Would banning ransomware insurance stop the scourge?

Ransomware attacks are costing businesses and governments billions of dollars and putting people's lives at risk – in some cases, reportedly causing their deaths. No one disputes that this particularly heinous brand of cybercrime is a scourge across societies. But eliminating the problem, or even putting a dent in it, has …

  1. Reiki Shangle
    WTF?

    Preemptive strikes with Liberationware (TM)

    1. Find points of entry. Zero-day, social, technical, insider, etc.

    2. Install firewalls, close ports, update passwords after installing a password manager and communicate access to known trusted parties.

    3. Inconvenient? Perhaps, it’s a pain to have to use a password manager. But is it? I’ve used 1Password for more than a decade and it’s essential, simple, and it even makes Passkeys usable.

    Ransomware problems stem from organisation and training failings. There’s no excuse for treating confidential customer and patient data like this.

    And don’t start me on the scam that’s called The Insurance Industry.

    1. IGotOut Silver badge

      Re: Preemptive strikes with Liberationware (TM)

      Congratulations on making your one person experience scale to 100,000 people.

      Oh wait, you didn't.

    2. An_Old_Dog Silver badge

      Why Would I Trust ...

      * A password manager I didn't write myself?

      * A password manager I did write myself, if that code has not been reviewed by knowledgable and competent programmwrs?

      Without you re-reading this post, did you spot the typo above?

  2. LVPC

    Ban paymentz, ends financial incentives for crooks

    This has been obvious for years. The payments fund criminal activity, often fund terrorism, and keep people from having a responsible WORKING backup strategy.

    It would also reduce collecting and storing unnecessary data, making for less desirable targets.

    1. Anonymous Coward

      Money makes the world go round

      No financial incentive - no criminal action. Why bother.

      In case of cyber terrorism, get compensation by new tariffs, asset freezes, sanctions, or military assistance for their adversaries. There is no other way when someone declares a war.

      Announce the date and ban ransomware payments. Yesterday!

    2. Anonymous Coward

      Ransomware offers evil countries plausible deniability: "Oh, we are doing it just for money". While it is both: for terror and for money.

      When not from the evil countries, bad actors do simple risk/reward assessment. Why risk, when there is no reward?

  3. Throatwarbler Mangrove Silver badge
    Holmes

    Also ban cryptocurrency

    Or at least put some hefty control around it the way we do with "fiat" currency.

    1. O'Reg Inalsin

      Re: Also ban cryptocurrency

      I think it would be nearly sufficient to disallow banks and brokerages from transacting or managing crypto.

      1. Anonymous Coward

        Re: Also ban cryptocurrency

        You fools. I'm sure the global drug cartels have enough paper money, of every denomination and national currency to become a shadow world bank for every criminal organisation on the planet.

        1. Throatwarbler Mangrove Silver badge
          FAIL

          Re: Also ban cryptocurrency

          The problem is not the form the money takes, it's how it gets transferred. Paying a ransom in physical currency or currency-equivalents means that there must be a physical transfer of assets which can be surveilled, making it high work. Conventional electronic banking transfers are subject to intense scrutiny when large amounts of money are involved, and banks in first world countries are subject to stringent regulations to avoid funding criminal enterprises and terrorism (which is not to say that "reputable" banks such as Deutsche Bank haven't been caught engaging in shenanigans). This leaves crypto currency as the money transfer medium of choice for the enterprising crook, since it can readily be transferred across national borders with no oversight, allowing criminals to collect their ill-gotten gains without fear of legal consequences.

          From my own experience, it's a safe bet that anyone involved in crypto is engaging or intends to engage in criminal activity or fraud.

          Also: "you fools"? Are you ... are you going to DESTROY US ALL?!

          1. Dimmer Silver badge

            Re: Also ban cryptocurrency

            One of the largest losses I have worked on was due to redirecting payment funds.

            The bank it went to was a US registered internet bank.

            There was no way to contact them unless you had an account with them. No phone numbers anywhere.

            “it's a safe bet that anyone involved in crypto is engaging or intends to engage in criminal activity or fraud.”

            Sorry, from my experience and the IRS (that has profited more than anyone) that is not the case.

            People are sinking money into crypto, gold and silver to hedge against inflation. They are just trying to keep the value that they have earned. May not be the best, but if you can come up with something it will kill crypto overnight.

        2. lglethal Silver badge
          Stop

          Re: Also ban cryptocurrency

          Tell me how a corporation wanting to buy crypto to pay a ransomware demand will contact a drug cartel?

          And since the corporation would be transferring money from a bank with stringent reporting requirements, the transaction would likely be blocked or at the very least reported as highly suspicious to the authorities. The corporation would then likely find itself under investigation for sanction busting and other financial shenanigans, and that's the sort of thing that punishes the C-Suite rather than just the firm. So let's face it, it's not going to happen.

          You're right, blocking Crypto won't stop the drug cartels operating amongst themselves, BUT it will stop regular victims from easily getting hold of the crypto needed to pay the ransomware demands. If victims literally can't pay, then the whole Ransomware scheme falls apart. Then you are forced to go back to Money mules, and high risk local operations. Ransomware would become a shadow of what it is now, if you cut off the easy access to Crypto for the victims...

          1. Brad Ackerman

            Re: Also ban cryptocurrency

            It happens more often than you'd think. The Mexican cartels had cash boxes custom made for HSBC's teller windows, and the bank knew since at least 2008. OFAC dicked around until 2012, HSBC eventually paid $2.5B, which although several times their money-laundering profits apparently wasn't enough because they keep getting fined for control deficiencies. Time for DoJ and CPS to get off their asses and put the CEO/CLO/CFO in jail. A few billion dollars of someone else's money may not get bankers' attention, but a few years at FCI Ray Brook or HM Prison Wormwood Scrubs definitely will.

        3. Wang Cores

          Re: Also ban cryptocurrency

          "You fools?" Are you going to declare your allegiance to the dark lord next?

    2. Marty McFly Silver badge
      FAIL

      Re: Also ban cryptocurrency

      How would you ban cryptocurrency? It is designed so that it cannot be banned, controlled, or otherwise manipulated by government. Only way to actually block cryptocurrency is to shut off all computers & dismantle the Internet. A few global EMPs could do that, but that would also send everything else back to the stone age too, so who cares about cryptocurrency then?

      Are you going to try and make it illegal to own cryptocurrency? Maybe try to confiscate it? It cannot be proven that I own any in the first place. My seed phrase is "I forgot".

      Cryptocurrency represents the biggest threat ever to government power because they cannot control or manipulate it.

      1. Yet Another Anonymous coward Silver badge

        Re: Also ban cryptocurrency

        You can make it very difficult to exchange crypto for USD.

        Sure, I can always post $100 bills to a PO Box in the Narnia Virgin Isles and hope to get crypto. But if it's illegal to buy it then it's hard for a public company to pay $M in ransom with Bitcoin

  4. DS999 Silver badge

    I've been saying this ever since I first heard of ransomware insurance

    If they had done it back then, the ransomware industry would have never grown beyond 1% of its current size, and would be almost non-existent today if they followed up the ban on ransomware insurance with a ban on paying ransom. We wouldn't have had all the hospital attacks, because once the funding stream was cut off the ransomware criminals would have found something else to do to get paid.

      1. Anonymous Coward

      Re: I've been saying this ever since I first heard of ransomware insurance

      "followed up the ban on ransomware insurance with a ban on paying ransom"

      Yeah, sure. In a capitalist society, would the board prefer to pay $10 million for a decryption tool, or to spend $1.4 billion restoring systems?

      Would a hospital prefer to let 10 people die without surgery?

      Would a casino prefer to stay 2 weeks closed? And lose millions in the process?

      Don't think so.

      1. lglethal Silver badge
        FAIL

        Re: I've been saying this ever since I first heard of ransomware insurance

        It's not an either/or situation. Paying the $10 million MIGHT get you a working Decryption Tool (just as likely not), but you're still going to need to spend an absolute shit ton on completely redoing your system, so that you can't/won't be attacked again. Anyone who doesn't assume that the attackers have left a back door in place so they can come back in in 6 months time (under another name of course) is an idiot of the highest calibre. Therefore, you're hiring a team to come in and a) reinstall every computer from scratch to a new clean setting, b) redesigning your entire security apparatus so that you can't be broken into again, and then c) hiring another team to try and find the backdoors left behind.

        Maybe if you're lucky it's not going to cost you the full $1.4 billion to do all that, but it's going to be pretty close. The only thing the $10 million buys you, maybe, is to get up and running again faster. But you're up and running again faster with a system that has been demonstrated to be weakly secured. Good luck not getting a follow up attack within the first month of being open again...

        1. Anonymous Coward

          Re: I've been saying this ever since I first heard of ransomware insurance

          "Good luck not getting a follow up attack within the first month of being open again"

          Some businesses do not have the option to stay closed. Oil pipelines, hospitals, casinos, banks, critical infrastructure in general.

          As to whether the decryption tool works or not, provide samples to be decrypted, so you know you are talking with serious businessmen.

          Meanwhile, while up and running, rebuild your infrastructure.

          1. MyffyW Silver badge

            Re: I've been saying this ever since I first heard of ransomware insurance

            Put in place immutable backups; it's way cheaper than paying a ransom.

            1. Yankee Doodle Doofus Bronze badge

              Re: I've been saying this ever since I first heard of ransomware insurance

              And if the attackers are in your network for 6 months before encrypting everything and demanding a ransom (very common)? You have to restore to a backup from 7 months ago (assuming you still have one that old). For many businesses, paying the ransom will be cheaper than losing half a year's worth of data.

              1. Yankee Doodle Doofus Bronze badge

                Re: I've been saying this ever since I first heard of ransomware insurance

                Hmm... One thumb down on my above comment. Did I say something dumb? It wouldn't be the first time, but I'm guessing it's more likely that someone who put all their cybersecurity eggs in the immutable backup basket didn't like my pointing out the flaw in their strategy.

              2. Claptrap314 Silver badge

                Re: I've been saying this ever since I first heard of ransomware insurance

                First, no one would ever pay the ransom, unless it was cheaper than restoring operations. I'll let you figure out why.

                Second, my backups ARE locked for more than six months. When the review completes, it will probably be for six years.

                1. Yankee Doodle Doofus Bronze badge

                  Re: I've been saying this ever since I first heard of ransomware insurance

                  You are ignoring the consequences of losing 6 months of data. Who purchased our products in the last 6 months? Did we deliver? How much did we charge them? Did they pay us? What payments did existing customers make in the last half-year? For some businesses, the cost of losing this data could be WAY more than the ransom.

                  1. Yankee Doodle Doofus Bronze badge

                    Re: I've been saying this ever since I first heard of ransomware insurance

                    And to clarify, I'm not arguing against banning ransomware payment. I actually think it's a good idea. I'm just pointing out why some businesses would find it cheaper to pay than to lose a bunch of data when restoring a months-old backup.

                  2. LVPC

                    Re: I've been saying this ever since I first heard of ransomware insurance

                    What, you only back up every 6 months?

                    A ransomware attack only makes the data unreadable. If they had been doing significant alterations of data over the last 6 months, there would be signs - payments and receipts not balancing, for one thing. Lost customers, inventory being off.

                    People would notice long before your 6 months was up.

                    1. Yankee Doodle Doofus Bronze badge

                      Re: I've been saying this ever since I first heard of ransomware insurance

                      "What, you only back up every 6 months?"

                      If you had been reading the entire comment thread, you would have seen that 6 months is the time I mentioned that intruders are often in the system before they encrypt and demand payment. If they were in your system 6 months ago, and you restore to a 1 week old backup, THEY ARE STILL IN YOUR SYSTEM.
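The retention argument in this sub-thread (restoring a one-week-old backup after a six-month intrusion puts the attacker straight back, while an immutable copy that predates the dwell time costs months of data) can be checked with a small retention model. This is an added example, not code from the original page or from any commenter; the grandfather-father-son schedule, the dates, and the six-month intrusion estimate are constructed for illustration.

```python
from datetime import date, timedelta

# Constructed scenario (not from the page): the last backup ran on
# 2024-08-31, files were encrypted on 2024-09-01, and the forensic
# estimate puts the intruder's first access roughly six months earlier.


def gfs_snapshots(last_backup: str, daily: int = 7, weekly: int = 4,
                  monthly: int = 12) -> list[str]:
    """Snapshot dates kept under a grandfather-father-son retention schedule.

    Dailies cover the last `daily` days, weeklies go back `weekly` weeks and
    monthlies go back `monthly` periods of 30 days (a simplification of
    calendar months). Dates are returned as sorted ISO strings.
    """
    end = date.fromisoformat(last_backup)
    keep = set()
    for i in range(daily):
        keep.add(end - timedelta(days=i))
    for i in range(weekly):
        keep.add(end - timedelta(weeks=i))
    for i in range(monthly):
        keep.add(end - timedelta(days=30 * i))
    return sorted(d.isoformat() for d in keep)


def restore_plan(snapshots: list[str], intrusion: str, encryption: str) -> dict:
    """Pick the newest snapshot that predates the estimated intrusion.

    Every snapshot taken on or after the intrusion date may already carry the
    attacker's persistence (added accounts, scheduled tasks, implants), so it
    is counted as tainted rather than offered as a restore base. The data-loss
    window runs from the clean base to the encryption event.
    """
    intrusion_d = date.fromisoformat(intrusion)
    encryption_d = date.fromisoformat(encryption)
    clean = [s for s in snapshots if date.fromisoformat(s) < intrusion_d]
    tainted = len(snapshots) - len(clean)
    if not clean:
        return {"clean_base": None, "data_loss_days": None,
                "tainted_snapshots": tainted}
    base = max(clean)  # ISO strings sort chronologically
    return {
        "clean_base": base,
        "data_loss_days": (encryption_d - date.fromisoformat(base)).days,
        "tainted_snapshots": tainted,
    }


if __name__ == "__main__":
    intrusion, encryption = "2024-03-05", "2024-09-01"
    # Policy A: a month of short-lived snapshots only.
    short = gfs_snapshots("2024-08-31", daily=7, weekly=4, monthly=0)
    print("short retention:", restore_plan(short, intrusion, encryption))
    # Policy B: the same schedule plus twelve monthly snapshots.
    gfs = gfs_snapshots("2024-08-31", daily=7, weekly=4, monthly=12)
    print("GFS retention:  ", restore_plan(gfs, intrusion, encryption))
```

Policy A has no snapshot older than the intrusion, so there is no clean restore base at all; Policy B finds one from early March, at the price of about six months of data, which is exactly the gap the commenters are arguing over. The model only works if the intrusion date comes from an actual investigation, and even a clean base still needs the rebuild, credential reset and backdoor hunt described earlier in the thread before it goes back into production.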

        2. big_D Silver badge

          Re: I've been saying this ever since I first heard of ransomware insurance

          At a previous place I worked, the Verfassungsschutz (Federal Office for the Protection of the Constitution) turned up and had a word with the IT Director. The details for one of our servers had turned up on a dark web forum.

          Their advice was to remove the server at once and build a replacement, they couldn't guarantee that it hadn't been infected, including not having the UEFI tampered with. They took it for analysis and then shredded it.

      2. Phil O'Sophical Silver badge

        Re: I've been saying this ever since I first heard of ransomware insurance

        "would the board prefer to pay 10$ million for a decryption tool, or to spend $1.4 billion restoring systems?"

        That's not the only choice.

        Ban the payment of the ransom, make an example of a few companies that still pay, and maybe the rest will finally figure out that paying $100m or so to secure their systems properly is the best option of all.

        1. werdsmith Silver badge

          Re: I've been saying this ever since I first heard of ransomware insurance

          Definitely not the only choice.

          $10 million for a ransom (with no guarantee of success), or $1.4 billion restoring systems.

          Or $5 million on defensive infrastructure.

            1. Anonymous Coward

            Re: I've been saying this ever since I first heard of ransomware insurance

            > Or $5 million on defensive infrastructure.

            The predictable (and wrong) response from the Big Wheels: "But what if we aren't attacked? Then we wasted $5M!!"

            Never underestimate the irrationality of the corporate class.

      3. Wang Cores

        Re: I've been saying this ever since I first heard of ransomware insurance

        Good thing we still have some ability to regulate that impulse in. And perhaps if that regulatory power was exercised prior to this we wouldn't need to use it now.

      4. Brad Ackerman

        Re: I've been saying this ever since I first heard of ransomware insurance

        That's $10M of the company's money for (maybe) a decryption tool plus more money than they've got (personally) and five or ten years as a guest of the Bureau of Prisons for conspiracy to finance a designated entity. And if the US administration catches a clue, all ransomware operators will be so designated immediately upon discovery that they exist. (If for some reason one of them consists of US persons, they just need to prove their location to OFAC and the designation will be withdrawn. They'll immediately be charged with all the 1030 violations, but they won't be a designated entity anymore.)

        The people who need surgery will get it. The casino will stay closed and the executives will face a shareholder lawsuit for neglect of duty, but they'll happily take that over jail and personal fines.

      5. DS999 Silver badge

        Re: I've been saying this ever since I first heard of ransomware insurance

        "spend $1.4 billion restoring systems"

        How far up your ass did you have to dig to pull out that ridiculous number?

        None of those things would have happened if they had banned paying/insuring against ransomware five years ago, because it would earn no profit for the guys doing it. Worst you can argue is that there are some negative effects in the short term, but once no one is paying ransom the scumbags doing it will be forced to give up.

        The situation we have now is as if we had armed gangs walking into a dozen banks a day holding everyone hostage and threatening to either kill the hostages or burn all the bank records unless the bank pays them what they demand in crypto - though sometimes after getting paid off the robbers might still burn the records or even kill a few hostages. The obvious solution to this would be to ban banks from paying ransom, so that type of crime no longer paid. But you'd say "what about the banks that would have their records burnt, and a few hostages that might die?" during the period of transition before the robbers realized things had changed and that type of crime no longer paid.

        You're ignoring that the harm from ransomware will continue (and likely grow) forever if we follow your dumb plan - causing far more economic harm and far more hospital deaths than we'd endure during the transition time before the ransomware criminals realized everyone was obeying the ban and they were no longer making any money.

      6. VicMortimer Silver badge

        Paying should be a CRIME

        What if the choice is pay $10 million and everyone who had the ability to choose not to pay spends a year in prison, is fined $5 billion, and is prohibited from being an executive or board member in a publicly traded corporation for life?

        Paying ransom should be a CRIME. CEOs who pay or contract with 'negotiators' should go to prison.

        And for hospitals - their contingency plan MUST include an "all systems are down" option that allows them to continue to operate. If the compromised systems include patient-contact systems actually in the operating room (which should NEVER happen, why were those not airgapped?!??!!!), then the contingency might be "Call the helicopters and fly these patients out of here!" otherwise it's "Grab a paper notepad and keep the surgeries going!"

        Screw the casino. If they pay the ransom, they go straight to jail.

  5. Anonymous Coward

    I guess she's saying that law enforcement is pathetic

    Otherwise, she wouldn't need to suggest this type of change, would she?

    1. doublelayer Silver badge

      Re: I guess she's saying that law enforcement is pathetic

      When you have a plan for having a law enforcement body with the ability and power to find people who are hiding well, whose organization, ringleaders, and many of the participants are in a country that is unwilling to extradite or even investigate them, and who do not need to meet physically, let us know. In the meantime, we will need to plan for how to combat ransomware when you can't catch them. There are only so many of them who will be identified and travel to countries they shouldn't, although when it happens, law enforcement has tended to make them regret doing so.

    2. Anonymous Coward

      Law enforcement is very expensive and slow. It is not a movie.

      Besides, law enforcement does not produce tangible GDP. Jobs? - yes.

    3. katrinab Silver badge

      Re: I guess she's saying that law enforcement is pathetic

      Yes, US law enforcement is pretty useless when the suspect is in Russia or North Korea. That's not news, and it is not something a different US government can change.

      1. Brad Ackerman

        Re: I guess she's saying that law enforcement is pathetic

        One should certainly expect the US government to be working on both; and when POTUS considers the work to be at an acceptable state, you'll know.

    4. Filippo Silver badge

      Re: I guess she's saying that law enforcement is pathetic

      Law enforcement is usually best employed as a last-tier solution to any given problem. It's good at dealing with point events, but it's extremely expensive.

      Because of that, it's smart to deploy other measures to reduce issues in a statistical sense. Use incentives and disincentives to reduce motives. That way, the number of events that have to be dealt with by law enforcement can be minimized.

      That is efficient. For some problems, it's the only way to realistically keep them under control. That is typical of crimes where victims and perpetrators are in collusion, such as contraband, drugs and, yes, ransomware.

      Expecting to solve all problems via law enforcement alone is like allowing everyone to just dump trash in the street, and then having the street cleaning staff deal with it. Sure, it works in theory, if you think it's sane to spend the entire town budget on the cleaning staff.

    5. DS999 Silver badge

      Re: I guess she's saying that law enforcement is pathetic

      Even if you have the most competent IT people in the world helping law enforcement there is only so much they can do. They can only catch the criminals if 1) they make a mistake that reveals who/where they are and 2) they are in a country that allows extradition to the US (or wherever the ransom attack occurred). Since many of them are in Russia or North Korea, that's pretty much off the table.

      I'm no big fan of law enforcement, but saying that not being able to catch ransomware criminals makes them "pathetic" is a ridiculous take.

  6. Anonymous Coward

    Duty of care

    Most insurance includes a ‘duty of care’, requiring you to take steps to prevent a claim. If ransomware insurance exists, then use it to improve cyber security. No 2FA - no payout. Kept the default admin password - no payout. Failed to train employees to spot phishing emails - no payout. You get the idea. It looks like the politicians are not going to ban paying ransoms, or ban insuring against ransomware, so let's force the insurance companies to make their clients harder targets. Insurance companies love a reason to not pay out for a claim. They could start with the basic stuff and then each time a ransomware attack succeeds, find out how they got in and make securing that way in part of the policy 'duty of care'. Yes I am a hopeless idealist but I'm not the only one.

    1. Sandtitz Silver badge

      Re: Duty of care

      "No 2FA - no payout. Kept the default admin password - no payout."

      Let's keep it simple: If a company does not have certification for ISO 27001, NIST, NIS2, or something equivalent - then they are not eligible for cyber insurance in the first place.

      If a cyber insured company is still penetrated and the root cause can be determined to be nonadherence to those requirements, then there could be either no pay or just lower payout, depending on the level of transgression.

      1. HereIAmJH Silver badge

        Re: Duty of care

        Just ban the cyber insurance itself. The cyber insurance allows businesses to normalize the expense and they will do a cost analysis with actually securing their systems. If the insurance is cheaper, that is the choice they will take. Without the insurance, management will be responsible for their neglect of good security practices. Now they just choose cheap options that are Security Theatre and say "see, we did something" while not actually making their business more secure. For example, password rotation, SMS '2FA'.

        1. Sandtitz Silver badge

          Re: Duty of care

          "Just ban the cyber insurance itself. The cyber insurance allows businesses to normalize the expense and they will do a cost analysis with actually securing their systems."

          No.

          You can have very secure systems but it is never 100% secure.

          Should companies be banned from taking insurance against property damage, deaths, transport, liabilities etc? You can minimize the likelihood of them happening but you still can't reach zero.

          "If the insurance is cheaper, that is the choice they will take. Without the insurance. management will be responsible for their neglect of good security practices."

          Take a look at the EU NIS2. With or without insurance the management is responsible for the neglect.

          1. HereIAmJH Silver badge

            Re: Duty of care

            "Should companies be banned from taking insurance against property damage, deaths, transport, liabilities etc?"

            Then let's create laws similar to Attractive Nuisance laws with statutory damages like copyright infringement. That would make it a tort and the people who are harmed by the breach can take them to civil court.

            https://en.wikipedia.org/wiki/Attractive_nuisance_doctrine

            "Take a look at the EU NIS2. With or without insurance the management is responsible for the neglect."

            The problem is, breaches aren't being classified as neglect. The decision makers are rarely held accountable, other than a dip in their stock price.

          2. LVPC

            Re: Duty of care

            Nothing is ever 100% secure. Such is life. Insurance doesn't change that.

        2. Anonymous Coward

          Re: Duty of care

          The other issue with the "... then no payout" idea is the other side of the coin: it creates a window for the insurance companies to collect the insurance premiums and then dodge having to pay claims, perhaps on impossible or unsustainable conditions.

          This already happens today with homeowners insurance and others, where the insurance companies reject or weasel out of paying claims wherever they can get away with it.

      2. Anonymous Coward

        Re: Duty of care

        Like 2FA is a silver bullet. Sorry to disappoint you guys, it's not.

        Remember the RSA token seeds being taken? Yeah...

    2. Anonymous Coward

      Re: Duty of care

      Insurance does not prevent cyber terrorism. And it is the terrorism that is of the greatest concern.

      Neither does insurance produce tangible GDP. Jobs? - yes.

  7. Groo The Wanderer

    I'm surprised they pay out ransomware fees - that's like paying the drug dealers who kidnapped someone. Can't say I've ever heard of an insurance company paying an illegal expense.

    1. Yet Another Anonymous coward Silver badge

      Kidnap insurance is standard across a lot of industries that have to do business in interesting parts of the world.

    2. oldandgrey

      Have a look at: https://nl.wikipedia.org/wiki/Slavenkas_van_Zierikzee

      An insurance company founded in 1735 to pay the ransom for sailors who were enslaved by Barbary pirates.

  8. Lee D Silver badge

    Tell me how paying software ransoms isn't money laundering.

    You're paying large sums of legitimate money to an unknown, undiscoverable entity, deliberately and knowingly.

    How are you accounting for this on your accounts and auditing? How are these third-parties who do it on your behalf?

    I had this come up at a workplace (registered charity) that was infected and they wanted to pay a third-party company to pay the ransomware for them, and then bill them (plus some commission, plus zero guarantees anything would actually be fixed by doing so). I queried how we can knowingly contribute to money-laundering given that we'd spent the past year telling customers that we couldn't accept anonymous cash for payment any more because of anti-money-laundering rules. I asked what we tell the auditors about this not-insignificant sum we're paying to this company. I asked how the charity administrators could account for it, and the gambling with that kind of money.

    There are literally companies that exist to do this... they take your money, issue a legitimate receipt / invoice, convert it to Bitcoin, pay the ransomers, and then... they don't care what happens beyond that. If you're not committing money laundering yourself, they certainly are, and doing it with your knowledge (so now not only are you money-laundering, but you're trying to obscure your accounting to hide the tracks of that very money-laundering by converting currency, sending it abroad, washing it through another company, etc.).

    I think government should crack down and make it clear... if you pay a ransomware author, you're money-laundering unless you can identify the person or organisation that's receiving that money. And if you can identify your ransomer... well... shouldn't you be telling the police?

    1. Yet Another Anonymous coward Silver badge

      >There are literally companies that exist to do this..

      Yes, they are called "banks", often with the name of the country in front of the word "Bank".

    2. doublelayer Silver badge

      I don't think money laundering means what you think it means. Laundering money is when someone takes money from an illegal source and hides it to appear legal again. If you pay a ransom, the criminal who received it is likely going to launder it so they can buy stuff with it. You are not laundering it because the money concerned was provably yours. You have not laundered any money, just given it to a criminal, which is not currently illegal.

      There are a few crimes which come into play just by giving money to someone. Those include funding terrorism or evading sanctions. However, there are a few provisos that you should consider before you take your comment and do a "s/money laundering/funding terrorism/g" on it. First among those is that, to be a crime, a specific entity must be on a list set by your country. If it's not on that list, those crimes do not apply. They would still apply if you specifically requested use of your funds for terrorism, but you didn't. You may also be off the hook if you can convincingly demonstrate that you did not know they were going to a sanctioned person or group. No, that doesn't mean that you have to show proof that you know who it is going to. For instance, North Korea is under sanction, and if I send any money to them, I've committed a crime. They get around this by operating some businesses internationally, for instance several restaurants, mostly in southeast Asia. If I'm traveling in southeast Asia, I don't have to question and record all the restaurants I visit for their ownership. If I pick a North Korea-run one by accident, that's unfortunate. Only if I pick it on purpose is it sanctions evasion. That is why ransomware is a popular way of evading sanctions, because the current laws do not forbid it.

      If you don't like how the current legal situation works, that situation must be changed. It is not money laundering to pay a ransom, and it will never be, but we could easily make it a crime anyway. Doing that would likely help quite a lot. I support doing it. We can't pretend that it is already done.

      1. Lee D Silver badge

        "In UK law money laundering is defined in the Proceeds of Crimes Act 2002 (POCA) and includes all forms of handling or possessing criminal property, including possessing the proceeds of one's own crime, and facilitating any handling or possession of criminal property."

        https://www.ifa.org.uk/technical-resources/aml

        Everyone in the chain that touches, facilitates, authorises, allows or processes money that is the proceeds of a crime (a ransom is literally a proceed of a crime, you don't get much more smack-bang inside the definition) knowingly is allowing money-laundering. Obscuring the path of supplying those proceeds is fraud.

        This is why banks and charities are required to know both the source and the destination of funds now. You can't just drop £10k on your kid's private school in cash anonymously... they have to identify you before they can accept it. And your own bank wants to know why you're trying to draw out £10k in cash.

        And just because you're at the start of the chain doesn't exempt you (and the act of "wanting" to pay the ransom isn't illegal in itself). But the second you reward someone for committing a crime, by paying a ransom, that becomes proceeds of a crime and ... oh... look... you handled it.

        The law in this circumstance has always been enough to make it convictable, but PoCA *literally* makes it explicit.

        Equally, the third-party in my example (the company that acts as a middle man) is a prima facie example of a money-launderer. It doesn't get much clearer.

        “a person commits an offence if he enters into or becomes concerned in an arrangement which he knows or suspects facilitates (by whatever means) the acquisition, retention, use or control of criminal property by or on behalf of another person.”

        1. doublelayer Silver badge

          Before you hand it to a criminal, it is not the proceeds of a crime. It is your money. You may read that law again, looking for the part where it defines any payment to a criminal as money laundering, but you won't find it. The rest of the chain, yes. Your end of it, no. In fact, the criminal hasn't done any money laundering until they try to obscure the source of that money. If they go out and say "I have some ransom money and I want to buy something with it", they've only committed the original offenses.

          Your overeager interpretation is incorrect in several other ways. Yes, I can get £10k of cash and buy something with it anonymously. The bank will record that I withdrew it. The other bank will likely report that they deposited it. However, purchasing something expensive anonymously with cash is not illegal. Buying something with stolen cash is, and if I am a criminal, I might be charged with money laundering as well as whatever crime gave me the cash. The person I bought the expensive thing from is not required to verify my identity. If they too know that I am a criminal, they are guilty as well. If they do not know that, they are not guilty. Some institutions have a requirement to verify identities first, but not to verify the source of my cash. They too are not guilty, because they have complied with their requirement to have a record of the identity of the payer. Law enforcement may ask them for that information during the investigation, but even if it turns out I am a criminal, they were not supposed to identify that before allowing me to complete a purchase. Even more businesses are not required by law to verify identities and do it anyway.

          Your page makes that clear (emphasis mine):

          Criminal property (defined in POCA) constitutes or represents a person's benefit from criminal conduct where the alleged offender knows or suspects that the property in question represents such a benefit.

  9. lglethal Silver badge
    Go

    Cyber Insurance?

    I'll be honest, I've never understood the business case behind Cyber Insurance. The costs involved for the insurer are massive and usually pretty open ended (how much time to rebuild systems from scratch AND update so that you are better protected than last time?). Now Insurers are usually very good at working out the risks of events happening and forcing people to make sure that things are as good as they can be before the event for which they will have to pay out. Door locks not up to standard, no payout. Electrical wiring not up to code leading to fire, no payout. The insurance company will force those things to be checked and approved for you to get your coverage. And if you have high risk items, you are going to pay through the nose to cover them.

    And yet here they are offering Cyber Insurance to corporations who clearly didn't have security up to scratch, and they are paying out. The risks involved in anything IT are massive. I think we would all agree there is no online service that is unhackable. So the firms are providing insurance for something that is constantly under attack? And when a firm does get breached, was it because their security wasn't up to scratch? Did the Insurer check the security beforehand? Did they require regular security audits, from external firms, with a clear fail and no payout clause? I've not heard of that or anything remotely like it.

    And for the corporations, the fees for the Cyber Insurance must be through the roof! Wouldn't it be better to put that money directly into your IT team for improving your security in the first place? Oh wait, insurance comes from a different cost centre, so we can't do that... Sometimes I despair for the modern world...

    1. FILE_ID.DIZ

      Re: Cyber Insurance?

      Without wading into whether cyber insurance specifically is valuable or a hindrance or an indirect facilitator in the furtherance of crime, let's discuss insurance in general.

      So, the first issue I'll point out is the assumption that the insurance company is exposed to open-ended costs. All policies have maximums, period. Maximums per individual policy can vary, but they are proportional to the policy's premium paid.

      Tangentially, unlike a physical property insurance carrier as a counter-example, who may have hundreds or thousands of claims during a specific weather event over a specific geography (think tornado, severe hail storm, hurricane and the like), one cyber insurance claim likely has nothing to do with the next claim. Therefore, a single cyber insurance issuer is likely to experience a claims due to a single catastrophic event.

      And while I'm no expert in insurance (or really anything), there's insurance for insurance companies, called reinsurance - further distributing the financial burden beyond the insurer. And beyond that, there's a whole bond market colloquially called "CAT" bonds, or Catastrophe Bonds that helps further distribute exposure from any event across even more entities.

      At the end of the day, there's not too many insurance companies that go out of business (at least those that are well run - and that's not the topic of this response). That's because they know how to manage risk [0] and adjust their exposure and premiums appropriately.

      [0] There's been a whole bunch of insurance companies who did property and casualty insurance over the past half-decade who have gone bankrupt. While I haven't dug into the specifics of any one company - I'd suspect that some of those failed insurance companies fell into the same rising interest rate trap that caught a few banks who failed during the same time frame. Insurance companies, if properly run, bank a crap ton portion of their money in various investments and other hedges against inflation.

      1. Anonymous Coward
        Anonymous Coward

        Re: Cyber Insurance?

        Yes. We already see situations where it is very difficult, if not impossible to buy insurance due to prevailing conditions.

        E.g. in the US, it can be prohibitively expensive to buy earthquake or fire home insurance in areas of California, if a provider can even be found. In some cases the government underwrites a bond(?) or some sort of arrangement like it.

        You can imagine that hurricane activity has caused a similar situation on the other coast in Florida, with flood insurance and related. Some homes probably can't be insured at all, and some insurance companies have simply vacated their business from the state.

        If "cybercrime" continues to rise, we might see a similar reaction in those insurance policies.

        After all, insurance companies don't profit from paying out too much or too often.

    2. Sam not the Viking Silver badge

      Re: Cyber Insurance?

      I've often wondered why insurance companies aren't more 'hands-on' when it comes to reviewing the company they are covering. Just asking: "What happens if your systems/storage/data are lost/stolen/destroyed?" should prompt a clear plan.

      If not, why is the company insurable at all? Playing the odds on it not happening is a loser's game, but perhaps not in this financial/bonus year.

      1. Yet Another Anonymous coward Silver badge

        Re: Cyber Insurance?

        Because the insurance industry is slow and conservative. In the past, compared to fire/flood/public-liability etc the risk/cost of cyber-attack is probably low for some random chemical plant in middle-America.

        They are probably just catching up with "#metoo" liabilities

  10. FILE_ID.DIZ
    Holmes

    What about China or Russia with respect to compromised companies?

    While hacks and breaches are published far and wide from companies based in the US/Canada and Western Europe, what's going on with companies that are big in China or Russia with respect to their users and the like?

    Is the lack of news because there are no breaches, or because it's not as well publicized here?

    Not for the fact that misery likes company, but misery DOES like company.

    1. lglethal Silver badge
      Go

      Re: What about China or Russia with respect to compromised companies?

      As a general rule, the Number 1 rule for Russian Hackers is that they shall under no circumstances attack Russian interests (if they enjoy the use of their legs). There's also the unwritten 2nd rule that if you go after Putin's opponents (for example the West) rather than those who are somewhat friendly (think Iran), then you'll be looked after. Break those rules and you will be in trouble.

      Chinese state hackers are primarily aimed at obtaining secrets and information and much less at Ransom interests. Regular Chinese Hackers are as likely to go after Chinese people as anyone else. However, there are rules about who you go after, i.e. No one in the Party, no company being championed by the Party, nothing big (such that it would embarrass the Party), etc. Also, just don't get BIG.

      There's a reason so many of the scam centres (which predominantly attack the regular Chinese people) are set up in Myanmar, Cambodia, and the Philippines. It puts them at arm's length from the Chinese authorities, and after greasing the correct palms, those at the top can sidle away before the big raids come and shut them down. A large part of the fact that the Myanmar military is now losing significantly in the civil war there is that the Scam centres run by those friendly to the Military got too big, and it became a source of embarrassment to the Party. When the Myanmar Military refused to shut them down, China withdrew their support, let the rebel groups they controlled off the leash (who had previously been keeping out of the civil war at the behest of China), and they quickly overran the areas where the Scam centres were run.

      So I guess to summarise, the Chinese Hackers can go after Chinese people so long as they don't do anything large enough to generate headlines. As such, it's far easier (and more lucrative) for them to turn their attention to the West...

      (Note: I am not an expert, but the above seems to be the accepted wisdom from various sources, including El Reg)

  11. StrangerHereMyself Silver badge

    Never

    This will and never should be allowed to come to pass. A company could literally go broke if it loses access to its data.

    The government may not care too much if a mom & pop operation goes belly-up, but what if a billion dollar company threatens to go bust? This is simply a bad idea. Let companies decide for themselves if they want to pay.

    1. Brad Ackerman
      FAIL

      Re: Never

      We already allow C-suites of billion dollar companies to run them into the ground in hundreds of different ways. What's so sacred about allowing C-suites to run their companies into the ground with the help of the FSB?

      We don't allow Nike to assassinate people trying to buy their latest intentionally supply-limited sneaker to make it appear even more desirable; allowing them to fund the Russian invasion of Ukraine or the North Korean nuclear weapons program is no different.

    2. Sok Puppette

      Re: Never

      If it is known that the company will NOT pay, because doing so is illegal, the law is enforced, and paying will probably mean life-changing personal consequences for all the decision makers, then NOBODY WILL MAKE THE DEMAND TO BEGIN WITH. There's no point in doing a lot of work attacking somebody if you're not going to get paid.

      This is trivially simple game theory.

      Anyway, there are a fair number of billion dollar companies that would improve the world by going bust.

      1. StrangerHereMyself Silver badge

        Re: Never

        How do you know? Maybe they're Russian government-funded operations which make money on the side by taking companies hostage. Maybe it's their aim to destabilize the West by bankrupting its billion dollar companies.

        People will be out in the streets if some billion dollar company goes bust because they can't access their data and thousands become jobless. I'm convinced the government will make an "exception" if that happens whilst at the same time allowing SMBs to go bankrupt.

  12. Filippo Silver badge

    >"A payment ban will backfire because it doesn't address the root cause of our national problem: widespread digital insecurity."

    Okay, but that "widespread digital insecurity" also has root causes of its own, and they're all about money.

  13. Blackjack Silver badge

    Ransomware insurance is not making things better that's for sure.

  14. Marty McFly Silver badge
    Go

    The ransomware solution....

    Whenever a company buys a decryption tool, they issue a press release saying the tool didn't work.

    Once the general belief changes to 'Decryption tools do not work', then the industry will stop paying the ransom.

    1. VicMortimer Silver badge

      Re: The ransomware solution....

      Nope.

      When a company buys a decryption tool, the CEO goes to prison.

      Once the general belief is "If I pay a ransom, I'm going to prison" THEN companies will stop paying ransom.

  15. mark l 2 Silver badge

    "The US government has long had a policy, we don't negotiate with terrorists," Hahn told The Register.

    In the real world governments including the US do negotiate with terrorists if that is the only solution to resolve a problem.

    Most police forces have specially trained negotiators whose job it is to get hostages freed unharmed (and they are government employees). And even if we discount those situations as not 'terrorism', then there are the negotiations that went on between the Reagan administration and Hezbollah in the 1980s to get hostages freed in return for arms sales. Or, for a more recent example, when the Democrats were in power: in 2014 the Obama administration released 5 Taliban prisoners held at Guantanamo Bay in exchange for an American soldier held hostage in Afghanistan. Both of these groups were deemed to be terrorist groups by the US at the time of the negotiations.

    These are just the ones the general public knows about. I suspect there are many others whose negotiations we won't be privy to, probably because the negotiations broke down or they were able to use other means to achieve a resolution.

    And besides, are ransomware scumbags terrorists? Probably not by the definition, as they aren't using violence or instilling fear in their victims; they are just out to line their own pockets. So they are really just old fashioned crooks.

    1. Sok Puppette

      Those negotiators exist because a lot of people who take hostages are irrational. Taking hostages isn't typically a profit-motivated activity undertaken out of self interest, let alone one where there's any kind of vaguely sane cost-benefit analysis.

      Ransomware IS a profit-motivated activity undertaken out of self interest with an at least mostly sane cost-benefit analysis.

  16. cookiecutter

    Make the board responsible

    We all know that a large part of the problem is the board refusing to pay for the staff or the kit or the training.

    Make the board legally responsible. Ban ransomware payments completely.

    Insist on fully staffed departments. Compulsory staff training where your top trader can't just turn around and say "I'm too busy for this!"

    Ideally I'd love to return to a time when stock buybacks were illegal, but put in a rule.....pay a ransomware ransom....no share buybacks for 5 years. That alone would mean the collapse of company share prices so deep that even the dumbest CEO should understand the risk

    1. Brad Ackerman

      Re: Make the board responsible

      Buybacks function the same as dividends; they're just preferred because the shareholders are only taxed when they sell the stock. If you want to make boards accountable, banning multiple-class stocks would be more useful.

  17. Pete 2 Silver badge

    Clink

    > in addition to the extortion payment itself

    Nothing focuses the mind more than the prospect of confinement.

    It is not much of a stretch to consider paying ransomware to be a voluntary act, paid to criminals or terror organisations. Or in the case of NK gangs, to illegal trading with an outlawed state.

    Since these large payments would have to be approved at a high level within an organisation, it is easy to identify the individuals who approved it and those who actually made the payment.

    If the preceding words seem like a long sentence, they would pale compared to what those individuals should receive.

  18. Anonymous Coward
    Anonymous Coward

    WORM

    Write once read many https://en.wikipedia.org/wiki/Write_once_read_many

    Append only https://en.wikipedia.org/wiki/Append-only

    Sounds like this could, at least in theory, keep old pre-ransomware data safe from being encrypted.
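The property the comment points at, as an added example (not code from the post or any product): a toy append-only ledger in which each stored version is hash-chained to the previous one, so old versions can be appended to but never silently rewritten, and a constructed "live copies lost" scenario that is recovered from the ledger. File names, contents and the scramble stand-in are all constructed for the demo.

```python
"""Toy WORM-style append-only backup ledger (constructed for this example)."""
import dataclasses
import hashlib
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

GENESIS = "0" * 64  # prev_hash of the first record


@dataclass(frozen=True)  # frozen: records refuse in-place attribute writes
class Record:
    seq: int
    name: str
    data: bytes
    prev_hash: str
    digest: str


def _digest(seq: int, name: str, data: bytes, prev_hash: str) -> str:
    """SHA-256 over the record fields plus the previous record's digest."""
    h = hashlib.sha256()
    h.update(f"{seq}|{name}|{prev_hash}|".encode())
    h.update(data)
    return h.hexdigest()


class WormLedger:
    """Append-only store: new versions are added, earlier ones never replaced."""

    def __init__(self) -> None:
        self._records: List[Record] = []

    def append(self, name: str, data: bytes) -> str:
        prev = self._records[-1].digest if self._records else GENESIS
        seq = len(self._records)
        rec = Record(seq, name, bytes(data), prev, _digest(seq, name, data, prev))
        self._records.append(rec)
        return rec.digest

    def latest(self, name: str) -> Optional[bytes]:
        """Most recently appended version of a file, or None if never stored."""
        for rec in reversed(self._records):
            if rec.name == name:
                return rec.data
        return None

    def verify(self) -> Tuple[bool, Optional[int]]:
        """Recompute the whole chain; return (ok, first bad sequence number)."""
        prev = GENESIS
        for rec in self._records:
            if rec.prev_hash != prev or _digest(rec.seq, rec.name, rec.data, rec.prev_hash) != rec.digest:
                return False, rec.seq
            prev = rec.digest
        return True, None

    def reject_in_place_edit(self, seq: int) -> bool:
        """True if assigning to a stored record's bytes is refused (frozen)."""
        try:
            self._records[seq].data = b"garbage"  # type: ignore[misc]
        except dataclasses.FrozenInstanceError:
            return True
        return False

    def unsafe_rewrite(self, seq: int, new_data: bytes) -> None:
        """Model raw write access to the medium: swap an old record's bytes but
        keep its stored digest. verify() is expected to flag this record."""
        self._records[seq] = dataclasses.replace(self._records[seq], data=new_data)


def scramble_live(files: Dict[str, bytes]) -> Dict[str, bytes]:
    """Constructed stand-in for the live copies becoming unreadable (not real crypto)."""
    return {name: b"<unreadable>" * (len(data) // 12 + 1) for name, data in files.items()}


def restore(ledger: WormLedger, files: Dict[str, bytes]) -> Dict[str, Optional[bytes]]:
    """Replace every live file with its latest ledger version."""
    return {name: ledger.latest(name) for name in files}
```

Because `verify()` walks the chain from `GENESIS`, a rewrite of record N is reported at N even though later records still carry matching digests.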

  19. JWLong Silver badge

    Just like any other problem.

    Companies don't like to pay for things. C-suites that only worry about next quarter's dividend paid to stockholders (themselves), and board members that only suck owners' dicks for a living. Insurance companies don't like paying out for ransom costs, well here's a fucking idea, stop writing the policies for this shit, otherwise just STFU!

    Take away the tax write-offs for being lazy, cheap, stupid, or just for being a thief. Make the assholes in charge pay restitution out of their own pockets because they didn't want to pay for proper network building and maintenance.

    All these whiners that get hacked are the same ones making their Wall Street forecast come true by cutting costs and budgets for a system responsible for most of their business. If they are so fucking blind they can't see the problem there, why are they in charge in the first place? Just more butt sucking is all.

    These corporations post billions of dollars in profit every quarter, and yet they can't seem to afford to have proper staff or resources to allow IT to do its job. They are fucking liars and thieves and need to be convicted and spend a lot of time in prison for their bullshit.

    You want to stop ransomware, start where the problem is: in the corporation itself. Always follow the big money, it will lead you to right where the main problems are, the C-suite offices and the boardrooms.

  20. -tim
    FAIL

    The ransom isn't that much of a burden

    The amount of the ransom tends to match the CEO's compensation for a year most of the time. Many companies don't seem to have a problem with that level of expense, so it will continue.

    1. VicMortimer Silver badge

      Re: The ransom isn't that much of a burden

      Which is why paying ransom should be a crime that puts the CEO (and whoever else approved the payment) in prison. That'll stop it.

  21. An_Old_Dog Silver badge

    Easy "Solutions", Banning Ransomware Payments

    Companies, and the boards of directors which run them, prefer buying insurance over improving their info systems' security, because buying insurance is an easy, simple solution. True info systems security is complex and "hard."

    If ransomware payments and ransomware insurance are banned, I'm sure it will continue in some plausibly-deniable, underground way.

  22. Anonymous Coward
    Anonymous Coward

    Just bankrupt any company whose security is bad enough to get attacked

    If you can't do security properly, you don't deserve to be in business.

    (If you're a hospital and you're not doing security properly, then whoever you outsourced your security to doesn't deserve to be in business.)

    That's the level of threat that might make them take security seriously.

    1. VicMortimer Silver badge

      Re: Just bankrupt any company whose security is bad enough to get attacked

      Good, but insufficient to stop them.

      There should be prison time attached to paying ransom.
