27 December 2021

Ransomware: To Pay or Not to Pay? Is It Legal or Illegal?

By Rahul Garg

The large number of victims who decided to pay the ransom after being hit by ransomware does not reflect the best use of the budgets allocated to cybersecurity or of shareholder capital, nor the best use of the funds provided by the insurance industry. So why have so many companies decided to pay, and what does it take to stop this from happening?

Ransomware: why so many victims decide to pay

In simple terms, it may be, or at least initially seem, more profitable to pay than not to pay. The current ransom-paying behavior likely stems from what happened during the WannaCryptor (also known as WannaCry) ransomware outbreak in 2017, when several ethically courageous organizations set a precedent by refusing to pay. One of them was the UK’s National Health Service, whose infrastructure suffered a significant impact. The reasons why it was so badly affected are well documented, as are the reconstruction costs: an estimated US$120 million. This does not take into account the human cost of the more than 19,000 canceled appointments, including cancer consultations.

Then, in 2018, the city of Atlanta suffered an attack by the SamSam ransomware that affected the server infrastructure of its smart city, and the cybercriminals demanded what at the time seemed a huge ransom: $51,000. Several years later, according to reports, we know that the cost of rebuilding the systems was between US$11 million and US$17 million. The range reflects the fact that part of the rebuild included improvements. I’m sure many City of Atlanta taxpayers would have preferred the city to pay the ransom.

With several public incidents showing that the cost of rebuilding is significantly higher than the cost of paying the ransom, the dilemma of whether or not to pay may have more to do with economics than ethics. As the two examples above are from local governments, the moral compass of these victims likely influenced the decision to try not to finance the next cybercriminal incident. Unfortunately, just one year later, the municipalities of Lake City and Riviera Beach in Florida, United States, spent US$500,000 and US$600,000, respectively, to pay the ransoms after a ransomware attack.

There is no guarantee that a decryptor will be received or that it will actually work. In fact, a recent Cybereason survey found that about half of the companies that paid ransoms failed to regain access to all their critical data after receiving the decryption keys. So why pay the ransom? Well, the ransomware business has become more commercial and sophisticated on both the victim and the attacker side. On the one hand, cybercriminals understood the value of the data they compromise once the reconstruction costs that victims face became public. On the other hand, new segments emerged in the industry, such as intermediaries hired to negotiate and insurance against computer incidents. In this way, a new business segment was born, made up of companies and individuals who began to profit by facilitating the payment of extortion demands.

It is also important to remember the devastating effects ransomware can have on a smaller business that is less likely to have access to these resources. Paying the ransom may be what determines whether the business survives to keep fighting or closes its doors forever, as happened to The Heritage Company, which had to close, leaving 300 people without jobs. In countries with privacy regulations, payment can also appear to eliminate the need to inform the regulator; however, I suspect that the breach should always be reported to the regulator, regardless of whether the payment was made on the condition that the exfiltrated data be deleted.

Paying is, in many cases, not illegal

In October 2020, the Office of Foreign Assets Control (OFAC) of the United States Department of the Treasury declared that paying attackers is, in some cases, illegal. To be clear, it is illegal to facilitate payment to individuals, organizations, regimes, and in some cases entire countries that are on the sanctions list. It is worth clarifying that some cybercriminal groups are on the sanctions list. So, wasn’t it already illegal to send, or facilitate the sending of, funds to someone on the sanctions list? I think it probably was. So what’s new in this announcement? The answer is politics: voters must think their governments are doing something to stop the wave of payments to cybercriminals. The European Union follows a similar system, with a sanctions regime that prohibits making funds available to those on the official sanctions list.

Aside from the OFAC ruling, there is still no clear guidance on ransomware payments in the United States and, according to experts, the payment may even be tax deductible. This can influence the decision-making process about whether or not a company gives in to extortion.

