IT security experts fear that payouts from insurers may be fueling ransomware attacks as more and more critical infrastructures across the United States fall victim to ransomware operators.
A recent spate of ransomware attacks on government and educational institutions in the United States may be linked to payouts from insurance policies, according to an Associated Press report citing several experts.
Dozens of municipal systems across the US have been breached this year by ransomware operators, and the number climbs every week. While some administrators have denied the attackers their prize, most have not. To cut the losses resulting from downtime, victims prefer to have their insurer pay the attackers' ransom in exchange for the decryption keys, according to reports. The practice, however, appears to be fueling a vicious circle.
"Once a cybercriminal finds a formula that works for them, they're going to stick to it," said Tyler Moore, a cyber security professor at the University of Tulsa. "If you're a company or a city that has this coverage, the decision of whether to pay is quite clear. It gets more difficult when you take a step back and look at the societal view."
Josephine Wolff, a professor of cybersecurity policy at Tufts University, is also against ransomware payouts from insurance.
"By saying, 'Oh, this is just something my insurance covers,' they're forgetting that is contributing direct financial resources to future criminal operations," Wolff said.
Brandi Simmons, a spokeswoman for the governor's office of technology, agrees.
"We don't know what that ransom payment is going to fund," said Simmons. "As a state government, we don't want to be in a position of funding cyberterrorists."
But according to Michael Tanenbaum, head of the Cyber North America division at Chubb insurance, things aren't always so black and white. Depending on the data held for ransom, paying the attackers may be the best option. A delicate issue like a ransomware attack may require weighing practical questions, the report says:
“How long can they operate without access to the data? Do they have functioning backups to use while experts try to get the data back? What if the stolen data can't be recovered?”
Even the FBI, which urges ransomware victims not to pay cyber criminals, concedes that certain situations may call for unconventional measures that conflict with an organization's own principles. The Bureau says critical systems, like those used by police departments, are the prime example:
“One of the reasons they can extract such large ransoms is they often target entities whose data is either a critical part of their business or that entity provides critical services, like emergency services,” according to Cyber Section Chief Herbert Stapleton. “So, a police department is a really good example of that. If a police department can’t access the necessary data and systems that they have, then there is a potential public safety risk. And so, as a result, the criminals have found that, often, these entities are willing to pay high ransoms to get their data back.”
However, the agency’s stance on ransomware payouts remains the same.
“Instead of paying the ransom, contact your local FBI field office and report it to ic3.gov as soon as possible,” the Bureau states. “When we get a ransomware complaint, we will respond to that. We will contact the victim company and work with them to determine what the best course of action going forward is.”
According to the EY Global Information Security Survey 2018-19, one of the most important areas where organizations now need to improve their capabilities is incident-response planning and execution. Another weakness identified by EY researchers is forensics, a gap that undermines organizations’ ability to understand what went wrong and to improve their protections.