Ransomware: A Perfect Storm
James Sullivan and James Muir
Emerging Insights, 29 March 2021
This Emerging Insights paper calls for a new set of policy interventions to reduce the threat from ransomware. Options range from introducing legislation to prevent ransom payments, to tackling the use of penetration testing tools used in ransomware attacks, to national-level mechanisms to bolster preparedness for a ransomware attack. This paper intends to be a platform for further debate on global ransomware policy choices.
The research for this paper highlights how ransomware attacks continue to have a significant impact on businesses and organisations across the globe, resulting in high levels of cost and disruption. Using BAE Systems’s threat intelligence capability, this paper explores the methods, impact and mitigation of ransomware attacks in detail. Case studies reveal the success and popularity of ‘double extortion’ ransomware attacks which include data theft. The research also describes the range of attack vectors and exposed attack surface available to ransomware operators and reveals how different criminal ransomware operators collaborate and learn from each other. In the context of a global pandemic, the paper shows how cyber criminals continue to exploit victims and cause disruption with impunity.
The paper underlines the complexities that businesses and governments face when deciding whether to pay a ransom following a ransomware attack. Complications include paying criminals that are subject to indictments or sanctions, the potentially questionable role of ransomware recovery negotiators, and the arguably misunderstood role of cyber insurance companies. Further research is needed to determine the true impact of these auxiliary complexities.
Finally, the paper urgently calls for a new set of policy interventions based on the ‘Prevent, Pursue, Protect and Prepare’ approach to tackling cybercrime. In doing so, this research highlights a type of cybercrime that is spiralling out of control and requires urgent policy intervention.