
Taking the ‘ransom’ out of ‘ransomware’ is a dangerous, possibly brilliant, idea

Billy MacInnes wonders if a policy of non-payment will be an effective way to tackle cyber crime at source

16 January 2025

I’ve always wanted to start a column with “As Oscar Wilde once said”. It’s quite possible that, considering how many years I’ve been writing them, I have already done and forgotten about it, but who’s to know. So let me realise that ambition now.

As Oscar Wilde once said: “An idea that is not dangerous is unworthy of being called an idea at all.”

The eagle-eyed among you will have noticed that, sadly, I did not get my wish to start the column with “As Oscar Wilde once said”.

Anyway, I think we can all appreciate there’s a certain thrill that accompanies the airing or forming of “dangerous” ideas, assuming we’re not scoffing scornfully at the idiocy of whatever is being proposed.

Which brings us neatly to an interesting move by the UK government to combat the scourge of ransomware and end it for good. Among the proposals are plans to ban all public sector bodies, such as the NHS, local councils, schools, as well as critical national infrastructure, from making ransomware payments.

On the face of it, that makes some kind of sense. It can’t be ‘ransomware’ if no one’s going to pay the ransom. So, there you go, problem solved, ransomware erased. Simple really, when you stop to think about it.

And it is. Apart from the small matter of there still being ‘ware’ on the systems preventing them from functioning. Whatever you call it, you still have to deal with it.

No one is suggesting criminals should be rewarded for their criminality – apart from criminals, of course – but if you don’t pay the ransom, you do have to concentrate on the issue of getting rid of the “ware” as quickly as you can to get your systems up and running again.

The human cost

Ilia Sotnikov, security strategist at Netwrix, makes the salient point that there are wider ethical issues that need to be considered with some public sector bodies. If a hospital is subject to a ransomware attack, for example, and patient lives are at stake, “the ethical and legal considerations surrounding ransom payments are more complex than a simple ban allows”. He adds that a “blanket ban on all ransom payments could force decision-makers into impossible moral dilemmas”.

Sotnikov argues the government should concentrate more on creating cyber security benchmarks and make risk mitigation strategies the norm for high-risk industries like healthcare, transportation, and others. “With standards in place, organisations would have appropriate guidance for establishing an efficient strategy against the threat of ransomware.”

He does have a point. You’re not really in a position to airily dismiss the threat of a ransom unless you have the capabilities either to reduce the chances of it happening in the first place or to quickly disarm it when it does.

If it’s hard to get the ransomware onto systems and the threat can be rendered ineffective more quickly, criminals will probably concentrate their efforts elsewhere on more lucrative targets where their chances of being paid are higher. Reducing the profit motive can definitely have a deterrent effect.

We had our own experience of this with the Conti ransomware attack on HSE systems in 2021, which affected both national and local systems. In 2022, it was estimated the attack had cost at least €101 million, and more than €600 million would need to be spent upgrading the HSE’s IT systems to safeguard against repeat attacks. The attackers had initially demanded €20 million. They then gave the decryption tool to the government for free. No one knows quite why.

I was hoping that if I couldn’t successfully start this column with a quote by Oscar Wilde, I could at least end it with one. But it’s not to be. Instead, I’ll leave you with one by H.L. Mencken who has been quoted quite a bit of late because of his observations on democracy and government. For example, in 1920 he wrote: “On some great and glorious day the plain folks of the land will reach their heart’s desire at last, and the White House will be adorned by a downright moron.” Here’s another one, from 1924: “The men the American people admire most extravagantly are the most daring liars; the men they detest most violently are those who try to tell them the truth.”

But in the context of what to do about ransomware, we’ll end with this one: “To every complex question there is a simple answer and it is wrong.”
