/grahamcluley.com\/ransomware-gang-says-it-targets-firms-with-cyber-insurance\/\">In a similar anonymous interview, this is what REvil (another notorious gang) had to say:<\/a><\/p>\n\n\n\n<blockquote class=\"wp-block-quote is-layout-flow wp-block-quote-is-layout-flow\">\n<p><strong>Do your operators target organizations that have cyber insurance?<\/strong><\/p>\n\n\n\n<p><em>Yes, this is one of the tastiest morsels. 
Especially to hack the insurers first\u2014to get their customer base and work in a targeted way from there. And after you go through the list, then hit the insurer themselves.<\/em><\/p>\n<\/blockquote>\n\n\n\n<p><strong>But does it actually benefit anyone to pay ransom?<br><\/strong><strong>Addressing the cases of data leaking, but not necessarily data loss to encryption, which can always be avoided by backing up data properly.<\/strong><\/p>\n\n\n\n<p>Believe it or not, no.&nbsp; Almost never does it benefit anyone to pay ransom, and it certainly does not protect people\u2019s privacy!&nbsp; Most data breaches involve extortion over the threat of releasing PII (personally identifiable information), but the harm caused by this is badly overstated, and the perceived safety of paying ransom is a false narrative.&nbsp; There are times when more sensitive information is involved, such as trade secrets or sensitive medical or legal information.&nbsp; Perhaps the most dangerous is when the data breach contains login information, such as passwords, encryption keys or other security-related information, which can be leveraged to cause much more harm than the initial breach, multiplying the damage.<\/p>\n\n\n\n<p>It is very important to note one thing: Ransomware gangs do not delete your data, no matter what.&nbsp; They keep it.&nbsp; It\u2019s used for whatever they want and potentially to facilitate other ransomware.&nbsp; Gangs are not disciplined, and it\u2019s not unusual for one of the gang members to go rogue and demand more money to avoid releasing data.&nbsp; In many cases, having data released is less harmful because it gets it over with, and at least then we can tell whose identity might be at risk and financial institutions can actually flag it as higher risk.<\/p>\n\n\n\n<p>Any data that can be used for getting into more systems will be used. 
It may be aggregated with other data and it may be traded between gangs.&nbsp; It may also still be sold as private information, though the source where they got the data will not be disclosed.<\/p>\n\n\n\n<p><strong>One thing is more important to understand:&nbsp; If you pay ransom and your data is not released, it probably will be when the gangs finally run out of victims.&nbsp;<\/strong> <\/p>\n\n\n\n<p><strong>In a future post, I will better explain why it is so useless and harmful to pay ransom.  NO, it does not protect anyone.  NO, it does not mean that it is over faster.  NO, it is not cheaper.  What actually happens is that the thugs who perpetrated the crime will never delete the data and use it for their own purposes, trading it and frequently releasing it anyway.<\/strong><\/p>\n\n\n\n<p><\/p>\n","protected":false},"excerpt":{"rendered":"<p>It is rarely in the best interest of the victim to pay ransom! Although the narrative often is &#8220;Because they have no choice&#8221; or &#8220;It is to protect people from the leak.&#8221; This is a complete myth, and it tends &hellip; <a href=\"https:\/\/cybersecuritysanity.com\/?p=413\">Continue reading <span 
class=\"meta-nav\">&rarr;<\/span><\/a><\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"om_disable_all_campaigns":false,"_monsterinsights_skip_tracking":false,"_monsterinsights_sitenote_active":false,"_monsterinsights_sitenote_note":"","_monsterinsights_sitenote_category":0,"_uf_show_specific_survey":0,"_uf_disable_surveys":false,"footnotes":""},"categories":[6,26,31,3,5],"tags":[52,7,49,9,23,51,50,20,37,53],"class_list":["post-413","post","type-post","status-publish","format-standard","hentry","category-cyber-insurance","category-justice-system","category-loss-control","category-politics","category-ransomware","tag-crime","tag-cyber","tag-extortion","tag-insurance","tag-moral-crisis","tag-pay","tag-ransom","tag-risk","tag-risk-management","tag-victim"],"aioseo_notices":[],"jetpack_featured_media_url":"","_links":{"self":[{"href":"https:\/\/cybersecuritysanity.com\/index.php?rest_route=\/wp\/v2\/posts\/413"}],"collection":[{"href":"https:\/\/cybersecuritysanity.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cybersecuritysanity.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/cybersecuritysanity.com\/index.php?rest_route=\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/cybersecuritysanity.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=413"}],"version-history":[{"count":20,"href":"https:\/\/cybersecuritysanity.com\/index.php?rest_route=\/wp\/v2\/posts\/413\/revisions"}],"predecessor-version":[{"id":456,"href":"https:\/\/cybersecuritysanity.com\/index.php?rest_route=\/wp\/v2\/posts\/413\/revisions\/456"}],"wp:attachment":[{"href":"https:\/\/cybersecuritysanity.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=413"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cybersecuritysanity.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post
=413"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cybersecuritysanity.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=413"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}