
Navigating the UK’s ransomware payment ban

Ransomware attacks have cost the UK economy billions of pounds this year. They’ve disrupted food supply chains, caused chaos at airports, and virtually wiped out the country’s GDP growth in Q3. Against this backdrop, the government could be forgiven for wanting to take a hard line on the shadowy groups that continue to profit off sub-par security posture. But is an outright ban on payment the right idea?

Instead of criminalising victims, the focus should be on improving prevention, accelerating recovery, and ultimately ensuring that ransomware becomes a losing game.

Acting with impunity

Ransomware has for several years been branded by government experts as the biggest serious and organised crime threat facing UK businesses. It helped to ensure that the past year witnessed the highest level of cyber-threat activity recorded by the NCSC in nine years. The agency dealt with a “nationally significant” attack every other day. Even worse, a June report revealed that 70% of UK companies had data encrypted over the past year. That’s way more than their global peers (50%), and even higher than the previous year’s figure for the UK (46%). 

Threat groups have the advantage. Protected from law enforcement action by their respective governments, they have evolved into highly scalable, efficient criminal enterprises. They collect payment anonymously through cryptocurrency, and benefit from a staggeringly efficient cyber-crime economy where hacking tools, network access, exploits and knowledge have been largely commoditised. AI promises to lower the bar yet further for would-be adversaries.

On the other side, network defenders are struggling with skills shortages, expanding attack surfaces, alert fatigue and traditional patching cycles. Even if CISOs do everything right, they may have suppliers of suppliers who don’t, providing a pathway to their data and networks.

To ban or not to ban?

This is why even nominally well-resourced companies like JLR and M&S are being breached with impunity. And when the bill starts to stretch into the billions, policymakers are right to take notice. It’s therefore understandable that the Home Office wants to cut off the cashflow to cyber-criminals by prohibiting public sector and certain critical national infrastructure (CNI) organisations from paying their extortionists.

Yet there are several unintended consequences that could arise from such an approach. For some organisations, a ransomware attack can be a near-existential event, where paying is the least bad option. Yet under the proposed regime, those providing critical services would be forced to choose between causing potentially catastrophic disruption, and breaking the law. For NHS organisations this could be a choice with life-threatening implications for patients.

There are also understandable concerns that an outright ban on paying digital extortionists would simply push incidents underground, working against the ideals of openness and information sharing that are vital to tackling ransomware at a national level. If a ban were brought in, the UK would also be a global outlier.

Detect, disrupt, defeat

The good news is that there’s another way to reduce profitability for ransomware actors — without needlessly punishing victims. To do so, CISOs need to focus on several layers of proactive defence.

First, focus on identifying and disrupting the early signs of a ransomware attack before adversaries can cause any lasting damage. This means detecting the malicious executables, brute force attempts and command and control (C2) infrastructure typically used for initial access, and then spotting the remote access tools, vulnerable kernel drivers and reconnaissance/enumeration efforts that follow exploitation.

Controls should also be put in place to detect and prevent credential harvesting, lateral movement attempts and EDR/security bypass. Further on in the kill chain, they should detect attempts to exfiltrate large volumes of data. AI and behavioural analytics can play an important role in all of these controls.
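As an added illustration of the early-warning layer described above (example code written for this page, not the author's or Halcyon's), the sketch below runs two sliding-window detectors over constructed log lines: repeated authentication failures from one source (brute force) and outbound volume to one destination (bulk exfiltration). The log format, thresholds, windows and addresses are all assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta
# Constructed sample events (not from the article): auth failures, then outbound transfers.
LOGS = [
    "2025-11-03T08:00:01 auth FAIL user=admin src=10.0.5.7",
    "2025-11-03T08:00:03 auth FAIL user=admin src=10.0.5.7",
    "2025-11-03T08:00:06 auth FAIL user=root src=10.0.5.7",
    "2025-11-03T08:00:09 auth FAIL user=alice src=10.0.5.9",
    "2025-11-03T09:10:00 net OUT src=10.0.8.2 dst=203.0.113.9 bytes=400000000",
    "2025-11-03T09:25:00 net OUT src=10.0.8.2 dst=203.0.113.9 bytes=300000000",
    "2025-11-03T09:30:00 net OUT src=10.0.8.3 dst=198.51.100.4 bytes=1000000",
]

def parse(line):
    """Split 'timestamp source EVENT k=v ...' into (datetime, source, fields)."""
    ts, source, rest = line.split(" ", 2)
    event, *kv = rest.split()
    fields = dict(pair.split("=", 1) for pair in kv)
    fields["event"] = event
    return datetime.fromisoformat(ts), source, fields

def brute_force(events, threshold=3, window=timedelta(minutes=2)):
    """Sources with at least `threshold` auth failures inside a sliding time window."""
    recent, hits = defaultdict(list), set()
    for ts, source, f in events:
        if source == "auth" and f["event"] == "FAIL":
            q = recent[f["src"]]
            q.append(ts)
            while ts - q[0] > window:   # drop failures that fell out of the window
                q.pop(0)
            if len(q) >= threshold:
                hits.add(f["src"])
    return hits

def exfiltration(events, limit=500_000_000, window=timedelta(hours=1)):
    """(src, dst) pairs whose outbound bytes inside a sliding window exceed `limit`."""
    recent, hits = defaultdict(list), set()
    for ts, source, f in events:
        if source == "net" and f["event"] == "OUT":
            q = recent[(f["src"], f["dst"])]
            q.append((ts, int(f["bytes"])))
            while ts - q[0][0] > window:  # keep only transfers within the window
                q.pop(0)
            if sum(b for _, b in q) > limit:
                hits.add((f["src"], f["dst"]))
    return hits

def triage(lines=LOGS):
    events = sorted(map(parse, lines), key=lambda e: e[0])  # detectors need time order
    return {"brute_force": brute_force(events), "exfiltration": exfiltration(events)}
```

Each hit is a point at which a responder can isolate the host or block the destination before encryption begins, which is the disruption the article calls for.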

Next, if threat actors manage to encrypt corporate data, there are solutions available on the market to intercept encryption keys and other cryptographic material. This will help to neutralise the ransomware threat. There are also third-party warranty services that can help accelerate recovery and support professional incident response without breaking the bank. Taken together, these capabilities can get the breached organisation back to a pre-attack state rapidly, with minimum impact on the business.

Destroying the business model

Cyber-defence doesn’t need to be perfect to defeat ransomware. It just has to make attacks expensive and time consuming for our adversaries. In most situations, that will be enough to persuade them to try elsewhere.

Government still has an important part to play. Mandatory reporting of incidents and payment amounts will help investigators better understand the scale of the challenge. Education, industry engagement and information sharing initiatives will also help build resilience. And international collaboration and law enforcement efforts can further erode the ransomware business model.

This is a fight that we all need to be invested in. And it’s one that we can win. It starts with the UK’s cyber-security leaders. As this landscape evolves, the industry’s job is to keep a clear view of where the genuine risks are and maintain calm, open communication rather than drifting into alarmism.

Oliver Newbury is Chief Strategy Officer at Halcyon