Ransomware gangs get paid off as officials struggle for fix

Cybersecurity Ransomware Banning Payments

BOSTON (AP) — If your business falls victim to ransomware and you want simple advice on whether to pay the criminals, don't expect much help from the U.S. government. The answer is apt to be: It depends.

“It is the position of the U.S. government that we strongly discourage the payment of ransoms,” Eric Goldstein, a top cybersecurity official in the Department of Homeland Security, told a congressional hearing last week.

But paying carries no penalties and refusing would be almost suicidal for many companies, especially the small and medium-sized. Too many are unprepared. The consequences could also be dire for the nation itself. Recent high-profile extortive attacks led to runs on East Coast gas stations and threatened meat supplies.

Although the Biden administration has made battling ransomware crime a national security priority, public officials are fumbling over how to respond to the ransom payment dilemma. In an initial step, bipartisan legislation in the works would mandate immediate federal reporting of ransomware attacks to assist response, help identify the authors and even recoup ransoms, as the FBI did with most of the $4.4 million that Colonial Pipeline recently paid.

Without additional action soon, however, experts say ransoms will continue to skyrocket, financing better criminal intelligence-gathering and tools that only worsen the global crime wave.

President Joe Biden got no assurances from Russian President Vladimir Putin in Geneva last week that cybercriminals behind the attacks won't continue to enjoy safe harbor in Russia. At minimum, Putin’s security services tolerate them. At worst, they are working together.

Energy Secretary Jennifer Granholm said this month that she is in favor of banning payments. ”But I don’t know whether Congress or the president is” in favor, she said.

And as Goldstein reminded lawmakers, paying doesn’t guarantee that you’ll get your data back or that sensitive stolen files won’t end up for sale in darknet criminal forums. Even if the ransomware crooks keep their word, you’ll be financing their next round of attacks. And you may just get hit again.

In April, the then-top national security official in the Justice Department, John Demers, was lukewarm toward banning payments, saying it could put “us in a more adversarial posture vis-à-vis the victims, which is not where we want to be.”

Perhaps most vehement about a payment ban are those who know ransomware criminals best — cybersecurity threat responders.

Lior Div, CEO of Boston-based Cybereason, considers them digital-age terrorists. “It is terrorism in a different form, a very modern one.”

A 2015 British law prohibits U.K.-based insurance firms from reimbursing companies for the payment of terrorism ransoms, a model some believe should be applied universally to ransomware payments.

"Ultimately, the terrorists stopped kidnapping people because they realized that they weren’t going to get paid,” said Adrian Nish, threat intelligence chief at BAE Systems.

U.S. law prohibits material support for terrorists, but the Justice Department in 2015 waived the threat of criminal prosecution for citizens who pay terrorist ransoms.

“There’s a reason why that’s a policy in terrorism cases: You give too much power to the adversary,” said Brandon Valeriano, a Marine Corps University scholar and senior adviser to the Cyberspace Solarium Commission, a bipartisan body created by Congress.

Some ransomware victims have taken principled stands against payments, the human costs be damned. One is the University of Vermont Health Network, where the bill for recovery and lost services after an October attack was upwards of $63 million.

Ireland, too, refused to negotiate when its national health care service was hit last month.

Five weeks on, health care information technology in the nation of 5 million remains badly hobbled. Cancer treatments are only partially restored, email service patchy, digital patient records largely inaccessible. People jam emergency rooms for lab and diagnostic tests because their primary care doctors can't order them. As of Thursday, 42% of the system’s 4,000 computer servers still had not been decrypted.

The criminals turned over the software decryption key a week after the attack — following an unusual offer by the Russian Embassy to “help with the investigation” — but the recovery has been a painful slog.

“A decryption key is not a magic wand or switch that can suddenly reverse the damage,” said Brian Honan, a top Irish cybersecurity consultant. Every machine recovered must be tested to ensure it's infection-free.

Data indicate that most ransomware victims pay. The