Why "don't pay ransom" pledges are so hard to implement

A government pledge to not pay ransoms will prove difficult for companies and private organizations to replicate.

Driving the news: A group of 48 governments, as well as the European Union and Interpol, signed a pledge last week to not pay hackers if their systems are hit with a ransomware attack.

• The commitment, which was made as part of last week's U.S.-led Counter Ransomware Initiative meeting, also strongly discouraged "anyone from paying a ransomware demand," including private sector organizations and organizations responsible for critical infrastructure.

Why it matters: Government officials are showing a growing appetite for banning ransom payments and cutting off the financial incentive cybercriminals have for launching these attacks.

• But the Counter Ransomware Initiative's decision to focus solely on government ransomware victims underscores how tough the choices are for private sector victims weighing how to respond to such attacks.

The big picture: Ransomware gangs typically demand their victims send a payment to either regain access to their networks or keep hackers from leaking sensitive data stolen during the attack.

• When deciding whether to pay, victims will weigh everything from potential service disruptions to class-action lawsuits if sensitive customer information is leaked.
• Some critical services, including hospitals and water companies, also face life-or-death consequences if certain online systems are locked up for too long.
• In many cases, paying up appears to be cheaper (and safer) than spending days rebuilding key systems and networks.

What they're saying: "There's a lot more to it than just saying we're not going to do it," John Dwyer, head of research at IBM's X-Force threat intelligence group, told Axios. "Faced with the reality that a lot of these organizations are faced with, you realize that there's a lot more in the decision."

• "It's not as black-and-white as I think the public probably appears that it is," he added.

By the numbers: Despite concerted government efforts, the number of ransomware attacks has continued to grow this year.

• The number of ransomware attacks in the third quarter nearly doubled compared to the same period last year, according to cyber policy underwriter Corvus Insurance.
• "The data shows the number of attacks are going up and, frankly, [so is] the disruptive impact," Anne Neuberger, deputy national security adviser for cyber and emerging tech, said during an event Friday.

Meanwhile, the number of companies paying ransoms is starting to drop, by some accounts.

• Both Dwyer and Kurtis Minder, CEO of ransomware negotiation firm GroupSense, told Axios that, anecdotally, they've recently seen fewer victims paying up post-attack.
• Cyber risk group Resilience also estimates that only 15% of its clients paid a ransom in the first half of 2023 — tracking downward from 21% in all of 2022.

Between the lines: Historically, the incentive structure of a ransomware attack has favored those who quietly paid a ransom — but that's slowly starting to change.

• For instance, cyber insurers have started mandating companies meet basic security requirements before approving them for a new policy.

The intrigue: In some cases, the larger ransomware volumes are working to victims' advantage, Minder said.

• In a handful of cases, Minder said, he's seen some ransomware gangs target so many companies that they forget who they're extorting and never return to negotiations over a payment and never leak the data they stole.

Yes, but: Without some larger enforcement mechanism or incentive program, banning ransom payments across the private sector is never going to work, Minder said.

• "Even if you made this illegal, the ransom would still be made," he said. "They just would be largely swept under the rug, or underground. It wouldn't achieve your goal."

Be smart: The best way to avoid ransom payments and cut down on the number of ransomware attacks is for organizations to practice good cyber hygiene, such as implementing multifactor authentication, Dwyer said.