The first known cyber extortion attack dates back to 1989, two decades before the invention of bitcoin. It targeted the healthcare sector: AIDS researchers fell prey to a social engineering tactic in which a Trojan horse was distributed on 20,000 floppy disks sent to attendees of the World Health Organisation AIDS conference.
With data now perceived as more valuable than oil, and possibly than human lives, were criminals quick to see human frailty as an easy gateway to that data? Or was being "Rick-rolled" in the late 2000s the light bulb moment for cyber criminals?
The turn of the decade saw a spike in such attacks, some of which shut down national healthcare systems and endangered lives in pursuit of illicit profit.
The growing use of bitcoin and other cryptocurrencies has further emboldened these criminal activities. Ransomware has proliferated and has become a substantial drain on business resources.
With the pandemic-induced spike in the use of digital platforms, it is no surprise that the incidence of ransomware has been on a steep incline both globally and in Singapore. According to Sophos' State of Ransomware 2022 report, 65% of Singaporean organisations surveyed were hit with ransomware in 2021, up from 25% in 2020.
To make matters worse, the average ransom paid by organisations in Singapore that had data encrypted in their most significant ransomware attack increased by more than sixfold from US$187,500 in 2020 to US$1.16 million in 2021.
Regulators have preached "never pay the ransom" to ransomware victims, and some have legislated a ban on paying ransoms in any circumstance. That said, this may not have impressed on enterprises and society at large the full implications of this faceless crime. Does stopping ransomware payments boil down to regulation alone?
Does it pay to pay?
The issue of paying the ransom to recover your files, especially customer and employee data, and proprietary information presents a moral dilemma for many.
The ransom could be used to fund terrorism and perpetuate other criminal activities, and paying up does not guarantee that your data will be decrypted or will not be published by the threat actors. Ironically, those who pay up may suffer repeated attacks as it reinforces the perception that they are a “soft” target.
According to Cybereason's 2022 study on ransomware's true cost to business, 80% of organisations that paid up were hit by ransomware again. 68% reported that the second attack came less than a month later and carried a higher ransom demand.
Organisations covered under a comprehensive cyber insurance policy could seek reimbursement for the costs of rectifying the network disruption caused by the malware. The decision to make any ransom payment would still rest with the insured.
For the insurer, reimbursing these funds to end a cyber extortion event is a double-edged sword. While it could reduce the overall financial losses and the cost of an insurance claim, it also raises moral and ethical issues, as the reimbursement can be seen as directly or indirectly funding the perpetrators' illegal activities. Such reimbursements could therefore attract regulatory scrutiny and require careful review by insurers.
Targeting the insured
For many of these affected companies, paying these hefty sums is seen as the only way to protect their business. Even if they have data backed up elsewhere, they may feel obliged to give in to the hackers’ demands to prevent confidential information from being exposed.
The same Sophos study found that 48% of the organisations that had data encrypted paid the ransom to get their data back, even if they had other means of data recovery, such as backups.
Bad actors are now using a form of "double extortion" in which data is exfiltrated before the system is encrypted; so even if data is backed up elsewhere, companies are still incentivised to pay to prevent the stolen data from being published. Attackers are also getting smarter, searching for victims who are insured so that they can demand a higher payout.
Building on double extortion, hackers have recently added another layer to ransomware attacks, "triple extortion", in which they also attack or extort the victim's clients and even its suppliers.
The ethical dilemma of paying the piper
While paying the piper may seem like the path of least resistance for nearly half of the affected organisations, acting for the greater public good by deterring criminal activities remains the moral imperative for businesses.
Businesses and insurers can also face substantial reputational risks from fuelling the ransomware business with the payment and reimbursement of ransoms respectively.
Some insurers have taken a hard stance against reimbursing ransomware payments. Over at MSIG, we believe that the payment of ransoms does not sit within our broader mission of developing a sustainable and vibrant society, and we do not encourage our policyholders to succumb to cyber extortion.
Regulators need to send a strong message
On the regulatory front, legislators could double down on the repercussions of paying ransoms and consider tightening laws against paying cyber extortion demands.
While it is not illegal to pay ransoms in Singapore, authorities generally do not recommend that victims of ransomware pay the threat actors. This is because the payment does not guarantee that the perpetrators would provide decryption and may even increase the likelihood of more ransomware attacks.
Ransomware attacks are unfortunately not going away and are only becoming more common. The need for a more effective response to these threats is no longer a priority for businesses alone. Our society at large needs better defences against these criminals before the cyber threat turns into far-reaching systemic problems. Rather than kicking the can down the road, the public and private spheres should work together to navigate the ransom payment dilemma and the conflict of values.