Paying money to criminals is not an ordinary business transaction
Public authorities must step up their game to help SMBs
Ransomware has been on the radar with cyber security professionals for a number of years. At Corix Partners, we wrote about it for the first time 3 years ago in the summer of 2016 following a conference in London at the Institute of Directors hosted by Beazley and the topic was already quite well established as a pillar of cyber-crime. We facilitated a panel discussion on the theme at the FIC in Lille in January 2017 where law enforcement officials around the table made it clear that the problem was widespread and that they were already deeply involved in fighting it.
Amongst other recommendations, the representants of the forces and cyber-crime agencies insisted on the need to report ransomware attacks, so that they can be tracked, monitored, and — as much as possible — dealt with.
Paying the ransom was strongly discouraged for a range of reasons which we highlighted at the time:
- Several ransomwares are well known, and their keys are available to law enforcement officials: The #NoMoreRansom project and its portal nomoreransom.org — set up by Europol and others — claim to have avoided USD 108M in ransom payments during their three years of existence
- At the other end of the spectrum, some other ransomwares are known for not being “trustworthy” and paying the ransom may not result in the release of the encrypted data or may lead to a bidding game where the victim would only lose.
- Finally, paying the ransom could also be seen as a plain criminal act if it could be established that the proceeds of the ransom could be used to fund terrorism.
At the excellent conference hosted in Paris by IRT SystemX, I was shocked to see how the situation has evolved over the past few years.
The extent by which the problem has developed was not the most surprising: At the end of a piece of unprecedented field research, IRT SystemX, a leading digital engineering research institute, estimates that, out of the 5 million of French micro, small and medium enterprises, approximately 4 to 5% are now falling victim to a cryptovirus attack every year, with the total internal costs associated with dealing with the attacks in the region of EUR 700M, for an average individual ransom in the region of EUR 1,000.00 to EUR 2,000.00 (and growing).
But it was incredible to see how freely participants spoke about paying the ransom. The fact that they were financing and consolidating a criminal activity seemed totally lost.
For the SMBs in the audience, the dominant factor was a real sense of being overwhelmed by the technological problem the ransomware attack presented them with, the absence of practical support from the authorities or other bodies, and in the end, the payment of the ransom appearing like the only realistic option to SAVE their business from bankruptcy in the face of days or weeks of business paralysis, staff incomprehension, and looming clients problems.
Paying the ransom appeared to them like THE RIGHT MANAGEMENT DECISION TO MAKE in the face of a business-threatening situation, and the real shocking fact of the day that it was literally presented as a BUSINESS transaction and not a potentially criminal act. The common-sense message of the authorities — which was still resonating 3 years ago — appeared to be completely lost.
This type of normalisation of a criminal activity is highly dangerous.
Good cyber security practices protect against ransomware (strong, up to date, anti-virus; email filtering; regular backups; targeted awareness campaigns) and they need to be promoted in meaningful ways towards small businesses.
Many of the French participants to the IRT SystemX conference reported cases of SMBs simply not knowing who to talk to in the face of the problem, banks being unwilling to help around cash flow issues, and their local police authorities literally sending them away.
In many cases, it fell down to professional bodies (chambers of commerce and the like) to relay a message for which they were not prepared, and which — in some cases — was also alien to them (at least to start with).
But fundamentally, that sense of isolation felt by many SMBs in the face of the attack was a key factor in many decisions to pay the ransom.
This has to stop: The #NoMoreRansom projects shows that collaboration across the cybersecurity industry can disrupt the criminal business model behind ransomware but it is now down to public authorities to step up their game and reach out to SMBs in a more effective way, so that they can feel adequately supported in the face of cyber threats.
Paying good money to criminals cannot continue to be seen as an ordinary business transaction.