The U.S. government is calling for new practices to put an end to the endless cycle of cyberattacks fueled by ransomware payments.
- The government is seeking ways to disrupt ransomware networks that cause thousands of hacks annually, and one of their requests is for cyber insurance companies to stop reimbursing ransom payments.
- In a recent op-ed, a top national cybersecurity advisor warned against a concerning behavior that needs to be stopped.
- According to sources, the FBI advises against paying a hacker's ransom demand, but acknowledges that companies may need to pay to regain control of critical operations.
As ransomware attacks continue to increase, with 2024 predicted to be one of the worst years yet, U.S. officials are exploring new strategies to combat the threat, including urging a different approach to ransom payments.
In a recent Financial Times opinion piece, Ann Neuberger, U.S. deputy national security adviser for cyber and emerging technologies, argued that insurance policies, particularly those covering ransomware payment reimbursements, are inadvertently contributing to the criminal ecosystems they aim to combat. She emphasized the need for stricter cybersecurity requirements as a condition for coverage to discourage ransom payments.
The U.S. government is looking for ways to disrupt ransomware networks as cyber insurance emerges as a key area for reform. A recent report by the Office of the Director of National Intelligence indicates that by mid-2024, over 2,300 incidents had been recorded, with nearly half targeting U.S. organizations. This suggests that 2024 could surpass the 4,506 attacks recorded globally in 2023.
Despite policymakers' efforts to examine insurance practices and implement broader strategies to hinder ransomware operations, businesses continue to face a dilemma when they are targeted: Should they pay the ransom to possibly encourage future attacks or refuse and risk additional harm?
In 2024, I attended a briefing by the FBI where they advised against paying a ransom. However, after making that statement, they acknowledged that it is a business decision and that companies need to consider many more factors than just ethics and good business practices. Even the FBI understood that businesses need to do whatever it takes to get back to operations.
The FBI declined to comment.
According to cybersecurity expert Bryan Hornung, CEO of Xact IT Solutions, there are no clear-cut answers when it comes to deciding whether to pay the ransom in the event of a cyber attack.
The fear of prolonged downtime can force businesses to make hasty decisions, just as the urgency to restore operations can increase the risk of damage. As Hornung put it, "The longer something goes on, the bigger the blast radius." He has seen firsthand how CEOs who swore they would never pay for certain expenses have reversed course when faced with prolonged downtime.
The potential exposure of sensitive data, particularly if it involves customers, employees, or partners, increases fear and urgency, as organizations face immediate reputational damage and the possibility of class-action lawsuits from affected individuals. The cost of litigation and settlements in some cases can exceed the ransom demand, forcing companies to pay just to contain the fallout.
Hornung stated that there are lawyers who specialize in assembling class-action lawsuits using information obtained from the dark web. These lawyers have teams that search for leaked data, such as driver's licenses, Social Security numbers, and health information, and notify the affected individuals. As a result, these individuals may find themselves defending a multimillion-dollar lawsuit.
Ransom demands, data leaks, and legal settlements
In 2023, Lehigh Valley Health Network refused to pay a $5 million ransom to the ALPHV/BlackCat gang, resulting in a data leak on the dark web affecting 134,000 patients, including nude photos of about 600 breast cancer patients. The fallout was severe, leading to a class-action lawsuit that claimed LVHN was consciously ignoring the real victims while publicly praising itself for standing up to hackers.
LVHN agreed to settle the case for $65 million.
NPD, a background-check giant, is facing multiple class-action lawsuits and civil rights complaints from over 20 states, as well as possible fines from the Federal Trade Commission, following a hack in April that exposed the personal data of 2.7 billion individuals. The stolen data included 272 million Social Security numbers, full names, addresses, phone numbers, and other personal information of both living and deceased individuals. The hacker group allegedly demanded a ransom to return the data, but it is unclear whether NPD paid it.
NPD's failure to promptly report the incident led to legal issues, which ultimately resulted in Jerico Pictures filing for Chapter 11 on Oct. 2.
NPD did not respond to requests for comment.
Darren Williams, the founder of BlackFog, a cybersecurity firm that specializes in ransomware prevention and cyber warfare, strongly opposes paying ransoms. Doing so only motivates more attacks, he said, and once sensitive data has been exfiltrated, it is irrecoverable.
Even when companies pay to secure their data, there is no guarantee that it will remain secure. This was demonstrated by UnitedHealth Group when its subsidiary, Change Healthcare, was hit by the ALPHV/BlackCat ransomware group in April 2023. Despite paying the $22 million ransom to prevent a data leak and quickly restore operations, a second hacker group, RansomHub, accessed the stolen data and demanded an additional ransom payment from Change Healthcare. While Change Healthcare hasn't reported whether it paid, the fact that the stolen data was eventually leaked on the dark web indicates the demands were not met.
The possibility of funding hostile organizations or violating sanctions through ransom payments, given the links between many cybercriminals and geopolitical enemies of the U.S., makes the decision to pay even more risky. For instance, when LoanDepot was attacked by the ALPHV/BlackCat group in January, the company refused to pay the $6 million ransom demand, opting instead to pay the projected $12 million to $17 million in recovery costs. The decision was primarily driven by concerns about funding criminal groups with potential geopolitical ties. The attack affected around 17 million customers, leaving them unable to access their accounts or make payments, and in the end, customers still filed class-action lawsuits against LoanDepot, alleging negligence and breach of contract.
Richard Caralli, a cybersecurity expert at Axio, stated that regulatory scrutiny adds another layer of complexity to the decision-making process.
The recent SEC reporting requirements mandate disclosures about material cyber incidents, ransom payments, and recovery efforts, so companies may be less likely to pay for fear of legal action, reputational damage, or shareholder backlash. However, some companies may still choose to pay to prioritize a quick recovery, even if it means facing those consequences later.
"Organizations must expose their weaknesses and lack of preparedness when dealing with ransomware, as the SEC reporting requirements have made it challenging to navigate the consequences with customers, business partners, and other stakeholders."
The Cyber Incident Reporting for Critical Infrastructure Act, set to take effect in October 2025, will put pressure on organizations not regulated by the SEC. Under this rule, companies in critical infrastructure sectors, often small and mid-sized entities, will be required to disclose ransomware payments, making it even more challenging to handle these attacks.
Cybercriminals are changing the nature of data attacks
As fast as cyber defenses improve, cybercriminals are even quicker to adapt.
Underwood stated that training, awareness, defensive techniques, and not paying all contribute to the reduction of attacks. However, it is highly probable that more advanced hackers will discover alternative methods to disrupt businesses.
Ransomware patterns are shifting, according to a recent report from cyber extortion specialist Coveware.
Hackers are increasingly using data exfiltration-only attacks to steal sensitive information without encryption, allowing victims to still access their systems. This tactic is a response to companies' improved backup capabilities and better preparation for encryption-based ransomware attacks. The ransom demanded is not for recovering encrypted files but to prevent the stolen data from being released publicly or sold on the dark web.
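Because an exfiltration-only attack never encrypts anything, the usual signs (unreadable files, ransom notes) are absent, and the earliest observable signal is the outbound transfer itself. The following added example, not code from the article or from Coveware, shows one simple defensive check: aggregate outbound bytes from internal hosts to external addresses and flag hosts whose volume is far above their learned baseline. The flow records, the RFC 5737 destination addresses, and the per-host baselines are all constructed sample data.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network
from statistics import median

# Constructed flow records: (source, destination, bytes sent). Sample data, not real traffic.
SAMPLE_FLOWS = [
    ("10.0.1.10", "10.0.2.5", 12_000),             # internal-to-internal, not counted
    ("10.0.1.10", "203.0.113.7", 45_000),          # ordinary outbound web traffic
    ("10.0.1.11", "203.0.113.7", 60_000),
    ("10.0.1.12", "198.51.100.3", 2_500_000_000),  # 2.5 GB to a single external host
    ("10.0.1.12", "198.51.100.3", 1_800_000_000),  # followed by another 1.8 GB
    ("10.0.1.13", "203.0.113.9", 30_000),
]

# Hypothetical per-host daily outbound baselines in bytes (assumed to be learned from prior days).
BASELINE = {"10.0.1.10": 80_000, "10.0.1.11": 90_000, "10.0.1.12": 70_000, "10.0.1.13": 50_000}

INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"), ip_network("192.168.0.0/16")]


def is_internal(ip: str) -> bool:
    """True if the address falls inside one of the private ranges."""
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def external_outbound(flows):
    """Sum the bytes each internal host sends to external addresses and remember the destinations."""
    totals = defaultdict(int)
    dests = defaultdict(set)
    for src, dst, nbytes in flows:
        if is_internal(src) and not is_internal(dst):
            totals[src] += nbytes
            dests[src].add(dst)
    return totals, dests


def flag_exfil_candidates(flows, baseline, ratio=20):
    """Return hosts whose external outbound volume exceeds `ratio` times their baseline.

    Hosts without a baseline are compared against the median of the known baselines.
    """
    totals, dests = external_outbound(flows)
    fallback = median(baseline.values()) if baseline else 0
    flagged = {}
    for host, total in totals.items():
        base = baseline.get(host, fallback)
        if base and total > ratio * base:
            flagged[host] = {
                "bytes": total,
                "ratio": round(total / base, 1),
                "destinations": sorted(dests[host]),
            }
    return flagged


if __name__ == "__main__":
    for host, info in flag_exfil_candidates(SAMPLE_FLOWS, BASELINE).items():
        print(f"{host}: {info['bytes']} bytes ({info['ratio']}x baseline) -> {info['destinations']}")
```

A volume ratio is a coarse first cut; in practice it is combined with destination reputation, time-of-day patterns, and the identity of the process or user generating the traffic, and the threshold is tuned per host class so that backup servers and build machines do not trip it every night.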
Following the collapse of ALPHV/BlackCat and LockBit, new attacks by lone-wolf actors and nascent criminal groups have emerged, according to Coveware. These two ransomware gangs were among the most prolific, with LockBit believed to have been responsible for nearly 2,300 attacks and ALPHV/BlackCat for over 1,000, 75% of which were in the U.S.
The BlackCat ransomware group executed a planned exit after stealing the ransom owed to its affiliates in the Change Healthcare attack. Meanwhile, LockBit was taken down after an international law-enforcement operation seized its platforms, hacking tools, cryptocurrency accounts, and source code. However, even though these operations have been disrupted, ransomware infrastructures are quickly rebuilt and rebranded under new names.
"Ransomware has a low barrier to entry for any type of crime," said BlackFog's Williams. "Other forms of crime carry significant risks, such as jail time and death. Now, with the ability to shop on the dark web and leverage the tools of some of the most successful gangs for a small fee, the risk-to-reward ratio is quite high."
Making ransom a last resort
Cybersecurity experts unanimously agree that prevention is the key to solving cybersecurity issues.
To stay out of trouble, businesses should allocate between one percent and three percent of their top-line revenue toward cybersecurity, with sectors like health care and financial services at the higher end of this range. Hornung emphasizes that until businesses take the necessary steps to protect against, detect, and respond to cybersecurity events, they will continue to be vulnerable to hacking.
To minimize damage when an attack occurs, Underwood recommended implementing proactive measures such as endpoint detection and response, as well as ransomware rollback, a backup feature that undoes damage and restores files.
A comprehensive plan can minimize the likelihood of resorting to paying the ransom as the initial course of action.
To prevent organizations from panicking and reacting impulsively to ransomware attacks, Caralli emphasizes the need for a detailed incident response plan that outlines specific actions to take during an attack, including measures such as regular data backups and drills to ensure that recovery processes work in real-world scenarios.
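The backup-and-drill advice above is only as good as the last time a restore was actually exercised. The following added example, not code from the article or from any of the firms quoted in it, is a small self-contained restore drill: it snapshots a directory into a hash manifest, copies it to a backup location, overwrites the live files to stand in for an encryption event, checks that the manifest detects the damage, restores from the backup, and verifies the result. The sample files and the "damage" are constructed for the drill; everything runs in a temporary directory.

```python
import hashlib
import shutil
import tempfile
from pathlib import Path


def file_digest(path: Path) -> str:
    """SHA-256 of a file's contents, read in chunks so large files are handled."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map each file's path (relative to root) to its SHA-256 digest."""
    return {str(p.relative_to(root)): file_digest(p) for p in sorted(root.rglob("*")) if p.is_file()}


def verify_against_manifest(root: Path, manifest: dict) -> list:
    """Return the relative paths that are missing or whose content no longer matches."""
    problems = []
    for rel, expected in manifest.items():
        p = root / rel
        if not p.is_file() or file_digest(p) != expected:
            problems.append(rel)
    return problems


def simulate_damage(root: Path) -> int:
    """Drill stand-in for an encryption event: overwrite every file with filler bytes."""
    count = 0
    for p in root.rglob("*"):
        if p.is_file():
            p.write_bytes(b"\x00" * 16)  # constructed damage for the drill, nothing real
            count += 1
    return count


def restore(backup: Path, target: Path) -> None:
    """Replace the live tree with the backup copy."""
    shutil.rmtree(target)
    shutil.copytree(backup, target)


def run_drill() -> dict:
    """Run the full backup -> damage -> detect -> restore -> verify cycle and report each step."""
    with tempfile.TemporaryDirectory() as tmp:
        live = Path(tmp) / "live"
        backup = Path(tmp) / "backup"
        (live / "records").mkdir(parents=True)
        # Constructed sample content standing in for production data.
        (live / "records" / "patients.csv").write_text("id,name\n1,constructed sample\n")
        (live / "config.ini").write_text("[app]\nmode=prod\n")

        manifest = build_manifest(live)          # known-good state before the backup
        shutil.copytree(live, backup)            # take the backup
        backup_ok = verify_against_manifest(backup, manifest) == []

        damaged = simulate_damage(live)          # the incident
        detected = verify_against_manifest(live, manifest)

        restore(backup, live)                    # recovery
        restore_ok = verify_against_manifest(live, manifest) == []

        return {
            "backup_ok": backup_ok,
            "files_damaged": damaged,
            "damage_detected": len(detected),
            "restore_ok": restore_ok,
        }


if __name__ == "__main__":
    print(run_drill())
```

In a real environment the backup copy must live somewhere the compromised host cannot write to (offline media, an immutable object-storage bucket, or a snapshot the host's credentials cannot delete), and the manifest should be stored alongside it, because a backup that the attacker can also encrypt or delete provides no rollback at all.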
Ransomware attacks and the pressure to pay will continue to be high, according to Hornung. He emphasized that prevention is more cost-effective than cure, but businesses are not taking the necessary precautions.
"We collaborate with numerous small- and medium-sized enterprises, and I inform them, 'You're not insignificant to be targeted. You're simply too small to make headlines.'"
If no organization paid the ransom, the financial benefit of ransomware attacks would decrease, Underwood stated. However, he emphasized that it wouldn't stop hackers.
"If organizations do not pay, attackers may stop trying or switch to alternative methods, such as stealing data, searching for valuable assets, and selling it to interested parties," he said. "Frustrated hackers may give up or switch to alternative methods. They are generally on the offensive."