Push to ban ransomware payments admirable, but success lies in the details

Earlier this week, Latitude Financial announced that the company would not “reward criminal behaviour” by paying a ransom to the cyber criminals that stole client data stored by the company in mid-March.

According to a company statement, it is expected that some 7.9 million driver’s licences from Australia and New Zealand and 53,000 passport numbers were taken during the breach.

To the company, paying the ransom would serve to entice further criminal activity and only put Australian businesses at risk.

“In line with advice from cyber crime experts, Latitude strongly believes that paying a ransom will be detrimental to our customers and cause harm to the broader community by encouraging further criminal attacks,” the company outlined.

Latitude’s approach is consistent with Australia’s top lawmakers, with Cyber Security Minister and Home Affairs Minister Clare O’Neil outlining the risks associated with companies paying ransoms in exchange for the destruction or decryption of data.

“The idea that we’re going to trust [hackers] people to delete data that they have taken off and may have copied a million times is just frankly silly,” said Minister O’Neil.

“We’re standing strong as a country against this, we don’t want to fuel the ransomware business model.”

Data on the efficacy of ransomware payments indicate that both the Minister and Latitude’s logic is correct.

VIEW ALL

Research from cyber security company HYCU in December illustrated that only 60 per cent of businesses regain access to their data following their first ransomware payment.

The same study found that 32 per cent of businesses had to pay additional ransoms and 8 per cent “never regained their stolen information”.

Not only is there no guarantee that businesses will receive their compromised data or have it decrypted, but additional research by Cybereason indicated that ransom payments signal to the vast interconnected mesh of cyber gangs that you and your organisation are target rich.

“This research found that it clearly does not pay to pay. Of the organisations that chose to pay a ransom demand, the vast majority (nearly 80 per cent) indicated they were victims of at least one subsequent ransomware attack,” a 2022 report from the company read.

“Of those who were hit a second time with ransomware, nearly half (48 per cent) indicated the attack was perpetrated by the same attackers.”

It is clear then that just paying a ransom is in and of itself a corporate risk.

However, making the payment of ransoms illegal — either through criminal liabilities for financial directors or fines aimed toward the business — may not be the remedy to stifle the uptick in ransomware attacks.

According to a blog by the Australian law firm Lander & Rogers, civil penalties may still be cheaper for some firms than the business cost of stolen and encrypted data.

“However, the effectiveness of civil penalties of this quantum in deterring the payment of ransom is debatable,” the blog read.

“When the very survival of a business is at stake, a cost-benefit analysis could reveal it is in the interests of the business to pay the ransom and simply absorb the civil penalty.”

Further, the criminalisation of ransoms may also disproportionately impact smaller businesses who are ultimately the primary victims of the attack.

“Such a law presupposes that all organisations are able to recover without paying a ransom, which is simply not a realistic assumption at this stage of Australia's cyber security maturity,” the Lander & Rogers blog proposes.

“In actual fact, it is perhaps more likely that a ban on ransom payment would hurt these organisations the most, rather than the cyber criminals themselves.”

Harsher deterrents including holding individuals criminally liable would also force the practice of ransomware payments further underground, compelling some companies to cooperate with cyber criminals away from the watchful and supportive eyes of the Australian Federal Police, Australian Signals Directorate, and the Australian Cyber Security Centre.

Such a move will not only benefit the cyber criminals but will deprive our law enforcement agencies of much needed information regarding hacking trends which can be used to inform best practice for keeping businesses safe in the future.

Speaking to the committee on the judiciary of the US Senate in 2021, assistant director of the FBI’s cyber division, Bryan Vorndran, recommended against making ransomware payments illegal for these reasons.

“[If] you ban ransom payments, now you are putting US companies in a position of another extortion, which is being blackmailed for paying the ransom and not sharing that with authorities,” he said.

So where does the government go from here? The data is clear — paying ransom won’t necessarily secure your data and will likely make you a target for future breaches. But criminalising the process will punish victims who may not have recourse to re-establish their business operations and even potentially force collaboration underground.

First, the government should consider stricter guidelines around the use of cyber insurance in ransomware attacks to cauterise the money available to cyber attackers.

According to Jeffrey Foster, associate professor in Cyber Security Studies at Macquarie University, and Jennifer Williams in The Conversation, “it’s a common tactic for cyber criminals to demand a ransom equivalent to the insurance reimbursement [for a ransomware payment]”.

Such insurance mechanisms, though derisking businesses, provide a large financial pool from which cyber attackers can draw.

Second, the government should investigate establishing regulations which ensure that ransom payments are restricted to “the most exceptional of circumstances”. This concept was examined by Lander & Rogers.

“If the goal is simply to reflect the public policy of discouraging the payment of ransoms, rather than personal criminal liability, a more appropriate approach would perhaps be to regulate such conduct through the directors’ duties provisions, to ensure that any decision to make a ransom payment is in line with those duties,” the law firm wrote.

“This would ensure that any decision to pay a ransom would be limited to the most exceptional of circumstances and where it is, on balance, likely to be reasonable or in the interest of the company.”

But finally, the simplest way of ameliorating the risk of ransomware is simply to increase the barriers to entry for cyber criminals by introducing more stringent cyber security guidelines for businesses.

These can include business continuity plans which reduce the need for ransom payments by enabling businesses to continue some of their business operations. It could also include public-private partnerships between cyber security agencies and providers of decryption services to reduce the financial benefits for cyber criminals who are using older and more outdated encryption tools and looking for a quick win against uninformed businesses.

While the recent push towards banning ransomware payments is truly admirable and marks an inflection point with the government taking ransomware seriously, the success of new legislation and regulation won’t be in the broad brush strokes — but in the structural details that make businesses more resilient and government agencies more adaptable.

Liam Garman

Liam Garman is the editor of leading Australian security and defence publications Cyber Daily and Defence Connect. 

Liam began his career as a speech writer at New South Wales Parliament before working for world leading campaigns and research agencies in Sydney and Auckland. Throughout his career, Liam has managed and executed a range of international media and communications campaigns spanning politics, business, industrial relations and infrastructure. He’s since shifted his attention to researching and writing extensively on geopolitics and defence, specifically in North Africa, the Middle East and Asia. He holds a Bachelor of Commerce from the University of Sydney and a Masters of Strategy and Security from UNSW Canberra, with a thesis on postmodernism and disinformation operations.