Attributing the location of, or the people behind, a cyberattack is difficult to prove, and technology generally helps many of these groups remain anonymous and nomadic, at least in part. However, knowing who is being paid could be critical when deciding whether or not to pay, as inadvertently paying a person or group on a sanctions list could put the payer on the wrong side of the law. Remember that some people on the list may take the opportunity to hide within a group, and still share in the profits, possibly making the payment illegal.

The recent payment of 75 bitcoins (US$4.4 million at the time) by Colonial Pipeline, despite the FBI’s subsequent recovery of 63.7 bitcoins (equivalent to US$2.3 million at the time of the recovery, but US$3.7 million when the ransom was paid), shows that using the sanctions list to prohibit payment is ineffective. Darkside, the group behind the attack on the pipeline company and believed to be based in Russia, had been careful to avoid the sanctions list by ensuring, for example, that the data it stored was not hosted in Iran, thus keeping its “business” in regions that are not on the sanctions list.

Ransomware as a Service (RaaS) as a business model

The group of cybercriminals behind Darkside disbanded due to the unwanted attention caused by the Colonial Pipeline incident. Was it on the sanctions list, and did its closure have anything to do with its anticipated revenue being impacted as a result? “No and no.” I don’t know why all known cybercriminal groups are not on the sanctions list, but maybe there is a good reason. These groups are usually service providers and are not the ones carrying out the attacks or looking for potential victims; rather, they provide the infrastructure and services to other attackers and then split the profits. This is often referred to as “ransomware as a service” or RaaS, and the actual attackers are commercial affiliates of the ransomware group.

Attackers identify targets, somehow infiltrate their networks, identify sensitive information, exfiltrate copies of confidential data, and then drop malicious code from their RaaS provider – such as Darkside – on the victim. RaaS providers make it easy for their affiliates to attack by providing backend services, and the profits, once the victim pays, are split, usually 75/25. When Darkside decided to go out of business, other RaaS providers likely benefited from new affiliates.

This could raise the question of who is really responsible for an attack: the affiliate or the service provider? In the media, the attack is usually attributed to the service provider, which is identified by the type of malicious code, payment details and other characteristics of each ransomware group. What is rarely heard of is the person initiating the incident, the affiliate, who could be anyone from a shady-looking individual on the side of the road to, of course, a cybercriminal exploiting unpatched vulnerabilities or using targeted phishing attacks and operating a well-resourced, scalable cybercrime business.

The current trend is to exfiltrate data and prevent access to files by encrypting them; therefore, attacks now commonly involve a data breach.

Is it illegal to pay to prevent data from being published or sold?

The risk that personal or sensitive information may be disclosed or sold on the dark web could be seen as yet another form of extortion, allowing attackers to profit through coercion, which in most jurisdictions is a criminal offense. In the United States, where the highest number of ransomware attacks has been recorded in recent times, extortion includes both the seizure of private information and the intention to provoke fear by threatening the victim that something may happen to them if they do not comply with the extortionists’ demands. Data encryption and the loss of access to systems in a ransomware incident are things that have already happened to the victim, but the fear that the exfiltrated data will be sold or published on the dark web is what instills fear in the victim.

While I am not a lawyer, as far as I know it is illegal to demand a ransom payment, but it does not appear to be illegal to make the payment if you are the victim. So this is another scenario where paying cybercriminals appears not to be illegal.

Are negotiators and cyber insurance causing or solving the problem?

The current trend of paying attackers and the attitude that “it’s just a cost of doing business” is not healthy. The question that senior managers must ask themselves should focus on how to make the organization as secure as possible, taking all possible precautions. With insurance, there is likely to be a kind of complacency: by complying with the minimum requirements established by the insurer, some organizations may carry on with “business as usual”, knowing that, if an unfortunate incident occurs, the company can resort to its insurance. The two incidents that affected the cities of Riviera Beach and Lake City were covered by insurers, as was the payment of $475,000 made by the University of Utah. Reportedly, Colonial Pipeline was also partially covered by cyber insurance, although it is unclear whether it made use of it.

