Paying Ransomware is Financing Crime, How Organisations Can Break the Cycle

Ransomware attacks have dominated the headlines over the last two years and will continue to control the cybersecurity agenda in 2023 and beyond. While ransomware gangs continue to be successful in extorting money from businesses, those that do pay demands are financing the ransomware industry and further crime. With increasing attacks on areas like critical infrastructure and healthcare, it’s now become more than just a business issue. So how did we get here, what are the implications beyond the business world, and what do organisations need to do to break the cycle?

How Ransomware democratised data theft 

Cybercrime has existed since the 1980s, and since then the cybersecurity industry has been constantly evangelising (or “fear-mongering” depending on who you ask) over cyber threats. In the last five years, however, things have really ramped up, with reportedly a staggering 90% of organisations being affected by Ransomware in the last year alone. While the world becoming increasingly digitised has been a key contributor, I’d suggest the biggest driver is bad actors finding an effective way to monetise cybercrime: ransomware. Essentially just a more “commercial” form of malware, the methods of installing ransomware on a device, such as phishing or malicious URLs, haven’t changed much.

But financial gain has always been one of the leading motives for cybercriminals, so why did it take so long to reach this point? The answer highlights the darker implications of new digital innovations, as new digital technologies have given hacking groups the perfect getaway car for their crimes. Cryptocurrencies like bitcoin, and the blockchain technology that secures them, provide a reliable and almost untraceable method of extorting money. This has turned cybercriminal groups into money-making machines – businesses in their own right. The term ‘gang’ hides just how sophisticated these organisations can be, leaked documents  showed how Conti, one of the most notorious ransomware groups on the planet, has an HR department, performance reviews and even an “employee of the month”.

The bigger picture

Beyond the first-hand financial and reputational damage caused by ransomware attacks, there is a bigger picture to consider. Cybercrime is an industry – it comprises experienced specialists and dedicated vendors of tools and services, it has even modernised to the point where RaaS (Ransomware-as-a-Service) products can be bought on a subscription basis. Like any industry, it needs profits to grow, expand and develop. Paying Ransomware demands adds fuel to the fire, and it’s not just businesses that will get caught up in the flames.

Governments, hospitals and critical infrastructure like transportation and schools are increasingly falling victim to ransomware attacks. Attacks on hospitals are becoming alarmingly common across the US and in Europe, and the US government convened over 30 countries to come together to address ongoing ransomware attacks on critical infrastructure. This isn’t just nation-state cyberattacks (a separate issue, yet the lines are becoming increasingly blurred) but the same cybercriminals who attack businesses. Two affiliate gangs of Conti, the group previously mentioned, have attacked critical infrastructure sectors in Europe including energy and pharmaceuticals.

Even though many groups say they don’t target critical infrastructure due to ethics or fear of diplomatic repercussions, ransomware is indiscriminate – the methods used can be far-reaching, and public services can easily be caught up in it.  In fact, the volume and severity of ransomware attacks are now reaching a crisis point. As they affect organisations large and small, public and private around the world, protecting yourself and not paying the ransom are critical steps to ending the crisis. It’s also a fair argument to say that organisations have a corporate responsibility to avoid paying ransomware demands and funding further crimes. But how can businesses approach this?

What businesses need to do 

It might sound like the weight of the world is on the shoulders of an organisation’s cybersecurity team, and while there’s no denying that they are under a huge amount of pressure due to ransomware, we cannot stop it at the source. Instead, organisations need to protect themselves and help stop the (crypto) cash flow of this criminal industry.

Preventing ransomware takes a combination of people, processes and technology. It’s also important to stress that, despite what people may think, the digital world and the real world are not that different. Open windows need to be locked at night (patching systems) double locks are better than one (multi-factor authentication), vital items or information needs to be locked away in a safe (data protection) and the biggest security risks are often people and staff (insider threats or failure to follow processes).

However, while prevention is a key element in this mission, and preventing an attack altogether will always be cheaper than dealing with one, it is also unrealistic to expect businesses to prevent all attacks at scale. The responsibility is not for businesses to eliminate successful ransomware attacks entirely but to reach a point where even in the case of a successful attack, the business is in a position where it doesn’t need to pay demands – they can say ‘no’ to ransomware.

This last line of defence is the backup and recovery processes in place. Ransomware demands can be ignored when an organisation has a backup of critical data with which to restore the encrypted system. All backups are not created equal, however. As ransomware and cybercriminals have become more sophisticated, cybercriminals now actively target backup repositories. According to a study this year, backup repositories were targeted in 93% of ransomware attacks, with 75% of these being successful.

The old rule for backups was to keep three copies of data, on two different types of media, with one stored offsite – known as the 3-2-1 rule. That offsite copy was in the case of a physical disaster, like a fire or a flood. Ransomware is however far more common than these nowadays, so in addition to a copy being offsite, modern backup strategies should include having a copy either offline, air-gapped (unreachable) or immutable (unchangeable). With this and a robust recovery process (design for recovery) in place, a business can reliably withstand and recover from ransomware attacks without even considering paying a ransom.

Ending the cycle   

Ransomware has democratised data theft and turned cybercrime into a profitable, developing industry as we’ve never seen before. While it’s not the responsibility of businesses to actively deal with or solve this problem at the source, enterprises do have a duty of care to other organisations and critical infrastructure around the world to not fuel the fire. Government bodies are now working towards finding solutions to the problem (if one can be found) but businesses need to invest in ransomware prevention to protect themselves from huge financial damage and the possibility of financing further crime.