New guidance on ransomware payments issued by the Counter Ransomware Initiative (CRI) strongly discourages negotiations with attackers and advises victims to carefully consider all options, but does not rule out the possibility unless it is illegal in that jurisdiction.
The guidance looks to reduce the frequency and size of ransomware payments, rather than pursuing the dream of eliminating them entirely. CRI notes that though one cannot trust attackers to keep their word about providing decryption keys or disposing of stolen data, organizations may face such a devastating operational disruption that they are essentially forced to try making a payment as a near-term solution to the problem.
CRI guidance generally accepted by national governments, cyber insurance providers
The advice is philosophically nothing new, as it reflects the longstanding policies of the 38 countries that promote CRI’s guidance. Of these, only Australia has come substantially close to passing legislation banning ransomware payments. For the most part nations have settled on strongly discouraging payments but not punishing organizations that feel they have no other viable option, and much focus has been put on bolstering law enforcement cyber capability to shut down the flow of funds after the fact and claw back as much as possible for victims.
The CRI guidance does not really focus on whether or not to make ransomware payments, instead stressing that victims should make early contact with law enforcement (regardless of their ultimate decision) and that they have many options to explore before pulling the trigger on a payday for cyber criminals. The main thrust of the guidance is to incorporate these options into business continuity and communication plans, policies, procedures, and frameworks ahead of any ransomware incidents.
The guidance also provides something of a step-by-step process for making this evaluation, which begins with being clear about the applicable legal and regulatory environment around ransomware payments. While the countries that subscribe to this guidance are generally permissive of payments, they may well have notification requirements that differ between industries. Critical infrastructure firms are usually under the tightest requirements.
The second step is to involve law enforcement as early as possible. This may put off some organizations that are seriously considering making ransomware payments, particularly if the criminals make threats about breaking off contact if they detect law enforcement involvement. However, these agencies are well-versed in dealing with cyber criminals at this point and can generally be relied upon to move discreetly even as negotiations proceed. Early involvement also ups the chances of money being clawed back at some point if a payment is made.
The guidance also urges due diligence and evaluation of all options at this point, something that should be baked into recovery plans so there is no confusion in a moment of potential panic. This includes having a short list of experts to consult, such as contacts provided by insurers or cyber incident response partners. Consideration of alternatives to paying should then begin, informed by exploring a number of key factors: Does the threat actor have a history of keeping their word when paid? What will the recovery look like in terms of timetable based on current technical capacity? How bad will business disruption be, and can elements of it be managed with alternate processes temporarily? And what will the overall impact to the organization be in both payment and non-payment scenarios?
Organizations must consider not just business impact, but also potential damage to life and limb (in an industrial or hospital scenario, for example) and damage to customers and employees from the public leak of personal data. Some, again particularly the critical infrastructure industries, must also weigh national security concerns.
Finally, organizations should involve all necessary stakeholders and decision-makers and record decisions to facilitate future audits. Post-incident, the root cause should be investigated to avoid a repeat breach of the same type.
Average ransomware payments up even during periods of slower overall activity
Though overall ransomware activity has slowed somewhat as compared to the frenetic period during the height of the Covid-19 pandemic, the average size of ransomware payments only continues to rise. Ransomware gangs collected over $1 billion in payments in 2023, a record year for them.
The ransomware payment totals in the last few years have largely been accounted for by the largest gangs, with whom international law enforcement continues to play whack-a-mole. They will have runs of anywhere from several months to two to three years in which they are among the kings of the mountain, before some sort of large international law enforcement effort critically disrupts them. Evil Corp, yet another Russian outfit, seems to currently be in the crosshairs, with the UK sanctioning sixteen individuals as part of a joint investigation with the US and Australia. It appears this group may have absorbed some refugees from the previous giant, LockBit, which was badly shaken by a disruptive operation earlier this year.