The largest ransomware attack of 2021 has further fueled a debate among policymakers, cybersecurity experts and corporate leaders over whether, as part of an effort to counter the growing cyber threat, businesses should be barred from paying off cybercriminals.
Businesses and other organizations caught in sophisticated hackers' crosshairs typically must choose whether to reward criminals for their malicious work in return for regaining control of their computer networks, or to refuse to pay at the cost of losing irreplaceable data and the ability to resume operations.
With pressure growing on the administration to find ways to contain the threat, President Joe Biden met with top national security officials and experts Wednesday to discuss new tactics and policies.
White House press secretary Jen Psaki later told reporters that the officials provided Biden with "an update on their ongoing work: surge capacity, resilience and reporting, addressing payment systems, and our ongoing efforts to combat ransomware." She added that the president "reserves the right to respond against any ransomware networks and those that harbor them."
The attack over the July 4 holiday weekend targeted U.S.-based software supplier Kaseya and more than 1,000 of its customers worldwide. It followed a spate of similar intrusions attributed to criminal gangs believed to be operating out of Russia.
REvil, a Russian-speaking cybercriminal gang blamed for an attack on meat processor JBS USA in June, has taken credit for the latest hit, claiming to have infected more than 1 million "systems." The group is demanding a $70 million ransom in cryptocurrency in return for a "universal" key to unlock the affected machines. The ransomware payment would be the highest ever made, according to cybersecurity firm Recorded Future.
'An awful situation'
While cybersecurity experts say it is highly unlikely that the affected companies — from Swedish grocery stores to New Zealand kindergartens — will band together to pay the ransom, the incident illustrates the conundrum that victims of ransomware attacks often find themselves in.
"No company wants to find themselves in this position, where they have to choose between keeping their doors open and keeping their business going as juxtaposed against giving funding to criminals," said Philip Reiner, chief executive officer of the Institute for Security and Technology. "It's an awful situation for a CEO or for a board to be in."
FBI Director Christopher Wray has said that companies and organizations targeted by ransomware attacks should not pay hackers to unlock their data but should immediately turn to law enforcement officials for assistance.
JBS USA reportedly paid $11 million to hackers responsible for a May 30 malware attack that had temporarily halted company operations throughout North America and Australia. Colonial Pipeline company paid $4.4 million in ransom after hackers had forced the shutdown of the largest fuel pipeline in the U.S. on May 7. The FBI later recovered most of Colonial's ransom payment.
In a ransomware attack, hackers lock a victim's computer network and hold it hostage until a ransom, often in cryptocurrency, is paid. Depending on the scale of an attack, this can force a company to shut down its entire operations.
Ransomware attacks have grown in both frequency and severity in the past year or two, driven by the rise of cryptocurrencies that allow for pseudo-anonymous payments and a business model that enables even unsophisticated cybercriminals to participate.
Moreover, with cybercriminals increasingly targeting critical services such as hospitals and schools, U.S. and other Western officials are treating ransomware as a national security threat. In a statement released late Tuesday, the White House described ransomware as a "national security and economic security priority for the administration."
Anne Neuberger, deputy national security adviser for cyber and emerging technology, told the nonpartisan National Association of Attorneys General last month that the Biden administration has a four-pronged ransomware strategy: disrupting threat actors and their infrastructure, holding countries that shelter ransomware criminals accountable, identifying and pursuing criminal transactions in cryptocurrencies, and reviewing the government's ransomware payment policies.
To pay or not to pay
One of the toughest questions facing administration officials is whether businesses and other organizations targeted by ransomware should be prohibited from paying a ransom. Those advocating a payment ban argue that since ransomware is motivated by profit, removing the financial incentive would drive ransomware criminals out of business. Opponents say banning ransom payments could badly undercut efforts by businesses trying to restore their operations.
"It's such a difficult policy decision," Neuberger said last week at an online event sponsored by Silverado Policy Accelerator, a bipartisan policy organization focused on advancing American prosperity and competitiveness. "It has to be approached with a lot of careful thought, thinking second- and third-order effects in thinking through that."
What is more, Neuberger noted, U.S. critical infrastructure is largely owned and operated by the private sector, limiting the government's ability to dictate business decisions such as whether to pay a ransom.
Instead of an outright ban on ransom payments, she indicated that the administration is looking into incentives the government can offer organizations to avoid having to pay a ransom in the first place.
"If a company is a victim of ransomware … they're in a difficult spot. There is a process that brings a company to that difficult place," Neuberger said. "What are the incentives along the way that we can do to really reshape that process?"
At the same time, the administration is reviewing its policy on whether ransom payments can be kept secret. Because many victims quietly negotiate with ransomware gangs and don't publicly acknowledge payments, the scope of ransomware attacks remains uncertain, Neuberger said.
Meanwhile, some members of Congress have pressed for legislation requiring companies to notify the government about any breach and to report all ransom payments.
"We need more transparency because right now what's happening around ransomware, not only are the companies often not reporting that they are attacked, but they're not reporting the ransomware payments," Democratic Senator Mark Warner, chairman of the Senate Intelligence Committee, said on NBC's Meet the Press last month.