Ransomware Defenses: The Need for Course Correction

In 2015, my team and I attended the government's Security & Policing event in Farnborough. During the event, we had a thought-provoking discussion with a visitor from the Home Office about the legal position on paying ransomware demands. At that time, there was little to no guidance from the government on this matter.

This lack of guidance seemed contradictory when set against the clear rules then being put in place for physical ransoms: paying a ransom to a terrorist group, or insuring against such a payment, was and still is illegal in the UK. Given how interconnected everything is, and the significant impact that malware in all its forms has on businesses, society and the well-being of individuals, we found the distinction illogical. How could paying a ransom, or holding insurance cover for one, be illegal in the physical case yet perfectly legal in the digital one?

While the government was focused on closing insurance loopholes for human ransoms, it remained perfectly legal to pay a cyber ransom. This effectively allowed criminals engaged in the business of extorting money from legitimate entities like businesses, public bodies, and charities to continue their activities. They could then use this money to develop even more advanced ransomware and target a larger number of victims. This vicious cycle persisted.

If you doubt this statement, simply look at the increasing average price of a ransom over the past decade. Criminals have meticulously devised their business plans and are now able to target densely populated areas, causing disruptions in public services and demanding higher ransoms from major corporations. Ransom gangs have perfected their software, delivery methods, and chosen targets to ensure maximum payout.

Interestingly, phishing remains one of the primary methods of delivering ransomware. We have come a long way since the ILOVEYOU worm spread by email in 2000, yet we remain vulnerable to ransomware because of this same delivery method. This level of carelessness would not be tolerated in the case of physical ransoms, where a lack of training or awareness is not allowed to persist. Ransom should not be treated as simply a cost of doing business.

However, we have struggled as a society to effectively combat this type of crime. Somehow, ransomware has become semi-legitimate and deemed an acceptable cost of conducting business. This may be partially due to the language we use to describe it. Perhaps it is time to reframe our perspective and stop referring to it as ransomware, but rather recognize it for what it truly is: blackmail and extortion.

We need to address not only the legality of paying digital ransoms but also how we can create effective legislation and punishments for those who carry out these crimes. The ransom gangs are making massive profits, putting us at significant risk as they are often better funded than the efforts to stop them. Correcting this course of action requires a vision, dedication, and comprehensive understanding of the issue at hand.