While cyber insurance can fund the ransom payment and this minimizes the impact of the incident, there are other costs involved after a ransomware attack. Norsk Hydro’s insurers paid US$20.2 million after the company became a victim of ransomware in 2019, against a total cost estimated at between US$58 million and US$70 million. The additional amount was likely covered by the insurance company as well. Surely, if Norsk Hydro or any other company that was a victim of ransomware had the opportunity to turn back time, it would choose to invest that money in improving security rather than in covering the costs after an attack.

If I were the cybercriminal, the first thing I would do would be to find out who has cyber insurance, in order to put together a list of targets that are most likely to pay. After all, it’s not their money, so why wouldn’t they? This may be why the insurance company CNA Financial was attacked and paid $40 million to regain access to its systems and, I assume, to recover the data that was stolen. As a company offering cyber insurance, the payment could be seen as an attempt to prevent CNA’s clients from being attacked, since the insurer would end up paying for each attack. This assumes that the cybercriminals accessed the customer list, which is not clear. On the other hand, if the insurance company itself pays the ransom, it would be difficult for it not to pay if one of its insured clients were attacked; therefore paying in this case could send the wrong message.

Cyber insurance is probably here to stay, but the conditions that insurers should require from a cybersecurity perspective – a recovery and response plan – should set extremely high standards, thus reducing the possibility of any type of claim being made.

Time to ban ransomware payments?

The Conti ransomware attack in May this year on the Irish Health Service Executive (HSE) could highlight a reason not to prohibit paying cybercriminals for a decryptor, while still prohibiting payments made so that they do not publish the data they have exfiltrated. As in the case of the Colonial Pipeline attack, no government wants to see long lines form at gas stations, and if not paying means that a service to citizens cannot be provided, or only in a limited way, this could be politically damaging. In this sense, there is a moral dilemma when an attack on critical infrastructure occurs, especially because it is known that paying finances future attacks. Therefore, the decision to pay or not is difficult, especially when it comes to a health care service.

Paying the ransom to ransomware groups also appears to open the door to a second attack by cybercriminals: according to the Cybereason survey mentioned above, 80% of companies that pay the ransom subsequently suffer another attack, and 46% of the companies that paid believe it was the same attacker. If the data shows that payment triggers additional attacks, banning the first payment would significantly change cybercriminals’ opportunity to make money.

I appreciate the argument against prohibiting payments after a ransomware attack because of the potential harm or risk to human life; however, this position appears to contradict current legislation. If the group that launches the next attack on a major health service is on the sanctions list, paying is already illegal. This means that organizations can pay some cybercriminals, but not others. If the moral dilemma is about protecting citizens, then it should be legal for a hospital, for example, to pay in any ransomware attack, regardless of who the attacker is identified as.

Using the sanctions list created by the United States government to determine which cybercriminals can be paid a ransom and which cannot seems, in my opinion, not to be the correct course of action.

The enigma of cryptocurrencies

As those who know me know, this is an issue that leads me to rant and agitate, both because of the lack of regulation and because of the extreme energy consumption used to process transactions. Most financial institutions are regulated and required to meet certain standards that prevent and detect money laundering, that is, the laundering of money obtained through criminal activities. Opening a bank account or investing with a new financial organization requires the person to prove their identity beyond all doubt, by providing passports, utility bills, and much more personal information. In some countries, this extends to the need to retain an attorney for a real estate transaction and many other types of services and transactions. And then there are cryptocurrencies, with great appeal for brave investors, and the type of currency chosen by cybercriminals to request ransom payments.

The levels of anonymity that cryptocurrencies provide have made them the method of choice for attackers to request ransom payments from victims without revealing who is receiving the payment. However, this is not the same for all cryptocurrencies: some provide certain information about the receiving wallet, but not about who is behind the wallet, while other coins even hide the wallet itself.

