Britain’s former cybersecurity chief issued a stark warning this weekend: hacked businesses who pay off their ransomware attackers are inadvertently funding organized crime.
Ciaran Martin, who previously led the country’s National Cyber Security Centre, told The Guardian the ransomware situation is “close to getting out of control” and blamed the UK’s lack of suitable laws.
The problem lies in British legislation, which forbids businesses or individuals from paying ransom money to terrorists.
However, the majority of cyberattacks aren’t explicitly terror-related, so there’s not a lot stopping hacked companies from paying ransoms — often in Bitcoin or other cryptocurrencies — to retrieve data.
Those companies can then freely claim back losses in cash via their insurance.
But while Martin and others sympathize with organizations, which say there’s often no choice, there are fears the approach only sends the wrong message and funds the next wave of attacks.
Recent years have seen a marked rise in ransomware incidents and, according to Martin, the issue is only getting worse with high-profile companies like foreign exchange giant Travelex falling victim.
Martin emphasized that it’s hard to follow up on ransomware cases, as the perps take extra measures to cover their tracks. However, he posited laws could be passed to limit insurance providers from paying out ransomware payments on behalf of hacked companies.
“I see this as so avoidable,” Martin told The Guardian. “At the moment, companies have incentives to pay ransoms to make sure this all goes away.”
“You have to look seriously about changing the law on insurance and banning these payments, or at the very least, having a major consultation with the industry.”
Some fear cyberattacks could soon move beyond demanding Bitcoin ransoms and evolve into something more sinister — like the WannaCry attack on the UK’s National Health Service in 2017 which caused serious disruption to the country’s entire healthcare sector.