A pipeline CEO paid $4.4 million in bitcoin to ransomware pirates. How should such piracy be dealt with? And by whom?
Half the U.S. Held Hostage
The Colonial Pipeline provides about 45% of the U.S. East Coast’s fuel.
Soon after ransomware pirates breached and froze pipeline operations on May 7, gas pumps throughout the Eastern U.S. began running dry. Shortages particularly hit southeastern and mid-Atlantic states.
Unsure of the attack’s extent or Colonial’s prospects for recovery absent ransom payment, the CEO, Joseph Blount, transferred $4.4 million to the pirates via Bitcoin.
Even after release by the pirates of the software “keys” to unlock Colonial’s system, restarting operations took time. The pipeline was shut for a total of six days. As of the date of this column, supply disruptions still ripple throughout the distribution system.
Federal law enforcement frowns on paying ransom to pirates. This begs the question of who should pay, and how payment should be meted out.
Ransomware: A Growth Industry
According to Chad Pinson, President of Digital Forensics and Incident Response with Aon, “Our research suggests that the total number of global ransomware reports increased by 715.8% from 2019 to 2020. Ransom payments have risen as well, making a reported 60% leap in payment value since last year. Some of the most sophisticated ransomware attack groups and malware variants are now averaging over $780,000 per payment….[P]redicted damages from ransomware are expected to be $20 billion in 2021.”
Numbers like these roil insurance markets that have traditionally provided ransomware insurance as part of cybersecurity policies. Prices for coverage go up. So do retentions (i.e., deductibles). Meanwhile, limits go down, or must be augmented through standalone policies and/or excess-coverage.
The availablity of insurance can create moral and morale hazards. The coverage itself can attract pirates, while also impacting security diligence and readiness to pay.
In the present case, for example, Colonial acknowledged that its insurance covers ransomware, but provided no policy details.
Federal Law Enforcement’s Advice On Ransomware: Shoot the Hostages
Ransomware piracy’s success attracts “the worst and the brightest” to the business.
With pirates harbored by friendly foreign governments, how has federal law enforcement responded?
Telling Someone Else To Fall On The Grenade
According to press reports, “The Federal Bureau of Investigations has advised companies not to pay when hit with ransomware….Doing so, officials have said, would support a booming criminal marketplace.”
What would we do without government experts?
Several problems arise from advice which government officials give but will never themselves have to take.
First, in many cases, the choice for managers is to pay ransom or to close up shop. Second, sensitive customer data may also be at risk, magnifying the scope and degree of victims and damage.
Third, while an individual soldier might, for example, choose to sacrifice himself for his comrades, professonal managers owe a duty to their companies to safeguard their companies’ interests.
A manager voluntarily sacrificing his or her company’s existence for the greater good might be acting both unethically and actionably.
Shooting The Hostages
Managers therefore feel extraordinary pressure to pay.
And ransomware appears so profitable that pirates will continue pillaging even if only a modest percentage of hostage companies pay up.
Faced with this logic, the federal government has chosen to threaten the victimized companies.
On this point, the U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC) has issued an advisory to alert companies that engage with victims of ransomware attacks of the potential sanctions risks for facilitating ransomware payments.
Pay ransomware to a “designated malicious cyber actor” and the U.S. Government may come after you.
Great.
On the bright side, a “malicious cyber actor” capable enough to warrant designation should be clever enough to operate under a name not on the designated list.
Colonial’s ransomware perpetrator, DarkSide, for example, recently stated that it had lost access to its infrastructure and was shutting down. It remains unclear whether law-enforcement pressure closed the group down, or whether DarkSide will merely regroup and resurface under another name.
Pirates And Slavers: Hostis Humani Generis
For millenia, customary international law has treated pirates (and later, slavers) as hostis humani generis: “enemies of mankind.” A ship of any country coming upon them in national waters or the high seas had the right to capture and punish them.
Ransomware pirates represent the modern equivalent and deserve comparable treatment.
The feebleness of U.S. law enforcement’s response springs from the challenge’s relating not to law enforcement, but to national defense. In dealing with Barbary Pirates over 200 years ago, Thomas Jefferson did not send a representative of the Attorney General, or Secretary of State or Treasury. He sent the U.S. Navy.
The U.S. response to ransomware piracy must come from defense, intelligence, and security assets, rather than law enforcement. It takes little imagination to suss out how the Chinese or Russians or Israelis would respond to a ransomware attack on key infrastructure.
No matter where the pirates tried to hide, it would be they who paid — and paid dearly.
To address the ransomware piracy, we have to properly define it, and bring to bear the right assets.