During the last month it became clear that there is confusion among politicians about how to regulate cryptocurrencies. El Salvador announced its intention to accept bitcoin as legal tender within three months of the announcement, alongside the US dollar, which is the current legal tender. However, the World Bank rejected a request from the country for help with the implementation, citing concerns about transparency and environmental issues. Cryptocurrency mining consumes significant amounts of energy and, in a world concerned about the environment, this is by no means ecological: currently the energy consumption of Bitcoin is the same as that of the whole of Argentina.

Sichuan Province in China also cited power consumption issues and recently issued an order to stop bitcoin mining in the region. Subsequently, the Chinese state ordered banks and payment platforms to stop supporting digital currency transactions. Confusion will undoubtedly continue, with countries making unilateral decisions in an attempt to react to the relatively new world of digital currencies.

Cryptocurrency has solved a big problem for cybercriminals: how to get paid without revealing your identity. It has also created demand for cryptocurrencies: for each victim who pays, demand is generated to acquire the currency to make the payment. This demand raises the value of the currency, and the market appreciates it. When the FBI announced that it had managed to seize the crypto wallet and recover 63.7 bitcoins (US$2.3 million) of the Colonial Pipeline payment, the general cryptocurrency market declined on the news. As the market is a roller coaster, this may just be a coincidence.

Interestingly, if you invest in cryptocurrencies and accept that the demand for the coins is created in part by cybercriminals (which in turn increases their value), then you are, in part, indirectly benefiting from criminal activity. I recently shared this thought in a room with law enforcement professionals, some of whom admitted to investing in cryptocurrencies. This created a moment of silence in the room.


This disregard for those who prefer to behave correctly and not finance cybercrime by paying ransoms to ransomware groups contributes to a belief that financing criminal activity is acceptable. It is not.

The right thing to do is to make funding cybercriminals illegal, and lawmakers should take action to prevent payments from being made. There may be an advantage for those countries that decide to pass laws prohibiting payments: if a country or region passes legislation that prohibits any company or organization from paying a ransomware ransom, cybercriminals will adapt their business and focus their campaigns on the countries that have yet to act. If this view makes sense, then now is the time to act and push for payments to be made illegal.

However, reality indicates that there may be a middle ground to ensure that companies that consider paying (because it is the easiest option) do not do so. If cyber risk insurance included a cap or a deductible to be paid by the insured of 50% of the cost of the incident, and could only be invoked when the police or a regulator had been notified before the payment was made, then the willingness to pay might change. If there were a regulatory body to which these types of incidents, and any payments, had to be reported, we would better understand the magnitude of the problem, since such a body would have a more complete view of all incidents. The regulator could also function as a repository for decryptors, know who is on the sanctions list, involve the relevant security agencies, notify privacy regulators, and know the scope and outcome of previous negotiations.

It is worth noting that a recent memorandum issued by the US Department of Justice establishes requirements for notifying the Computer Crime and Intellectual Property Section of the Criminal Division in cases involving ransomware and/or digital extortion, or involving infrastructure used in ransomware and extortion schemes. While this centralizes knowledge, it applies only to cases that are being investigated. There is no mandatory requirement for a company to report a ransomware attack, at least as far as I know. However, all victims are encouraged and urged to contact law enforcement.

If you consider that the revenue generated from the payment of a ransomware ransom is illicit proceeds from criminal activity, could cryptocurrencies as a whole be responsible for money laundering, or be providing a safe harbor for funds attributed to cybercrime? Despite their popularity, governments do not recognize cryptocurrencies as currency; instead, they see them as an investment vehicle subject to capital gains tax, should you be lucky enough to invest and make money. Any investment company that receives funds obtained directly from criminal activity must be committing a crime, so why not the entire cryptocurrency market, until it has full transparency and regulation?

In short: make paying the ransom illegal, or at least limit the role of the cyber insurance market and force companies to report incidents to a cyber incident regulator, and regulate cryptocurrencies to eliminate the pseudo-right to anonymity. All of these could make a significant difference in the fight against cybercriminals.
