Are Ransom Payments Supporting Terrorists?

by C. Warren Axelrod on September 23, 2019

Organizations,
particularly those that recognize that they don’t have essential security and
data recovery measures in place, have taken out cyber insurance, which they are
regularly using to pay off ransomware attackers. I find it curious that these insurance
companies seem to be willing to pay out these claims so readily, as there are clear
indications that other insurance companies are fighting cyber claims where the
attackers appear to be nation states, as described in my May 6, 2019 BlogInfoSec
column, “Cyberwarfare—Yes? Cyber Insurance—No!” It will be interesting to see
how these new ransomware claims are handled longer-term and whether insurance
companies will backtrack based on evidence that attacks were in support of
terrorist groups or acts of war. If they do, then the whole game will change.

There is an outstanding
article, dated August 27, 2019, by Renee Dudley for Pro Publica
with the title “The Extortion Economy: How Insurance Companies Are Fueling a
Rise in Ransomware Attacks,” available at https://www.propublica.org/article/the-extortion-economy-how-insurance-companies-are-fueling-a-rise-in-ransomware-attacks
Dudley’s article provides an excellent chronology of ransomware attacks and
whether organizations paid up or tried to recover on their own. There is also a
suggestion in the article that some ransom monies are being used to finance
terrorists! If I read that correctly, then these municipalities and insurance
companies, which decide that paying up is their most cost-effective approach, are
in fact funding terrorism. Is that legal?

However, business and
government organizations are in a quandary. Insurance companies are incented to
pay the ransoms since the cost to them of recovery from a ransomware attack can
be orders of magnitude greater than the ransoms themselves. On page 127 of the
book “The Fifth Domain” by Richard A. Clarke and Robert K. Knake, the authors
take both sides. At the top of the page, they “often tell [their clients] to
pay up,” whereas towards the bottom of the page, they “think that it is time to
remove the incentive for cyber criminals to use ransomware by having a
government law or regulation that bans paying the ransom or institutes a fine
in addition to whatever ransom is paid.” So, which is it? You can’t have it
both ways. Well, OK, I understand that, during any such transitional period,
there is little incentive for those who have been attacked not to have their
insurance companies pay, and that, based on typical experience with government,
passing the requisite laws and regulations can take what seems like forever.
But we did it for Y2K, when senior executives and Boards were held criminally
liable if they didn’t remediate their systems. Why can’t we likewise accelerate
the process of holding organizations’ senior executives and Boards to account
for creating the resiliency needed to combat ransomware and other present and
future malware? Perhaps having backups in the Cloud is part of the answer,
except that Cloud services also get attacked, as in the recent Capital One
case.

Another point to consider
… If you pay the ransom, that money is going to adversaries, who may well be located
within a hostile nation. If you don’t pay, then the money to recover will
likely go to domestic companies and consultants, which generates income and
helps the home economy, even though that money is likely to be considerably
more than paying the ransom. From a national perspective also, not paying the
ransom is better than paying.

What it comes down to is the
“all for one and one for all” argument in my September 9, 2019 BlogInfoSec
column. Clearly, paying up is cheaper for those attacked, but only encourages
more attacks that, in aggregate, could cost society more than the refusal to
pay and then recovering the lost files by means other than decryption. Clarke
and Knake happen to give good advice on saving multiple generations of data and
gold copies of application software.

Sponsorships Available

If no one paid the
ransom, then the incentives of attackers would go away. The problem that
remains is that some unlucky bodies, such as the cities of Baltimore and
Atlanta, will have already had to pay for the recovery and reconstitution of
their data, systems and networks. Perhaps they are the ones who should be
remunerated for their costs since the benefits of discouraging ransomware will redound
to the overall economy. But it will only work if everyone supports the
arrangement, and that is only likely to happen with government intervention.

Clarke and Knake
specifically accused two Iranians of launching ransomware attacks against “some
two hundred networks in the United States over two years” from the safety of
their location in Tehran. If that is indeed the case, what we have here are possible
acts of terrorism and cyberwar, and government action is needed.