In May 2021, North Carolina became the first state to ban ransom payments. The ban prohibits official government organizations (the public sector) from paying a ransom in response to a ransomware attack. North Carolina's goal was to make the state less lucrative to attackers and thus deter ransomware attacks from targeting businesses and individuals in the state.
Three other states, Texas, Pennsylvania, and New York, have drafted legislation to outlaw ransom payments, but only New York's draft would bar both public-sector and private-sector organizations from paying.
State governments everywhere are considering legislation to protect businesses against ransomware attacks and prevent ransom payments, and lobbying in support of laws at the federal level has heated up. They all share the same goal: make ransomware unprofitable because criminals won't get paid.
Here’s How Ransomware Works
A ransomware attack encrypts files and important data and holds them until a ransom payment is made. The ransomware takes legible data and turns it into a jumbled mess of letters, symbols, and numbers. Encrypted files are completely unreadable to both users and the software that normally opens them. In this way, criminals lock access to critical data.
The only way to restore the data is to obtain a decryption key, which turns the data back into its legible form. Normally, a decryption key can only be obtained from the criminal who wrote (or purchased) the ransomware. Payments are almost always made in cryptocurrency such as bitcoin.
Criminals provide a time window in which to submit the crypto payment to the criminal's wallet. A ransom can be as inexpensive as a few hundred dollars or a fortune like the $40 million paid by CNA in 2021. That number may sound too high to be true, but ransoms often run well over a million dollars. If the ransom is not paid, criminals will either leave the data encrypted, renegotiate the amount, leak the data online, or sell it on the dark web if the data is valuable enough.
Here’s Why Anti-Ransom Legislation is Unlikely to Curb Ransomware Attacks
Criminals Don’t Follow the Law
Ransomware attacks are illegal activity, and criminals do not care about laws as long as they are being paid, especially when the cyber criminals launching the attacks are located in other countries.
The assumption behind governments passing anti-ransom laws is that criminals won't attack or make ransom demands of businesses because it simply isn't profitable when businesses cannot legally pay. But criminals typically don't take laws into account when acting.
Ransomware spreads most commonly through phishing scams, RDP infiltration, and obtaining credentials directly. Laws can potentially thwart direct social engineering attempts to obtain credentials, but RDP and phishing attacks (which cast a wide net) are more common. During a phishing campaign, hackers send malicious emails to whatever random addresses they have obtained. RDP attacks look for networks with exposed RDP connections; the attacker then gets direct access to the system and encrypts files. Attackers aren't going to waste time stopping to consider whether the victims they are targeting are legally able to pay a ransom or not.
The result will likely be that many of the same institutions are hacked for the same reasons as before. The only difference is whether or not the victims will pay, which brings up the issues with anti-ransom laws themselves.
The Laws Have too Many Holes
The only victims bound by the anti-ransom laws passed so far are in the public sector. And while it's true that government and other public institutions are among the most heavily impacted by ransomware, the law leaves the private sector wide open.
There are also provisions that make the law relatively toothless for public institutions.
In the case of North Carolina's recent law, the law states that a ransom can be paid by state institutions if it's an "emergency". This emergency provision hearkens back to the Colonial Pipeline attack early in 2021. The government of North Carolina realizes that inactivity or recovery can cost more than the ransom and cause societal damage. And that's all hackers need to hear.
Hackers can still go after critical targets because the ability to pay in case of emergency means the legislation is relatively toothless for many critical government targets. And even if there isn’t a provision to pay during emergencies, governments are almost guaranteed to pay in “emergency” situations regardless of the law.
The emergency exception, together with holding only government and public entities to anti-ransom laws, limits their ability to deter attackers from the state. While more ransomware attacks are starting to target specific systems and entities, wide-net phishing attacks and RDP breaches are still very common ways of infiltrating victims. This means that in a market like the US, where most institutions are private (including critical infrastructure like healthcare and energy), the most profitable targets in each state are still fair game. Public and private institutions in these states will therefore continue to be targeted.
The Law Doesn’t Consider Costs Beyond Ransom
Many victims choose to pay a ransom because the cost of downtime and/or the time needed to recover the data would be far more costly than simply decrypting it.
Decryption keys and tools are few and far between for novel ransomware, meaning the only way for many victims to recover their data is to actually pay the criminals to provide a decryption key. Paying for a decryption key is also usually the most timely and convenient option (saving on downtime costs). All a victim typically needs to do is follow the payment link on the ransom note.
Put into numbers, according to Sophos the average cost to recover from ransomware was $1.85 million in 2021. This is in contrast to an average ransom payment of only $170,404 in 2020 (Sophos). To learn more about the specifics of what goes into ransomware recovery, you can read this article from Backblaze.
The issue for businesses and for governments passing anti-ransom laws is that a ransom payment is often the least expensive way to get up and running again. If governments want to make paying a ransom illegal, they will need to financially assist businesses (especially SMBs). A criticism of anti-ransom laws is that they lack provisions for tackling the issue of non-ransom recovery costs and which parties are responsible for them. Nor do the laws create funds for ransomware recovery.
Unless the issue of non-ransom money expenses is resolved in anti-ransom legislation, many businesses will continue to pay ransom, further encouraging attackers.
Laws Do Not Mandate Basic Security Measures
The most successful way to avoid paying a ransom is to prevent a ransomware attack in the first place. Technologies like 2FA, password managers, DKIM, and Active Directory have given businesses a lot of tools to combat ransomware.
If governments want to require businesses not to pay ransom money, they also need to establish security guidelines, especially for the public-sector organizations they have more direct control over. For example, an official government organization like a school might be required to have 2FA enabled for access to student grades, or to require a VPN connection for students to access any files stored in their school accounts. Tools like these allow those accessing important data to be safely connected while thwarting attackers.
Businesses can also use tools like Zebra Ransomware Stopper to prevent ransomware from activating on already infected systems.
Questions Remain on What To Do About Leaks
The laws that target ransomware are only considering the legacy cyber crime practice of encrypting files and then asking for a ransom to decrypt those files. But modern ransomware criminals are smarter than that, and if they gain access to the system they will often leak data to the dark web if a ransom isn’t paid. This complicates matters because not only might the data be unrecoverable, but institutions that suffer from data leaks might face severe lawsuits.
Ultimately the best solution is to prevent hackers from obtaining data by establishing good security practices. But if criminals already have your data, really the only solution is to pay the ransom and hope the data isn’t leaked.
Government will need to think about how to adjust their law for data leaks. An example would be a cyber criminal syndicate hacking a school and getting every student and their parents’ social security numbers. Does the government still say the school can’t pay? Or do they make an exception?
It Will Be Difficult to Know Who Paid Ransom
The common practice for organizations affected by ransomware is to either stay silent about paying ransom or refute it. The government is going to have a difficult time ascertaining which organizations have, or have not paid ransom.
The US government is now forcing many businesses in critical sectors to report attacks within a certain window of time. And from that the government will likely also learn about any ransom demands. But other than simply reporting a breach, businesses can remain mum on specific information related to the attack. Organizations are very unlikely to share sensitive information with the public or government.
Big organizations that are in the government’s eye might deny paying ransom or remain ambiguous. But the bigger challenge is smaller organizations and SMBs that the government isn’t monitoring.
Ransom payments are made directly to crypto wallets. They do not pass through the US financial system the way a PayPal payment might. Crypto is blockchain-based and meant to be anonymous. If the government is not actively involved with or monitoring the particular organization attacked, it will be none the wiser as to whether a ransom payment has been made.
Organizations will be even more incentivized to remain secretive about ransom payments in fear of retribution from the government.
How Will Taxpayers Respond?
If public organizations cannot pay a ransom and instead must endure the more costly process of recovering data (and face other costs like lawsuits), those costs may eventually come back to taxpayers.
Paying more for data recovery means less money in the budget for other services. And if there is a new tax to help businesses and government entities to recover from ransom, that extra tax might not be well received by the public.
And like most policies that require taxes, there will be disagreement amongst different governments whether or not to financially assist organizations in recovering from ransomware. This could fracture policy involving ransom payment in different locations and at different levels of government, undermining the overall effort to ban ransom payments.
How to Defend Against Ransomware
The government effort to ban payments has good intentions, but these new laws will not solve ransomware attacks. The reality is that ransomware is a crime, and like other crimes, it still happens even if it's technically illegal to pay the criminal.
Instead, both public and private organizations need to invest in proper defensive measures so that the issue of whether to pay a ransom does not come up.
Assess Current and Needed Security Measures
Before organizations are able to defend themselves, they need to understand where they stand regarding prevention and recovery. Using a framework like NIST's can help with this. Essentially, the NIST framework divides the organization into areas and assigns responsibility for each to different individuals or departments. Those responsible must make sure they understand where the organization currently is and know what action to take to recover from an attack.
An example would be that the organization has identified that their file servers need protecting. So they assign a team to research what needs to be protected, how it needs to be protected, how to respond in the event that the file servers are breached, and what the best way to recover is.
Once a plan is put in place, the organization can invest in technology and talent to make sure that plan is carried out.
You can read more about the NIST framework and how it works in our blog article here.
Invest in Technology
Depending on the organization, cyber security doesn't need to be insanely expensive. Some of the most effective technologies include secure passwords, 2FA, and email with DKIM. Those with sensitive data should also incorporate other technologies, though, like Active Directory to control employee credentials, firewalls, and email encryption tools.
Cyber security software is its own niche of technology, but it includes anti-malware (Malwarebytes), anti-ransomware (Zebra Ransomware Stopper), software firewalls, and generic anti-virus. Many of these technologies are either inexpensive or priced reasonably enough that SMBs should strongly consider them. Zebra Ransomware Stopper (ZRS) is only $5/endpoint/month, for example.
Most ransomware is easy to prevent if cyber security technology is properly implemented and maintained.
Invest in Employee Education
Many ransomware attacks happen because of human error. To prevent cybercrime, it's imperative that organizations train employees to protect themselves while using the internet. For example, if a suspicious email comes with an attachment, the employee should never download the attachment without asking for clarification.
Make sure employees have proper training when they first begin so that they can identify malicious websites and emails. Also make sure they understand common ways hackers infiltrate the business and the importance of keeping unique, complex passwords that are changed often.
Businesses should also make sure training is regular and continuous. Like having a once a quarter meeting alerting employees of new scams and re-training them to spot malicious content. Ransomware and other threats like malware change often, so training will need to be refreshed.
Have a Plan B for Infection
Even if your business has invested in the proper talent, technology, and training to defend against ransomware, it can still happen. All it takes is someone forgetting an open port, or lazily not verifying an email, to infect an entire network.
Ransomware can slip through the cracks, so it's important that you have a last line of defense in case ransomware starts encrypting your files.
Zebra Ransomware Stopper gives businesses a way to protect systems even if they've already been compromised by ransomware.
Zebra Ransomware Stopper deploys decoy files that sit between ransomware and your important files. When a ransomware script begins to encrypt files on an affected device, it trips over the decoy files. Each decoy file then contributes to slowing, and eventually stopping the encryption process, saving your valuable files.
Finally, to avoid further damage to your network, ZRS can be set up to automatically shut off your system.
To see a demonstration of Zebra Ransomware Stopper take a look at this video of ZRS stopping a piece of live ransomware.
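The decoy-file idea described above can be illustrated with a small monitor. The following is an added example, not Zebra Ransomware Stopper's code or any description of how ZRS works internally: it plants decoy files with names that sort ahead of real documents (an assumed layout), records a hash baseline, and on each check reports decoys that have gone missing (deleted or renamed with a new extension) or been rewritten, using byte entropy to flag content that looks like ciphertext. The tampering in `demo()` is constructed: random bytes stand in for encrypted output and a rename stands in for an appended ransom extension.

```python
import hashlib
import math
import os
import tempfile
from pathlib import Path

# Constructed decoy content: looks like an ordinary office document to a
# program walking the directory, but its only job is to be touched first.
DECOY_CONTENT = b"Quarterly budget notes - internal use only. Do not redistribute.\n" * 64


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: plain text sits around 4 to 5,
    encrypted or compressed output approaches 8.0."""
    if not data:
        return 0.0
    counts = [0] * 256
    for byte in data:
        counts[byte] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def plant_decoys(root: Path, count: int = 3) -> dict:
    """Write decoy files into `root` and return a {path: sha256} baseline.

    Hypothetical naming scheme: names starting with '!' sort before real
    documents, so an alphabetical directory walk reaches them first.
    """
    baseline = {}
    for i in range(count):
        path = root / f"!00_budget_{i}.docx"
        path.write_bytes(DECOY_CONTENT)
        baseline[str(path)] = hashlib.sha256(DECOY_CONTENT).hexdigest()
    return baseline


def check_decoys(baseline: dict, entropy_threshold: float = 7.0) -> list:
    """Compare every decoy against its baseline hash.

    Returns a list of (path, reason) tuples for decoys that are missing
    (deleted or renamed), rewritten, or rewritten with high-entropy
    content, which is what encryption leaves behind. An empty list means
    no decoy has been touched.
    """
    alerts = []
    for path_str, digest in baseline.items():
        path = Path(path_str)
        if not path.exists():
            alerts.append((path_str, "missing"))
            continue
        data = path.read_bytes()
        if hashlib.sha256(data).hexdigest() == digest:
            continue
        if shannon_entropy(data) >= entropy_threshold:
            alerts.append((path_str, "rewritten-high-entropy"))
        else:
            alerts.append((path_str, "rewritten"))
    return alerts


def demo() -> tuple:
    """Plant decoys in a temporary directory, verify a clean check, then
    simulate tampering (constructed: random bytes stand in for ciphertext,
    a rename stands in for an appended ransom extension) and check again."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        baseline = plant_decoys(root)
        clean = check_decoys(baseline)
        paths = list(baseline)
        Path(paths[0]).write_bytes(os.urandom(4096))
        Path(paths[1]).rename(paths[1] + ".locked")
        alerts = check_decoys(baseline)
    return clean, alerts


if __name__ == "__main__":
    clean, alerts = demo()
    print("clean check:", clean)
    for path, reason in alerts:
        print(f"ALERT {reason}: {path}")
```

In practice a check like this would run on a short timer or be wired to file-system change notifications, and a non-empty alert list is the trigger for the response step (isolating the host, stopping the offending process) rather than something to merely log. The hash comparison catches any change; the entropy test only distinguishes a decoy that was overwritten with ciphertext-like bytes from one that was edited by an ordinary program.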
Remain Skeptical
To prevent ransomware, both your team and technology need to remain skeptical of everything. Never assume any outside network connection is completely safe.
Businesses have turned to a security strategy known as zero-trust in recent years. The philosophy is that technology employed within the organization and its partners shouldn’t ever assume those accessing critical systems are to be trusted. For example, a zero trust system would require an authenticated network connection through something like a VPN and require two-factor authentication to login. Once the user wants to access those same files, they would have to also login again. During the time they are working in the system, all actions are logged and monitored. The goal is to have users be safely connected, while all possible threats are blocked.
Know Some Experts
Depending on your industry, your business may be at greater risk of a ransomware attack. In these cases, it's often not enough to rely only on your internal staff for security preparation. Instead, you should get to know some experts. And these experts don't all have to be expensive pen testers; they can be:
People from a Cyber Security Networking Group
Even just going to local cybersecurity networking events can help you thwart ransomware attacks. You will network with individuals in the field of cyber security, learn the latest ransomware news, and maybe meet contractors that can help you if you need extra help outside your internal team.
A Cyber Security Firm
There are many cyber security firms, large and global and small and local. A cyber security firm can audit your business and make sure you have strong security practices in place.
A Pen Tester
If you are in a business like finance or healthcare, you may find value in knowing a pen tester. A pen tester will essentially hack into your systems and expose weaknesses in your security. This service is expensive (often running between $10K and $30K) but is worth its weight in gold for businesses subject to intense regulation. After all, if a pen tester can find a hole, so can a ransomware hacker.
Support Team at Your Cloud Provider
If your business hosts data off-site and in the cloud, speaking to the technical support team at your cloud provider can help. They can point out resources that may already come with your services.
And if your cloud provider offers personalized solutions, as ZebraHost does, they can find technology or experts that can help you defend against ransomware.
Keep Backups
Still the most effective way to recover from ransomware is to keep backups. A frequent, consistent backup schedule can be the difference between a ransomware attack being just a security slip up, or becoming the downfall of your business.
We recommend that snapshots be taken at least daily. You should also look into implementing immutable backups, which are backups that cannot be altered once created.
If your business must back up data for a long period of time, as HIPAA mandates, you may also want to consider offline backups kept on a medium like tape. Offline backups are part of a zero-trust strategy, and data is never safer from ransomware than when it is off the network and disconnected from your systems entirely.
Summary
Government laws that prohibit public (and sometimes private) institutions from paying a ransom have good intentions, but they are unlikely to deter ransomware. Ransomware is difficult for law enforcement to counteract, and if an official government organization or other public institution is attacked, there are serious questions about how its data will be recovered and what costs might be incurred.
The provisions also fail to require basic security requirements for public entities.
More anti-ransomware legislation is going to be proposed by government across the world. The European Union is also trying other creative ways to deter ransomware such as making bitcoin traceable.
Only time will tell if these laws are effective at deterring ransomware. But until then, don’t wait to protect yourself against ransomware. Use the tips provided in this article to make sure your business doesn’t fall to the next big ransomware attack.