To Report or Not to Report Ransom Payments – A Helpful and Useful Idea

Just a recap - Trustwave in no way endorses ransom payments. We believe the best way to deal with a ransomware situation is to:
A: Create a strong defensive posture that will deter, if not stop, an attack.
B: Have in place a solid and well-practiced incident response plan that includes backups so an organization can quickly recover from any attack.
With that noted, discussing the usefulness of current and proposed legislation that would require organizations to report to their government when a payment is made can be insightful.
Please also read the Part 1 overview and the viewpoint of Craig Searle, Director of Consulting & Professional Services in the Pacific at Trustwave.
Many governments, including ours here in the UK, are leaning towards making it mandatory to report ransomware payments. There are many reasons why I feel this is a solid idea with the potential to generate worthwhile and useful information. Think of it like this:
However, there are downsides to this requirement. It could be an extra headache for companies already reeling from an attack, or it might even push some payments underground if businesses want to avoid scrutiny, thus defeating the purpose of the regulation.
Even if reporting a ransom payment is not legally required, there are good reasons why a victim should bring this activity to the attention of the authorities. I think it actually makes sense for several reasons. Here's why.
When a ransomware attack is successful, it puts an incredible amount of pressure on the victimized organization to resolve the problem and return to normal operations. Unfortunately, paying the ransom may appear as the only route available.
However, law enforcement might be able to offer not only guidance on what to do in this very unusual circumstance, but may also have resources and tools at its disposal that you are not aware of, which could help you recover without paying or claw back a payment that has already been made.
A great example of this is what happened with the 2021 Colonial Pipeline attack.
The U.S. Justice Department recouped $2.3 million of the $4.4 million ransom Colonial Pipeline Co. paid following the May 7, 2021, DarkSide ransomware attack. The DOJ's Ransomware and Digital Extortion Task Force coordinated the effort, in which the FBI tracked part of the payment to a Bitcoin wallet it controls, enabling law enforcement officials to recover the money.
This recovery would not have happened if Colonial Pipeline had not reported the event.
Then, there are more practical reasons, such as insurance coverage. Your cyber insurance probably requires you to report incidents to the authorities to even process a claim.
One can also look at reporting a payment as part of being a good corporate citizen. By sharing what happened, you're helping build a bigger picture that can protect other businesses, maybe even your competitors!
Being a good citizen also shows that you're acting responsibly, which is beneficial for any organization's reputation and may help counter any bad press received due to the ransomware attack.
One of the primary reasons these laws are being put on the books is the amount of information the government can glean from an incident; this is essentially gold for fighting future attacks.
The first fact learned is who was behind the attack. Governments and security firms maintain playbooks of active threat groups, which contain their Tactics, Techniques, and Procedures (TTPs). The government will learn details such as how attackers move through networks, steal data, and deploy ransomware, which are crucial for developing more effective defenses.
A constant flow of new information related to ransomware attacks will reveal the weak spots threat actors use to gain initial access, such as phishing emails, outdated software, etc. This will help governments advise others on how to defend themselves.
Other interesting details will be a better understanding of the going rate for ransoms and how the criminals handle their cash.
Other key details government investigators would likely ask for:
I absolutely believe this information can help build better defenses or responses.
Knowing the latest tricks helps security companies update their tools and helps businesses know which vulnerabilities to patch first. It's like building a better fortress when you know the enemy's attack plans.
It will help create better plans for when an attack happens, making it easier to contain the damage and get back online. Sometimes, it even helps create decryption tools so victims don't have to pay.
Finally, it can lead to catching criminals. Financial trails from payments can help law enforcement track down and arrest these cyber thugs, disrupting their operations.
Basically, every bit of info helps paint a clearer picture, making us all better equipped to fight back against ransomware.
Ed Williams is VP, SpiderLabs at Trustwave, with over 10 years of experience directly focused on penetration testing and consultancy for Government and private sector organizations. Follow Ed on LinkedIn.
Trustwave is a globally recognized cybersecurity leader that reduces cyber risk and fortifies organizations against disruptive and damaging cyber threats. Our comprehensive offensive and defensive cybersecurity portfolio detects what others cannot, responds with greater speed and effectiveness, optimizes client investment, and improves security resilience.
Copyright © 2025 Trustwave Holdings, Inc. All rights reserved.