Comparing US And EU Approaches To Paying Cyber Ransoms
More and more organizations are responding to ransomware attacks by paying the ransom demand, often because payment seems the fastest, most cost-effective route to recovering their data and resuming normal business operations. CrowdStrike Holdings Inc.’s 2019 Global Security Attitude Survey found that the number of global organizations paying ransoms has more than doubled from 14% to 40% over the last year.
Some commentators have suggested that an uptick in cyber insurance covering ransomware may be a factor fueling the rise in ransomware attacks. We disagree with this view and offer as an example the fact that while the cyber insurance market continues to grow across both the U.S. and Europe, European companies seem to be paying disproportionately fewer ransoms, preferring to restore from backups or rebuild entirely, notwithstanding the comparatively high restoration costs.
For example, in 2017, when multiple National Health Service bodies in the U.K. were affected by WannaCry (a ransomware strain associated with low three-figure demands), no ransom was paid, and the NHS is estimated to have spent approximately £92 million/$121 million in cleanup and upgrade costs.
And, when Norsk Hydro ASA was attacked in early 2019, 22,000 computers were hit across 170 different sites in 40 countries, but Norsk Hydro reportedly did not even contact the hackers to ask for the demand, despite having robust cyber insurance in place, instead electing to restore data from backups, at a reported cost of at least £45 million/$59 million.
While there is limited data available regarding the number of ransom payments made per location, global cyber incident response experts such as Ankura and Kivu Consulting Inc. currently see disproportionately few European companies making ransom payments, compared to those in the United States.
There does not seem to be a single explanation for the apparent cultural distinction. Certainly, the legal position on ransom payments is similar on both sides of the pond. For example, in England and Wales, while there is no broadly applicable legislation that makes payment of a ransom illegal, Section 17 of the Terrorism Act 2000 provides that any person who enters into a funding arrangement and knows or reasonably suspects that it will or may be used for the purposes of terrorism is guilty of an offense, and Section 17A provides that it is illegal for insurers to indemnify an insured where they have a reasonable belief that funds have been paid to terrorists.
Likewise, in the U.S., while there also is no generally applicable law against the payment of ransoms, the federal government prohibits financial transactions (including ransom payments) with governments, organizations or individuals on the U.S. Department of the Treasury’s Office of Foreign Assets Control sanctions list, which can include hackers, hacking groups and governments known to support hackers. Increasingly, terrorists also use hacking schemes to generate funds or collect sensitive information.
One commentator has suggested that European companies may simply be better informed regarding alternative options. As highlighted by the New York Times in August 2019, the FBI currently does not promote alternatives to ransom payment, outside of preventive measures, such as patching, training, etc.
By contrast, the EU law enforcement agency, Europol, offers more than 90 freely available online decryption tools to tackle over 100 different strains of malware, via the No More Ransom initiative, which is promoted on the Europol website. This initiative is estimated to have helped 200,000 ransomware victims recover their files since 2016.
Another possible factor is contrasting technologies. Steve Sandford of Ankura highlights that European companies tend to have more stringent backup and disaster recovery procedures in place than their U.S. counterparts, enabling them to ignore ransom demands and recover data from backups.
Additionally, and somewhat counterintuitively, Winston Krone of Kivu suggests that U.S. technological advancements often can be an Achilles’ heel in a ransomware situation, since synchronized real-time backups are more likely to be infected in a ransomware attack, or if online, deleted altogether, while many European companies and entities are still able to restore from old-school magnetic backup tapes, kept safely offline, out of the hacker’s reach.
Cultural differences aside, it is clear that ransomware attacks on both sides of the pond increasingly are being deployed by organized criminals demanding higher amounts (recently starting to reach eight figures in some cases) than traditional hackers, but often lacking the technical capabilities to provide effective decryption keys once a ransom is paid.
As such, while it may be tempting to view payment of a ransom as a quick-fix solution, victims of ransomware attacks in all jurisdictions are encouraged to explore all alternative options in order to avoid longer-term potential risks of repeat attacks, higher financial costs and impact to reputation.
If payment proves to be the necessary course of action, then victims and their insurers must first conduct due diligence on the attacker’s identity in order to comply with government prohibitions and to mitigate the risk of incurring possible civil and criminal penalties.
The opinions expressed are those of the author(s) and do not necessarily reflect the views of the firm, its clients, or Portfolio Media Inc., or any of its or their respective affiliates. This article is for general information purposes and is not intended to be and should not be taken as legal advice.
This article originally appeared in Law360 on January 23, 2020.