3 Measures to Stifle the Ransomware Crisis

There is a new ransomware attack in the headlines nearly weekly. Several high-profile attacks in the last year were disastrous for the victim organizations, and even caused supply chain disruptions, including two that impacted the oil and meat processing industries.

These attacks are also costly. According to Sophos’ State of Ransomware report, the average bill for rectifying a ransomware attack, considering downtime, people time, device cost, network cost, lost opportunity, and ransom paid is US$1.85 million.

With no signs of slowing down, what can be done to stop this global crisis? The ransomware plague deserves a global response with concrete actions. The US federal government and its partners can take meaningful anti-ransomware action around the world with these three steps.

1. Stop paying ransoms

As long as victims pay ransoms, criminals will still be incentivized to launch ransomware attacks. That’s why all organizations that are part of a federal, state, or local government supply chain need to commit not to pay ransoms. The commitment should come in the form of a contractual agreement not to pay with partners and vendors.

The government should play a role in helping to make this idea more acceptable by issuing a recommendation to organizations not to pay and instead emphasize the need to invest in defenses against ransomware.

2. Regulate cryptocurrency exchanges

If ransomware groups only have a few places where they can safely cash out their ransom payments, it will be less lucrative to earn illegal income from these attacks. That’s why the cryptocurrency exchanges where cybercriminals convert their ransoms into hard currencies must be regulated – this way criminals cannot easily convert crypto earnings from ransomware attacks.

In order for this to happen, the US government should pass cryptocurrency laws and anti-money laundering policies that prevent American-based crypto companies from being used as currency exchanges for ransomware attackers. The US should also work with allies and international groups like the UN and G-7 to apply these policies on an international level.

3. Mandate IT hygiene and breach disclosure

There is a reason why ransomware attacks are still so successful: many companies still lack basic IT hygiene. Employees need education about spear-phishing, two-factor and multifactor authentication, deploying basic endpoint protection, and backing up data to off-network and off-site storage.

While companies that contract with the federal government are obligated to follow baseline levels of cybersecurity, IT hygiene should also be mandated in some way for commercial organizations. One way? Make it part of compliance with certifications, versus trying to pass laws that mandate this behavior. Certifications are easier to update than laws, meaning vendor compliance also stays up to date.

To fight back against ransomware attacks, we need to understand the scope and breadth of the problem, which is why breach disclosure should also be mandated. But any mandate for breach disclosure reporting must be applied carefully. It should not be deployed as a punishment for breach, but rather as an awareness measure. Mandates should emphasize that swift disclosure provides faster visibility into attacks – and faster action to protect themselves.

It’s time now for global organizations and government entities to band together and take a stand against ransomware. These actions can serve as a meaningful roadmap to stopping this plague on business from continuing to devastate victims around the world.

Sophos works with organizations to help them tackle the threat of ransomware. Learn more at Sophos.com.