2023-05-15

The good news on ransomware is that attacks seem to be decreasing where, in the past, they’ve hit hardest. The bad news is that the numbers might not tell the full story. The Institute for Security and Technology’s influential Ransomware Task Force released a progress report this month that was altogether heartening: Not only have 92 percent of the group’s recommendations “seen some action” but also the usual suspects are laying off the usual targets. Attempts to hold data hostage at critical infrastructure companies such as the oil-carrying Colonial Pipeline or the meat processor JBS Foods have slowed. One blockchain-analytics firm found that payments dropped by 40 percent last year — down to $457 million from $766 million — and another report indicates the payment rate on demands has sunk from 85 percent to 37 percent in the past three years. The so-called life span of the average ransomware exploit has plummeted in two years from 265 days to 70.

But there’s one number that throws all the others into some doubt: FBI and Justice Department representatives said recently that only around 20 percent of ransomware victims report attacks. How many ransoms were paid that authorities never heard about?


Victims of ransomware have compelling reasons to keep quiet about it. They may worry their company’s security systems will seem too lax to clients or investors. And in cases where they pay up, they may fear legal consequences for doing criminals’ bidding. Some hacking groups are subject to U.S. sanctions that companies might violate by complying with their demands. There are ways to ameliorate these obstacles — and, perhaps not so coincidentally, they line up with task-force recommendations.


Last year’s Cyber Incident Reporting for Critical Infrastructure Act included a requirement that critical infrastructure companies report cyber incidents and ransomware payments to the Cybersecurity and Infrastructure Security Agency. Those standards are under development. The Securities and Exchange Commission is also considering a rule that would impose reporting requirements on private companies.

These could be the first steps in building a robust process for firms under attack to review their options before resorting to paying a ransom — which should, as a matter of policy, be considered a last resort. The surest way to kill the extortion industry, after all, is to make it unprofitable. Continuing to improve the federal government’s emergency response services to help victims better navigate these crises and, ideally, get back online will be essential to this process. So will reducing liability for companies that comply with federal frameworks for boosting their cybersecurity and reacting to breaches.


Information-sharing more generally is key to quelling the ransomware epidemic, and while the United States has come a long way in collaborating both with the private sector here at home and with partner countries globally, there’s more work to be done — with increased reporting at its core. Better information could allow authorities not only to understand the issue’s magnitude but also to map connections among those who develop the hacks, those who deploy them and those who allow them to move their money around. It could assist organizations already under attack in limiting the damage, and it could tip those who might be attacked off to their vulnerabilities. A clear picture of the ransomware problem could also aid authorities in understanding not only whether attacks are down but also why: The recent reported drop, for instance, could be attributable to hardened systems and more aggressive authorities or it could largely be thanks to the Russia-Ukraine war redirecting the efforts of hackers in the area.

There are other reasons not to celebrate so early. The threat is rising in the global south. And even here in the United States, less of a problem doesn’t mean no problem: Ransomware took hold at 2,025 educational institutions, 290 hospitals and 105 local governments in the United States in 2022. Just recently, investigators seeking records on police calls to the home of a suspect in the Allen Premium Outlets mass shooting were stymied by a ransomware attack that tied up Dallas government computers. It’s only one example of the very real risks to public safety that this scourge presents.

Certainly, the government and its peers deserve credit for what they’ve done so far to fight cybercriminals: improving global law enforcement cooperation to track down malicious actors, disrupting gangs as well as cryptocurrency exchanges that have become hotbeds for laundering stolen funds, devoting more money to defenses. To know just how much credit that is, however, the statistics have to be more than best guesses.
