Why our government should make paying ransoms to cyber criminals illegal

Justice Minister Kris Faafoi has been in the headlines lately defending the proposed new hate speech laws. The laws sparked opprobrium from both the left and right, critics citing the limits on freedom of speech.

But in May, as staff at Waikato Hospital fished out pads and pencils to work and surgeries were cancelled as a result of a ransomware attack, a spokesperson for the Minister told the Herald that “The Minister of Justice is not considering making it an offence to pay a ransom or facilitate payment of a ransom in the event of a ransomware attack.”

The reasoning? 

“While the Government understands that making payments may be perceived to encourage further attacks, criminalising the victim of a ransomware demand raises issues of fairness about making a victim a criminal if they are trying to protect their business and livelihood… by making such a payment.”

A short-sighted view of the situation, but one echoed by governments across the globe.

But for a government that has been celebrated internationally for its forward-thinking policies on climate change, its pandemic handling and its response to the 2019 mosque massacre, the issue should be seen as an opportunity.

As New Zealand reels again from the recent Kaseya ransomware attack, which saw high schools and kindergartens struggle as their IT systems were held hostage by suspected Russian-affiliated hackers, the government should take a stand and make the payment of cyber ransoms illegal.

Earlier this month JBS, a major meat processing company in the US, suffered a crippling ransomware attack that threatened to compromise US meat supplies. Pretty much immediately the company ponied up 11 million USD to get their meat plants working again. 

They were up and running within days.

“It was very painful to pay the criminals, but we did the right thing for our customers,” a spokesperson from JBS told The Wall Street Journal.

Clearly JBS wrote it off as a business cost (possibly tax deductible and likely covered by cyber insurance), and Americans had their meat back in time for BBQ season.

But that pragmatic, business-first thinking – I’m not so convinced about the “customer” part – sets a dangerous precedent as ransomware attacks ramp up across the globe.

Ransomware is a great business model

Expect the attacks to continue because, at the moment, if you’re running a criminal gang, ransomware is a great business model.

But it shouldn’t be.

If the attacks took a different profile – a workplace held hostage by a gunman, for example, rather than an anonymous figure behind a keyboard on the other side of the world – the public would be horrified if a ransom were paid and the perpetrators allowed to escape with the proceeds.

But that is exactly what paying a ransomware demand allows and, as hackers increasingly see utilities and public sector institutions like hospitals as fair game, the risk that human lives will be lost as a result of these attacks grows.

Just last year German police launched a “negligent homicide” inquiry after a woman died as a result of a ransomware attack that disrupted emergency care at the hospital she was in.

There’s also a political element. 

Many ransomware groups are dominated by Russian-speaking cyber criminals who are shielded – and often employed – by Russian intelligence agencies and their allies.

Do we want our businesses empowering those entities?

Payment might seem prudent if, as in the case of JBS, your only focus is on the bottom line; but businesses should see the issue more in terms of their Corporate Social Responsibility policy. Paying only emboldens criminal organisations, makes attacks more likely and helps fund other illegal activities.

Of course, most businesses – like Fisher & Paykel – do the right thing: they refuse to pay and do the hard yards of restoring data and putting robust cyber security protocols in place.

When the company was attacked in 2020, marketing and digital transformation head Rudi Khoury said it never had any intention of paying.

“Our decision was absolutely not to pay, regardless of the amount.” 

Government needs to get involved

While NZ has laws in place to stop the financing of terrorism and money laundering, the government seems happy to keep the ransomware loophole open.

This hands-off approach – “don’t do it, but if you do, we won’t do anything about it” – is a large part of the reason ransomware attacks are flourishing around the world.

Our government doesn’t even want to introduce a law demanding mandatory reporting, something Australia is considering. Digital Economy and Communications Minister David Clark believes that “There’s always a risk where there is mandatory reporting of those kinds of things that people shy away from engaging with official agencies if there’s a risk to them.”

Does that make sense to anyone?

And it’s not only ransomware attacks – New Zealand has been the target of a slew of DDoS attacks on the NZX, Lion, the Reserve Bank and MetService.

None of the victims would comment on whether a ransom had been demanded, nor is there any indication that any was paid, but these were clearly profit driven attacks on some of our most important institutions.

Unsurprisingly, CertNZ – the government’s cyber-security portal – recommends businesses don’t pay a ransom. Paying doesn’t guarantee victims will get their data back and could also put victims at risk of further attacks: “if an attacker sees that you’re willing to pay them, they could simply target you again. Paying ransoms supports this kind of criminal activity.”

Although it’s difficult to get data on the matter, it appears that a range of New Zealand companies have shelled out cryptocurrency to hackers in order to keep their businesses running.

Campbell McKenzie, founder of forensic technology and cybersecurity company Incident Response Solutions, told RNZ that some of his clients were so paralysed by ransomware attacks they felt they had no choice but to pay, with some shelling out “hundreds of thousands of dollars”.

Of course passing a law won’t solve the problem. 

It can’t stop businesses from quietly choosing to pay and keeping it confidential; and much work has to be done to ensure businesses upgrade their IT management, run regular back-ups and educate their staff.

But a clear steer from the government will set a precedent we can be proud of and send a clear message to this new breed of terrorist – extortion doesn’t pay in Aotearoa.
