Ty Miller • June 14, 2021
On a weekly basis our team performs Rapid Response for breached organizations that have fallen victim to major ransomware and/or extortion campaigns, helping them get their business back up and running quickly.
In nearly all cases involving a multi-million dollar ransom, we have found that an organization large enough to afford such a payment already has a Business Continuity Plan, a Disaster Recovery Plan and a solid backup and recovery solution in place, such that around 97% of systems and data can be restored. In these cases there is no need to even consider paying the ransom, which makes the idea of deeming ransomware payments illegal sound feasible.
The problem arises with smaller companies that have limited security or backups, where the owners' entire business and family life (their sole income for house repayments, petrol, kids' schooling, food, clothes, etc.) is being held to ransom, with no option other than to pay.
Looking at it through a personal lens, where people will lose their house if they don't pay a $700 ransom, it is not realistic to expect them not to pay. Making payment illegal is likely to force them to pay in an "underground" manner to avoid detection while getting their business and life back on track.
For these businesses, paying the ransom is the only feasible option. This puts a question mark over making ransomware payments illegal, or at least makes it a more complex proposition.
Now we get to the really interesting situation: large organizations that have limited security and no backups.
This is the major concern, since these organizations are forced into paying multi-million dollar ransoms to keep their business alive and keep hundreds or thousands of staff employed.
In industries like Critical Infrastructure, this can have major effects on the wider community or even the country. This was seen with the attack on the US pipeline (Colonial Pipeline) and the attack on JBS meat processing and distribution, both of which affected multiple countries.
These multi-million dollar payments inject significant revenue into the ransomware operation, which funds the next round of campaigns, scales up the attacks even further, and has a knock-on effect on hundreds of other businesses.
Here we have a conflict: we need to recover the large organization, but by paying we are also funding future attacks.
So what is the greater good?
Unfortunately, and apologies if this offends readers in the above situation, an enterprise operating without sufficient security or backups can be classified as negligent. Don't get me wrong: I understand the challenges and I am sympathetic to your situation.
Once we start using the term "negligence", we are talking about breaches of criminal law, which opens the option of imposing major fines on organizations that make a ransomware payment. Let's say, for argument's sake, that the fine is three times the ransom paid. This significantly increases the cost of paying and acts as a strong deterrent. It is also an automatic sliding scale: a $700 ransom carries a $2,100 fine, so the SMB does not go under but is likely to invest in security going forward, while a $5 million ransom carries a $15 million fine, so the major enterprises whose payments provide significant funding to ransomware gangs are hit harder and are deterred from paying.