You pay the ransom
In October 2020, the U.S. Treasury Department issued an advisory warning domestic financial institutions that facilitating ransom payments on behalf of ransomware victims could violate Office of Foreign Assets Control (OFAC) sanctions. The advisory noted that many ransomware actors are themselves sanctioned persons or operate from sanctioned jurisdictions; the examples it cited were tied to North Korea, Russia, the Crimea region of Ukraine, Iran, and Syria. Shortly after that warning was issued I published an article titled “Ransom and Rats” in which I explained why law enforcement strongly discourages ransom payments. Paying the ransom perpetuates and broadens the crime by rewarding the bad guys for their criminal conduct. I likened the ransomware actors to the rats used by psychologist B.F. Skinner. If the rat gets food every time it hits the bar, it is going to keep hitting the bar. If ransomware actors continue to get paid, they are going to keep spreading ransomware!
Of the classical criminological theories that can be applied to cyber-enabled crime, Rational Choice Theory fits ransomware actors perfectly. The theory holds that people are free to choose their behavior and make those choices to avoid pain and pursue pleasure. People commit crime because it is rewarding in some way, whether mentally, physically, or financially. Offenders will commit a crime when it is fun, satisfying, easy, and financially rewarding. Crime is discouraged by the fear of punishment: if offenders believe they will be identified, captured, and punished, they are less likely to engage in a given criminal activity. People weigh the costs against the benefits when deciding whether to commit a crime and act in their own best interest. They make a rational choice.
This is the basis of the current ransomware epidemic. Ransomware attacks are easy to carry out, the likelihood of identification or capture is low, and they are profitable. If you have no moral convictions prohibiting you from criminal activity, there is no reason not to give ransomware a try. It is a rational choice.
Did I mention that ransomware attacks are profitable?
Emsisoft estimates the total ransomware demand cost to the United States at more than $1.3 BILLION. Coveware estimates the average ransom payment made in Q3 2020 at $233,817. The University of Utah admitted paying a $457,000 ransom in July 2020, and Garmin reportedly paid ten million dollars to get its GPS services back online. The group responsible for the Maze variant claimed to have made enough money to “retire”.
The rise of the cyber-insurance industry is inevitable.
The decision whether to purchase insurance to hedge against cybercrime is a non-decision for a business. If you operate a car dealership in the Midwest, you carry severe-weather insurance because the tornado is eventually coming. If you own a building along a river, you buy flood insurance because the high water is eventually coming. And if you own a business that requires an Internet connection, you need insurance because eventually the phishing, DDoS, insider-threat, or ransomware attack is coming!
The decision for insurance companies is also a non-decision. Cyber attacks on well-known businesses, schools, and health systems regularly lead the news. Insurers see the opportunity to make a lot of profit: every big cyber event stokes fear in business owners, big and small, and sends them running to buy coverage.
Likewise, if you are a criminal with some technological know-how, getting into the ransomware trade is a non-decision. It is a simple avoidance-of-pain, pursuit-of-pleasure calculation. Ransomware is easy, fun, and very profitable. And it is certainly safer than breaking into people's homes, selling drugs on a street corner, or physically robbing a bank. Those crimes will get you arrested and possibly killed.
So it seems like a win for everyone, right? The business owner can be flippant about the security of their enterprise and get bailed out by the insurer. The insurer can collect enough in premiums to stay profitable even when it has to cover the occasional ransom payment. The ransomware operators are raking it in hand over fist.
Oh, there is one more group killing it in this travesty: the security companies. Who do you think acts as the middleman between the insurance companies and the cybercriminals, negotiating the ransom and arranging the payment? The broker. The showrunner. The fixer.
The loser in this game? The average consumer. You and me. Retailers cover shrink, AKA shoplifting losses, by raising prices across the board. Lowe's doesn't eat the loss when Heroin Henry walks out the door without paying for a DeWalt drill kit; a few pennies are added to the price of every other drill for sale. Likewise, the business that adds a cybercrime rider to its insurance policy doesn't take the premium out of its bottom line. It raises the prices of its goods and services and passes the cost along to the end consumer.
Ransomware is a problem that affects all of us, even if you don't own a business, even if you don't own a computer. I wonder if there is an insurance policy to cover us?