Introduction
Ransomware attacks are currently a major cybersecurity threat for many companies. This type of cybercrime is the cause of billions of dollars in losses every year, and its scale only increases. The main reason for the spread of fraud is the incentive in the form of ransoms that most organizations pay to criminals. It is more profitable for most commercial firms to pay money than to incur significant material and reputational losses during data recovery. However, even paying the ransom is not a guarantee that access to all files will be returned. Due to the increasing number of victims, the government must respond to this threat, which can result in outlawing payments in ransomware attacks. However, this measure, without the support of other tools, may cause greater losses than benefits.
Ransomware as a Cyber Security Threat
Ransomware is a type of malware that currently poses a threat to many organizations. It prevents the use of the computer system by “locking the system’s screen, locking the users’ files or using cryptographic techniques to encrypt affected systems” (Irwin and Dawson, 2019, p. 112). To restore access, the victims of such an attack are often forced to pay to obtain a decryption key; this payment is the hackers' goal. Dey and Lahiri (2021) note that ransomware inflicted $7.5 billion in losses on various organizations and institutions in 2019 in the US alone (p. 6609). Moreover, each victim incurred an average of $3.6 million in damage, which is critical for many companies (Dey and Lahiri, 2021, p. 6609). Thus, dealing with ransomware is an extremely important aspect of ensuring Internet security.
Despite the increased attention this type of malware receives at present, it has a long history of development. The first ransomware incident occurred back in 1989 when the AIDS Trojan was spread via floppy disks (Bambenek and Bashir, 2020). After receiving the malware, the victims were forced to send the ransom to the hackers’ post office box. However, in 2013, attackers gained access to encryption technologies for large-scale use of ransomware. Earlier versions of malware targeted individual computers and demanded low ransoms.
With the advancement of modern technology, ransomware has acquired more distribution channels and can now be used to block access to entire systems, which often completely halts an organization’s operations. Distribution occurs through compromising unpatched systems or phishing attacks, after which the program begins to encrypt the user’s files. Once encryption is complete, the victim is notified that the files can no longer be used and that a ransom must be paid. These advancements allowed hackers to demand much higher ransoms, which brought the issue to the attention of the government.
By 2016, ransomware had become a major cyber threat to both organizations and individuals. The US Department of Justice reported that in 2015 the number of attacks using this type of malware reached 4,000 per day (Irwin and Dawson, 2019, p. 113). The situation is complicated by the reluctance of victims to disclose publicly that they have been affected by malware. The popularity of malware among hackers can be attributed to the growing use of Bitcoin for payments.
Most ransoms are paid with cryptocurrency, which makes tracking transactions impossible (Dey and Lahiri, 2021). While transferring money to hackers is often the cheapest and fastest way to regain access, this practice encourages further growth in the number of such attacks. IT management specialists recommend organizations and individuals use data backup, which in most cases protects against ransomware (Kharraz and Kirda, 2017). However, the growing number of victims suggests that this measure is not common among users.
While the financial side of ransomware’s harm is clear, there are other critical implications. For example, the application of malware to healthcare organizations prevents them from providing emergency care, which can lead to deaths in the population (Bambenek and Bashir, 2020).
Government agencies are also less likely to pay ransoms compared to commercial organizations because they have different sources of income and stakeholders. However, the amount of money that hackers require is often several times less than the estimated cost of data recovery, which makes payment the preferred option. Many companies are also able to conceal a ransomware attack on their organization to avoid reputational losses. Thus, this type of malware not only poses a significant threat but is also difficult to track and systematically respond to. Moreover, hackers are constantly improving ransomware, making it harder to implement relevant cybersecurity measures.
The higher cost of data recovery versus ransom is the main reason why the number of ransomware attacks continues to grow. In 2020, more than half of the users who became the target of the attack transferred money to hackers (Over half of ransomware victims, 2021, para. 1). However, regardless of paying the ransom or not, only 29% of victims fully recovered their files, while 13% lost all data, and the rest of the users partially regained access (Over half of ransomware victims, 2021, para. 5). Another reason for this type of cyber fraud to thrive is the impossibility of collecting evidence of such crimes (Bambenek and Bashir, 2020). Hackers can operate from another region or country, as well as use off-bank transactions, which makes traditional tracking tools inapplicable.
Benefits and Critical Evaluation of the Outlawing
Outlawing of payments in ransomware attacks is motivated by the desire to eliminate financial incentives for cybercriminals. Policymakers are counting on the fact that, without receiving an adequate response to their actions, attackers will stop spreading malware due to the lack of benefits. Nevertheless, Bambenek and Bashir (2020), using the example of such a ban on ransom in kidnapping, emphasize that the measure does not have sufficient effect.
