Saturday, October 19, 2024
Government Frustrated by Ransomware Payments Encouraging Cyberattacks

With an increase in ransomware attacks and 2024 projected to be a particularly challenging year, U.S. officials are exploring various strategies to combat these threats, including advocating for changes in how ransom payments are handled. Anne Neuberger, the U.S. Deputy National Security Adviser for Cyber and Emerging Technologies, has argued in a Financial Times opinion piece that insurance policies, especially those reimbursing ransomware payments, contribute to supporting criminal networks. She called for implementing stricter cybersecurity requirements as a condition for coverage to deter ransom payments.

The focus on reforming cyber insurance policies coincides with the U.S. government’s efforts to disrupt ransomware networks. A report from the Office of the Director of National Intelligence indicates that by mid-2024, over 2,300 ransomware incidents had already been recorded, with nearly half targeting U.S. organizations. This suggests that 2024 could surpass the 4,506 global attacks documented in 2023.

As policymakers examine insurance practices and other measures to counteract ransomware operations, businesses continue to face the critical decision of whether to pay ransoms. Paul Underwood, Vice President of Security at IT services company Neovera, noted that the FBI advises against paying ransoms but acknowledges that it is ultimately a business decision involving numerous factors beyond ethics and best practices.

Experts like Bryan Hornung, CEO of Xact IT Solutions, highlight the complexities involved in deciding to pay a ransom, often pressured by the urgency to restore operations and avoid further damage. The potential exposure of sensitive data heightens the fear and urgency that organizations face, as such breaches can lead to reputational harm and costly class-action lawsuits.

Incidents such as Lehigh Valley Health Network's refusal to pay a $5 million ransom in 2023 illustrate the severe consequences of data leaks: the refusal led to a class-action lawsuit and an eventual settlement for $65 million. Similarly, National Public Data faced multiple lawsuits and civil rights violations after a hacked database was posted on the dark web, with unclear details on whether a ransom was paid.

Darren Williams, founder of BlackFog, strongly opposes paying ransoms, arguing that it encourages further attacks and that once data is stolen, it is irrecoverable. The complexities of ransom payments are further compounded by the potential funding of hostile organizations or the violation of sanctions.

Regulatory scrutiny also influences decision-making in ransomware situations. Richard Caralli, a cybersecurity expert at Axio, pointed out that new SEC reporting requirements may make companies less likely to pay ransoms due to potential legal, reputational, or shareholder repercussions, though some may prioritize quick recovery despite these risks.

Cybercriminals are adapting quickly to evolving defenses, increasingly relying on data exfiltration-only attacks, stealing sensitive information without encrypting it. This shift is a response to companies’ improved recovery capabilities from encryption-based attacks. High-profile gangs like ALPHV/BlackCat and Lockbit were disrupted, but new criminal groups are rapidly emerging.

Experts agree that prevention is the best solution, recommending that businesses invest between one and three percent of top-line revenue in cybersecurity measures. Preventive actions can minimize damage from attacks and ensure that ransom payments are a last resort.

Finally, the risk from ransomware is not limited to large enterprises; it also affects small- and medium-sized businesses. If ransom payments cease, the financial incentive for attackers may decrease, but alternative criminal methods could arise.
