But paying the attackers risks encouraging even more ransomware assaults by demonstrating just how lucrative the business model can be. The FBI confirmed on Monday that the pipeline hackers are a criminal group originating in Russia named DarkSide.
One of the ways to discourage cybercrime and ransomware attacks is to “make it a less profitable endeavor,” according to Josephine Wolff, assistant professor of cybersecurity policy at The Fletcher School at Tufts University. “These groups will not continue to [launch attacks] if it’s not a viable business model,” she added.
DarkSide has already posted a notice on the dark web that their motivation was “only to make money,” according to Binary Defense, a cyber counterintelligence firm. The group offers “ransomware as a service,” said Wolff.
“They essentially sell ransomware attacks to customers,” she explained. “That’s a pretty strong signal that this is a profitable business.”
A thriving industry
And it will take a lot more than a handful of companies refusing extortion payments to deter cyber criminals.
“They’ll find another victim, another way of making money,” said Peter Yapp, the former deputy director of the UK National Cyber Security Centre and now a partner at Schillings.
“What will stop this is much higher levels of [cyber] security,” he told CNN Business. “Instead of putting money into paying people after the event, we should be putting money in ahead of the event and making sure we batten down the hatches,” he added.
“Cybercrime appears unstoppable … The risk of cybercrime to operations and profits continues to grow for many organizations,” it added.
That’s become a growing opportunity for insurance companies, with global cyber insurance premiums expected to increase from around $2.5 billion today to $7.5 billion by the end of the decade, according to PwC.
Cyber insurance policies typically cover ransom payments where they are legally permissible and if no sanctioned entities, such as terrorist organizations, are involved. But there are signs that this may be changing.
In a statement, the insurer said that it is “waiting for the decision of the public authorities.”
“The subject of ransom reimbursement has become a key issue for cyber insurance … It is essential that the public authorities give concrete expression to their position on this subject in order to enable all market players to harmonize their practices,” the company added.
“Of course, this has its limits when peoples’ lives and health are at risk,” he added.
How governments can help
While the US and UK governments provide advice and guidance to companies on how to handle cyberattacks, there is no official policy when it comes to ransomware payments.
For example, the FBI’s standing guidance is that victims should not pay a ransom in response to an attack in order to discourage perpetrators from targeting more victims. But multiple sources have previously told CNN that the FBI will, at times, privately tell targets that they understand if they feel the need to pay.
Asked on Monday whether Colonial had paid a ransom, senior White House officials demurred.
“That is a private sector decision, and the administration has not offered further advice at this time. Given the rise in ransomware, that is one area we’re looking at now to say what should be the government’s approach to ransomware actors and to ransoms overall,” said Anne Neuberger, the top official responsible for cybersecurity on the National Security Council.
According to Wolff of Tufts, governments need to provide greater clarity to businesses on what kind of resources and assistance is available to them if they don’t pay a ransom.
In extreme cases, companies could go under if they don’t pay a ransom and the wider impact on the economy could be huge. That’s why it’s not enough for law enforcement to simply say, “don’t pay … you’re fueling an industry,” added Yapp.
While it is not the job of governments to look after commercial entities, the growing wave of ransomware attacks suggests it may be time for law enforcement officials to step up efforts to go after cyber criminals, Yapp said.
“Commercially, it is having a huge drain on companies right across the world,” he added. The threat of “being found out and prosecuted” could in itself act as a strong deterrent, he said.
As critical national infrastructure networks become increasingly connected with other devices and systems over the internet, the danger posed by these attacks will only increase.
“Attacks targeting operational technology — the industrial control systems on the production line or plant floor — are becoming more frequent,” Algirde Pipikaite, cyber strategy lead at the World Economic Forum’s Centre for Cybersecurity, said in a statement.
“Unless cybersecurity measures are embedded in a technology’s development phase, we are likely to see more frequent attacks on industrial systems like oil and gas pipelines or water treatment plants,” she added.
— Zachary Cohen, Geneva Sands and Matt Egan contributed reporting.