While ransomware will likely continue to plague the United States and other countries for decades, policymakers should expand incident reporting around ransom payments and other data, while providing targeted tax breaks to the small and medium-sized businesses that make up the majority of victims.
That’s the conclusion of a new report released Tuesday by the Atlantic Council’s Cyber Statecraft Initiative. The findings were borne out of research and interviews with 55 experts in ransomware, cybercrime and law enforcement.
While ransomware observers debate whether the problem has gotten better or worse over the past year, there is little question that the problem has metastasized over the last decade. Citing data from Coveware, the report notes that from the summer of 2018 to 2020, the average ransom payment grew from less than $6,000 to nearly $240,000, while the median payment ballooned to more than $100,000.
“It should not take another shock like the Colonial Pipeline attack for the US government to realize that ransomware has spiraled out of control. It is time to start investing in a more secure future,” the report concludes in its introduction.
The research highlights three factors driving the ransomware problem, none of which will be surprising to long-time observers.
First, many organizations — especially small- and medium-sized businesses — continue to have bad security programs that provide ransomware actors with plenty of easy targets to choose from. Second, the rise of underregulated cryptocurrencies that allow for quick and (pseudo) anonymous payment to criminal groups.
Finally, these groups have increasingly taken advantage of the protections that come from operating from within countries that are hostile or indifferent to U.S. and Western law enforcement priorities. These days, that usually means Russia, and research from companies like Chainalysis have concluded that about three out of every four dollars paid in ransoms in 2021 went to organizations that operated in or were aligned with Moscow. Before that, half of all funds traced from cybercriminals to exchange hosted wallets ended up at two cryptocurrency exchanges based in China.
Any effort to further regulate cryptocurrencies would likely require the cooperation of Russia or China, two countries that have geopolitical or financial reasons to undermine or sabotage any U.S.-led efforts. For these countries, cryptocurrencies is “a market where low regulations is a competitive advantage,” said John Sakellariadis, a Fullbright scholar, researcher and author of the report, in an interview.
All U.S. organizations should report ransomware incidents, other report recommendations
The report makes three primary recommendations to policymakers: Congress should extend incident reporting mandates around ransomware to all U.S. entities, not just critical infrastructure entities or publicly traded companies that are already being subjected to regulation by CISA or the SEC. These requirements should include — at minimum — the size and date of the payment and sending and receiving addresses for the transaction. Other details, like the size of the organization and its industrial sector, may also be helpful to agencies like CISA.
Unlike critical infrastructure or publicly traded companies, the connection between government oversight and public interest is not as clear-cut in the case of private businesses, nonprofits and some other sectors. Getting Congress to consider incorporating these entities into incident reporting on ransomware would probably mean “you have to make a lot of concessions to industry.” While CISA officials have been keen to highlight their willingness to share incident reporting data with the FBI and law enforcement, there would need to be significantly stricter guardrails around how they share similar data for private companies or non-governmental organizations.
“A, the reports would not go to a regulator or a law enforcement agency like FBI, they would go to CISA; and B, the government cannot take the information in the reports and use them as predicate for an investigation,” Sakellariadis said as he described some of the conditions that would likely need to be met to push a law through.
The other recommendations urge policymakers to build in tax relief for small- and medium-sized organizations, the most likely victims of ransomware and the most likely to underinvest in security. These tax breaks could be tied to the implementation of basic best practices that are known to cut down on ransomware risk, such as developing backups for your data, implementing multi-factor authentication for remote access and developing proactive incident response plans.
It also suggests creating a vehicle similar to the Work Opportunity Tax Credit that offers tax breaks for organizations that hire outsider cybersecurity expertise or have meaningful programs to develop employees from within.
“One of the big challenges here is thinking about how to get ‘left of boom’ interventions to help these companies take [a mindset of] an ounce of prevention is worth a pound of cure,” said Sakellariadis.
None of the recommendations touch on further regulation of cryptocurrency, a space he said turned out to be more much more complicated and rife with unintended consequences than he initially thought.
Although companies like Chainalysis and others have had some success monitoring ransom payments on the blockchain through their tracking technologies, interviews Sakellariadis conducted with ransomware negotiators, victims, law enforcement officials and cybercrime left him realizing that even on the cryptocurrency side, further regulations or interventions at the monetization layer probably aren’t going to be a silver bullet.
“If law enforcement started intervening on the cryptocurrency side and interdicting payments … it’s possible that criminals won’t keep up their end of the bargain with victims,” he said, noting that incidents like law enforcement retrieving $2.3 million in Bitcoin from the Colonial Pipeline hackers is still rare and far from the norm. “So you’re risking harm to the victim and if there is this risk that the payment won’t go through because of law enforcement actions, the victims begin to say to themselves, ‘OK, we’re not going to inform law enforcement of the payment, at least until after we get the decryptor.’ If it makes it them less inclined to cooperate with law enforcement, that becomes very difficult to enforce at scale.”