Why we can’t fix the ransomware problem

Five years have passed since the first widespread ransomware incident; the global WannaCry cyberattack.

You may ask, why are we still trying to solve this problem? And why has the cybersecurity industry not been able to produce the needed technical solutions that will stop similar ransomware attacks from happening in the future?

Ransomware is a concept

One reason is that ransomware is a concept, rather than a single type of attack. It can use any type of attack vector, and any vulnerability in your organisation (whether technical or organisational) to launch an attack against you. Furthermore, in most large-scale ransomware incidents, especially those that make the evening news, the attacks are usually complex, carefully crafted attacks that are tailored for the individual organisation, making use of the weaknesses that exist in that particular organisation.

Any sophisticated attack will consist of a chain of events. It is also worth noting, that whatever solutions and tools the ‘good guys’ have in place to protect themselves; the cybercriminals will also have access to these security measures.

Payments are used to fund more crimes

Another issue has come in the form of paid ransoms. As these payments are used to fund more crimes and expands the gangs’ operations. Today, cybercriminal gangs have already generated so much wealth that they can invest in hiring experienced software engineers for research and development to further sharpen their weapons.

Operating system vendors move slowly

The third reason is that operating system vendors move slowly and their development is not able to keep up with the criminals. The codebase of a modern operating system has become so extensive that it is risky to change or remove anything at all. Yet, every feature in an operating system increases the attack surface against it, and it is very difficult to ensure there are no security holes in these systems.

Worse still, many of these features have been enabled by default, in an effort to make it easier for end users to use their laptops and computers. So, it is left up to the organisations themselves to ensure any undesired functionality is disabled.

Governments have moved slowly in their legislation

The fourth reason is societal - governments have moved slowly in their legislation and regulation. One notable example is the slow progress made with regards to cryptocurrency regulation. For example, cryptocurrency exchanges, which allow criminals to cash in their ransom wins for fiat currencies, are not considered to be financial institutions like banks and insurance companies.

This means that such exchanges are thus rarely required to comply with extensive AML/CTF regulations. This notable loophole has made it easy for cybercriminals to operate freely outside of government-controlled institutions and gain considerable wealth.

Fortunately, there is a glimmer of hope, as intergovernmental action has begun to deliver results. A task force led by the US Federal Bureau of Investigations consisting of 20 countries, recently took down the most prevalent ransomware group, REvil. This successful collaboration could be the start of more concerted actions against ransomware gangs.

In conclusion

In conclusion, it is not a good idea to simply rely on the cyber insurer to cover possible ransom demands. Regulators in many countries have taken action, and for instance the OFAC (Office of Foreign Assets Control) of the US Treasury has issued a guideline warning about the potential sanctions they may levy to “anyone facilitating payments to the organised cybercriminals”.

Effectively, cyber insurance products may have a cover for ransom payments, however they always have a condition that the payment must be legally permissible.


Written by

Mikko Peltonen, If