HIMSS21: To pay or not to pay ransomware payments

LAS VEGAS—A cybersecurity expert at HIMSS21 this week called on the federal government to ban organizations from paying ransom demands to hackers—but not everyone is convinced that would stop attacks.

The Biden administration and Congress have focused on addressing increasing ransomware attacks, as cybercriminals have targeted hospitals, government agencies and schools.

Paying a hacker’s ransom demand is discouraged by cybersecurity experts, including the Federal Bureau of Investigation, who say the practice encourages—and essentially funds—hackers’ future criminal activity. Hackers could also repeatedly target companies that show willingness to pay.

But that hasn’t stopped desperate organizations—recently, Colonial Pipeline paid nearly $4.5 million to a ransomware group—from doing so.

There’s no ban on the practice, although the Treasury Department has said that companies that facilitate ransomware payments—such as cyber insurance firms and incident response groups—could face fines if they send payments to ransomware gangs or nations sanctioned by the department’s Office of Foreign Assets Control.

That needs to change, said Alex Stamos, a founding partner at Krebs Stamos Group, a cybersecurity consultancy.

“We have to outlaw ransomware payments,” he said during a panel discussion on cybersecurity at the Healthcare Information and Management Systems Society’s trade show this week in Las Vegas.

Stamos, a former chief security officer at Facebook and former chief information security officer at Yahoo, suggested President Joe Biden designate the biggest 10 to 20 ransomware gangs as groups sanctioned by the Treasury Department’s OFAC, so that organizations—or even individual executives—who pay ransom demands to such groups would face monetary fines and other criminal penalties.

Although “that technically would not outlaw all ransomware payments, it practically would, because you have no idea if you’re operating with one of those,” he said.

It’s a controversial position.

A top FBI official, whose agency discourages ransom payments, told the Senate Judiciary Committee at a hearing last month that outlawing ransom payments could create new opportunities for cybercriminals to extort victims, by giving hackers leverage to blackmail organizations for more money after a ransom is paid.

A report from the Institute for Security and Technology published earlier this year emphasized the importance of “disrupting” payment systems so that ransomware attacks are less profitable for cybercriminals, but stopped short of recommending payments be outlawed. Instead, the group suggested the government require companies to review alternatives and report the attack, as well as set up a fund to support those that don’t make payments.

Hospitals, in particular, often feel pressured to pay ransom demands because of the disruption to patient care.

Beyond curtailing access to data, ransomware can pose safety issues as hospitals are forced to delay and sometimes divert patient care—leading the American Hospital Association to call it a “threat-to-life crime.”

If a ransom isn’t paid, hackers may also threaten to sell or publish stolen data on a public website.

Ideally, if a hospital is prepared with backup data and recovery processes, it shouldn’t have to pay a ransom to retrieve its data, said Greg Vetter, principal and cybersecurity national leader for healthcare at consulting firm RSM, during an interview with Modern Healthcare at HIMSS21 in Las Vegas.

But “bottom line, (hospitals) are here to care for patients,” and make decisions with that in mind, Vetter said.

That’s why, if ransom payments were outlawed, experts say it would be important for the federal government to stand up other programs that help organizations respond to ransomware attacks.

“If there is a law saying you can’t pay ransom, then there needs to be some course of action,” said John Delano, regional CIO for AdventHealth’s Southwest region and healthcare security strategist at cybersecurity consulting firm Critical Insight, on a phone call with Modern Healthcare. “We need the government to step in and help.”

It could be more effective for authorities to take a “carrot,” rather than a “stick,” approach to encouraging organizations not to pay ransoms.

The Senate’s infrastructure bill includes a $100 million fund for the Department of Homeland Security to support critical U.S. organizations responding to cyberattacks. That money could go toward helping organizations hit by ransomware recover their services if they don’t pay the ransom, suggested Critical Insight CISO Michael Hamilton.

While Stamos at HIMSS21 acknowledged there are valid reasons that organizations opt to pay—it’s often cheaper to pay a multi-million-dollar ransom than hiring digital forensic, incident response and legal experts and pausing patient visits, and can be quicker than dealing with other recovery processes—he said outlawing ransoms is “the only way that we can disrupt the economic balance” that today favors hackers.

Paying a ransom also doesn’t ensure a hospital is out of the woods. Hackers could promise to decrypt an organization’s data after receiving a payment, and then fail to do so. The cybercriminals could also leave an organization’s network vulnerable so that it’s easy to get back in for another attack.

But while other cybersecurity experts agreed paying ransoms should be discouraged, they said banning it won’t solve the core issue.

Organizations hit by ransomware should talk to the hackers—regardless of whether they plan to pay—since it can buy time and provide insight into what the hacker wants, said Adm. Michael Rogers, a former director at the National Security Agency and former commander at U.S. Cyber Command who participated in the HIMSS21 panel via video conference.

That might require hiring digital forensic or incident response experts who can talk to or negotiate with the hackers, since most hospitals don’t have that skillset on staff.

But banning payments could push discussions of ransomware further under the radar by dissuading hospitals from reporting ransomware attacks to the federal government or from cooperating with law enforcement if they’re considering paying a ransom to restore services, said John Riggi, senior adviser for cybersecurity and risk at the AHA, on a phone call with Modern Healthcare.

Rather than outlawing ransom payments, Riggi said actions from the federal government like providing support to organizations dealing with a ransomware attack would prove more helpful. Ideally, that would include coordinated support from the FBI, DHS and HHS to prepare against and respond to ransomware attacks.

The AHA has previously called on the federal government to create a “coordinated campaign” against ransomware gangs, many of which operate outside of the U.S.

“If the government (had) a robust and fully coordinated multi-agency response to help the victim independently restore—that would dramatically cut down on ransomware payments,” Riggi said.