U.S. Plans to Push Other Countries Not to Pay Hacker Ransoms

Source: Bloomberg | Published on October 17, 2023

Christie's ransomware

The U.S. is pushing a group of governments to publicly commit to not make ransom payments to hackers ahead of an annual meeting of more than 45 nations in Washington later this month.

Anne Neuberger, deputy national security adviser, told Bloomberg News that she is “incredibly hopeful” about enlisting support for such a statement but acknowledged it’s a “hard policy decision.” If members can’t agree to the statement in advance of the meeting, then it will be included as a discussion point, she said.

Ransomware is a type of malicious code that encrypts a victim’s computer files, essentially rendering them useless. The hackers then demand a payment to provide a key to unlock them. Another popular type of extortion attack involves hackers stealing sensitive documents from a victim and demanding payment to not post them online.

Such ransom attacks have grown in popularity in recent years, in part because they are so profitable for hackers. That’s because victims often conclude that it’s easier to pay the ransom and restore operations than push back against the hackers’ demands.

The aim of the statement is to change that calculus, Neuberger said. “Ransom payments are what’s driving ransomware,” she said. “That’s the reason we think it’s so needed.”

“You’ve got to go to the root cause,” Neuberger said. “The root cause is money.” The statement is expected to apply to governments rather than companies that regularly fall victim to ransomware attacks. Neuberger indicated it would be a first step toward a broader effort to curb ransom payments to hackers.

The Biden administration established an annual international summit to address ransomware in 2021, a gathering of cybersecurity leaders from different nations that were brought together to collaborate on ways to curb the attacks. The first summit came months after a cyberattack against Colonial Pipeline Co. disrupted fuel supplies along the US East Coast and served as a broad wake-up call about the dangers of ransomware. Since the first meeting, the number of participants has expanded from 31 countries to more than 45.

But more than two years after the Colonial Pipeline hack, a string of disruptive ransomware attacks on hospitals, manufacturing and casinos in recent months shows more still needs to be done to curb the crime, Neuberger said. “We’re going to eradicate the ghost of Colonial Pipeline,” she said, explaining the intention behind the Oct. 31 meeting.

Charles Carmakal, chief technology officer at Mandiant Consulting, is among those who argue that an outright ban is still far from feasible.

“There’s so much more that needs to be done before you could outlaw extortion payments,” he told Bloomberg in September. “Law enforcement has to get more aggressive with threat actors and impose pain onto them.”

But Neuberger argues that advances in cybersecurity standards, preparedness and stronger interventions from law enforcement mean it’s now more feasible not to pay ransoms. She said more companies are now making backups so they can restore their systems if they are hacked, and that insurance company policies are incentivizing higher cybersecurity standards.

The UK, which is co-leading the effort to counter illicit finance with Singapore under the counter ransomware initiative, didn’t reply to a request for comment. The Record, a publication by the cybersecurity firm Recorded Future Inc., previously reported the US push for a statement from governments not to pay ransoms.

Neuberger, who is attending this week’s Singapore International Cyber Week, is also making a push for greater disclosures in cryptocurrency transactions to help curb money laundering. She wants to expand the number of countries that implement “Know Your Customer” rules for cryptocurrency firms, at least on a voluntary basis.

In addition, the US wants governments around the world to establish cybersecurity labeling standards so consumers can assess — before they make purchases — how secure are internet-connected devices such as baby monitors and home alarms, Neuberger said. The US announced a proposal for a voluntary cybersecurity labeling effort for internet-connected devices earlier this year.

She said the goal is to have labels on such “Internet of Things” devices in stores in time for Christmas 2024.