Ransomware crisis gets worse, big changes are necessary

The cruel march of ransomware has apparently reached a grim new milestone. In Germany, authorities are investigating the death of a patient during a ransomware attack on a hospital; according to reports, the woman, who needed urgent medical care, died after being re-routed to a hospital further away, as a nearer hospital was in the midst of dealing with a ransomware attack.


Elsewhere ransomware continues to create painful, if less tragic, disruptions. The UK’s cybersecurity agency has just warned that ransomware groups are launching ‘reprehensible’ attacks against universities as the new academic year starts. On a daily basis, companies large and small are finding their business disrupted when they can least afford to have computer systems failing.

And yet, there seems to be a sense in some quarters that ransomware is simply an inevitable consequence of our digital age. That it is something that we just have to learn to accept.

In reality, ransomware exists because of a series of failures. While apparently unrelated, they combine to create the conditions under which ransomware can flourish and become one of the biggest menaces on the internet today. If we want to stop the next decade becoming the decade of ransomware, we need to make some significant changes.

Policing versus politics – Many of these gangs operate from countries where their behaviour is either not considered criminal, or overlooked by authorities (so long as they don’t attack local companies), or even actively welcomed as a source of new funds. That means treating ransomware as a simple law-enforcement issue is never likely to fix the problem: these states will never hand over these gangs to outside justice. This makes ransomware a political issue as much as a problem for police. Politicians should make clear to these governments that by allowing these gangs to flourish on their soil, they are part of the problem.

Increase the pressure – Intelligence agencies also need to make tackling ransomware a priority. While, understandably, they have focused on state-backed espionage and cyberwarfare, ransomware is now becoming such a problem that greater emphasis needs to be placed on identifying, tracking and disrupting these groups. Some efforts, like the NoMoreRansom project, which offers decryption keys, are a good start, but more effort is needed.

Make paying the ransom an absolute last resort – One of the fundamental issues that allows ransomware to flourish is that it remains lucrative for the gangs because victims will pay up. It’s entirely understandable that victims do pay up, especially when the alternative is going out of business, or paying much more to restore data and computer systems.

But there are two problems with paying up. Firstly, it normalises ransomware attacks, and turns them into another business expense. You can even buy insurance that will cover them. Turning these attacks into just another business cost means that they are taken less seriously. There is a sense that if data is encrypted – but not stolen – then somehow the breach is less important, and that if the ransom is paid and the data unlocked, then it’s no big deal. This might even make it harder to justify spending money to protect against ransomware.

Worse, paying significant sums is a signal to crooks to move into ransomware, and also strengthens the gangs who can then take on more complicated targets. Paying the ransom makes everyone less safe.

Make security practical – Too much software is shipped with too many holes in it; knitting different systems together, which is one of the inevitabilities of any IT infrastructure, only multiplies those security gaps. Vendors need to fix software before shipping, not after. They need to make it much easier for flaws to be dealt with by their customers, for whom patching is a thankless and Sisyphean task. Equally, users of technology have to make sure they are doing everything they can to make their systems secure, which means spending more time, money and effort on security. In many cases, this effort means patching vulnerabilities and making staff aware of the risks to stop the hackers getting through.

None of these changes are easy; getting politicians to understand the internet is hard, making business execs take cybersecurity seriously is difficult, and persuading tech companies to change their development practices takes time. But it’s necessary if we don’t want the ransomware threat to continue to grow.

Originally published by ZDNet