First of all, such bans affect victims more than criminals. Paying the ransom is often much less expensive and time-consuming than the data recovery process. Given the fact that it can take months and cost millions of dollars to regain access, many companies have to pay criminals. This step, at least with some degree of probability, returns them to normal activity, while the refusal to pay the ransom is often the reason for exiting the business. The situation is different with government agencies, which are not under pressure from the market and can opt for data recovery. However, in general, ransomware is a threat to social welfare.
Thus, in most cases, paying the ransom, especially for commercial entities, is the preferred choice. Dey and Lahiri (2021) also note another problem that points to the ineffectiveness of outlawing such payments. Most transactions are conducted in small parts and in cryptocurrency, making them impossible to trace. Thus, even with a ban, government agencies cannot properly enforce compliance, which proves these policies to be excessive. The adoption of bans on ransom payments to cybercriminals is extremely ineffective. The only likely benefit of this policy may be the desire of the victims to comply with the law. However, in cases where the well-being of the company or human lives are at stake, most will still choose to pay.
The most damaging consequence of the outlawing of paying for ransomware will be the shift in the focus of cybercriminals to types of institutions that cannot afford long-term inactivity. Such organizations include hospitals, schools, water-treatment plants, energy providers, and other similar companies (Tidy, 2021). Thus, hackers can increase the damage they can inflict on society through the suspension of vital institutions. This strategy is likely to be extremely effective, as it results not only in material losses. Moreover, cybercriminals are often protected from prosecution due to the anonymity of their activities, which will make such solutions preferable for them.
Possible Alternatives
This strategy does not work against a threat such as cybercrime. It is evident that “reducing incentives of this behavior likely will not work unless they are targeted at increasing consequences to the ransomware operators as opposed to their victims” (Bambenek and Bashir, 2020, p. 22). Effective policies should not be directed against attackers but rather to support their targets. If companies are confident that refusing to pay the ransom will not end their business, they will no longer provide incentives to criminals. An effective policy in this regard would be to provide financial support to affected organizations.
The government should help companies to survive the data recovery period. This initiative may also contain a number of conditions, according to which the company can receive assistance only once. Additionally, it may be obligated to make investments in projects engaged in the development of anti-malware programs or training of employees in cybersecurity. Therefore, organizations will be motivated not only to refuse to pay the ransom due to the reduction of possible costs but also to invest in the development of global cybersecurity.
Another more effective alternative would be to tax ransoms, which will increase the costs and motivate victims to refuse to comply with the demands of the criminals. This measure is still associated with the problem of the inability to track transactions, which makes it challenging to monitor the implementation of this policy. However, the government can combine subsidies and taxes to achieve the most positive impact of the implemented policies. A combination of these two approaches will make ransomware the least profitable choice in the eyes of victims, which can significantly reduce the number of attacks.
Combined with the approaches described, a ban on ransom payments can also be an effective measure. However, its application is possible only in those areas where the state can control and track such transactions. Thus, with sufficient investment in anti-malware technologies, cryptocurrency accounting, systems for preventing and responding to attacks, it is possible to introduce outlawing for targeted companies. Most importantly, the government must provide organizations with the resources to restore access to data so that they can later collectively build the infrastructure to combat cybercrime effectively.
Conclusion
Ransomware is the most serious cyber threat to both businesses and government agencies. A hacker attack can lead to the loss of all data and, in the long term, the inability to continue commercial activities. Outlawing ransom payments is not an effective measure to combat this type of crime, as transactions are often impossible to trace. However, by providing support to organizations in the form of subsidies, the government can motivate them to forgo payments to criminals in favor of data recovery. Moreover, such measures will stimulate investment in the development of cybersecurity technologies, as well as prevent attacks on socially significant institutions.
Reference List
Bambenek, J. C. and Bashir, M. (2020) ‘Ethics, economics, and ransomware: how human decisions grow the threat’, in Corradini, I. and Nardelli, E. (eds.) Advances in human factors in cybersecurity. New York: Springer Publishing, pp. 17-22.
Dey, D. and Lahiri, A. (2021) Should we outlaw ransomware payment? Web.
Irwin, A. and Dawson, C. (2019) ‘Following the cyber money trail: global challenges when investigating ransomware attacks and how regulation can help’, Journal of Money Laundering Control, 22(1), pp. 110-131. Web.
Kharraz, A. and Kirda, E. (2017) Redemption: real-time protection against ransomware at end-hosts. Web.
Over half of ransomware victims pay the ransom, but only a quarter see their full data returned (2021). Web.
Tidy, J. (2021) Ransomware: should paying hacker ransoms be illegal? Web.