Saturday, October 19, 2024
Government Frustrated with Ransomware Payments Enabling Cyberattacks

Amid a rise in ransomware attacks and the prospect of 2024 potentially being one of the worst years on record, U.S. officials are exploring strategies to combat the threat, including reconsidering the approach to ransom payments. Anne Neuberger, the U.S. Deputy National Security Adviser for Cyber and Emerging Technologies, recently argued in a Financial Times opinion piece that certain insurance policies, particularly those covering ransomware payment reimbursements, are inadvertently supporting the criminal ecosystems they aim to mitigate. She advocated for implementing stricter cybersecurity requirements as conditions for coverage to discourage ransom payments.

The U.S. government’s focus on reforming cyber insurance comes as it intensifies efforts to dismantle ransomware networks. Data from the Office of the Director of National Intelligence indicates that by mid-2024, over 2,300 incidents had already been reported, nearly half targeting U.S. organizations, suggesting that 2024 might surpass the 4,506 attacks recorded globally in 2023.

However, even as policymakers examine insurance practices and consider broader strategies to counter ransomware operations, organizations face the immediate dilemma during an attack: pay the ransom, potentially encouraging further incidents, or refuse and risk exacerbating the damage. For many companies, deciding whether to pay is a challenging and pressing issue. Paul Underwood, Vice President of Security at Neovera, a firm that provides IT services, recalled an FBI briefing in 2024 advising against ransom payments but recognizing that it is a business decision involving numerous factors beyond ethics and business practices. The FBI declined to comment on the issue.

Cybersecurity expert Bryan Hornung, CEO of Xact IT Solutions, emphasized the complexity of deciding whether to consider paying a ransom. The urgency to restore operations can pressure businesses into making unexpected decisions, compounded by the fear of escalating damage. Hornung noted the dilemma faced by CEOs who initially resist paying but change course when continued downtime creates more significant problems.

In addition to operational disruptions, the risk of exposing sensitive data, particularly involving customers, employees, or partners, amplifies fear and urgency. Companies not only face potential reputational damage but also class-action lawsuits from affected individuals, with the costs of litigation and settlements sometimes exceeding the ransom demand, prompting companies to pay to minimize fallout. Hornung pointed out that lawyers often initiate class-action lawsuits based on leaked information from the dark web.

A notable case involves Lehigh Valley Health Network, which in 2023 refused to pay a $5 million ransom to the ALPHV/BlackCat group, resulting in a data breach affecting 134,000 patients, including sensitive photographs of breast cancer patients. The incident led to a class-action lawsuit, with allegations that the hospital ignored the real victims while standing firm against the hackers. LVHN eventually settled the lawsuit for $65 million.

Similarly, National Public Data faces multiple class-action lawsuits and possible federal penalties after a hacker posted its database of 2.7 billion records on the dark web, including 272 million Social Security numbers. It remains unclear whether the company paid the demanded ransom. Its slow response, particularly its failure to offer identity theft protection to victims, led its parent company, Jerico Pictures, to file for Chapter 11 bankruptcy on October 2. National Public Data did not comment on the situation.

Darren Williams, founder of the cybersecurity firm BlackFog, opposes paying ransoms, arguing that it encourages more attacks and that exfiltrated data is irretrievably lost. Even when payments are made, as shown in the UnitedHealth Group case where its subsidiary Change Healthcare paid a $22 million ransom, security is not guaranteed. Another group, RansomHub, demanded an additional payment, leading to data eventually being leaked on the dark web.

Concerns about ransom payments potentially funding hostile organizations or violating sanctions add further complexity, given many cybercriminals’ ties to geopolitical adversaries of the U.S. For instance, following an attack by ALPHV/BlackCat, LoanDepot opted not to pay a $6 million ransom, choosing instead to spend $12 million to $17 million on recovery due to concerns about funding criminal groups with possible geopolitical links. This decision resulted in ongoing customer lawsuits.

Regulatory scrutiny further complicates decision-making in ransomware situations. Richard Caralli of Axio, a cybersecurity expert, pointed out that while new SEC reporting requirements on cyber incidents may deter some companies from paying ransoms due to fears of legal repercussions, others may still prioritize speedy recovery despite potential fallout.

As the Cyber Incident Reporting for Critical Infrastructure Act comes into effect in October 2025, requiring disclosure of ransomware payments, all businesses, including those outside SEC regulation, will face similar pressures. The evolving nature of ransomware attacks has led to a shift toward data exfiltration tactics, where data is stolen but not encrypted, forcing businesses to pay ransoms to prevent data exposure.

Despite the collapse of major ransomware groups like ALPHV/BlackCat and LockBit, new criminal entities quickly emerge, leveraging accessible tools for cybercrime. The reward remains high relative to the risk, and barriers to entry are low compared to other crimes.

Experts agree that prevention remains key. Bryan Hornung suggests businesses invest a percentage of their revenue in cybersecurity measures, particularly in sectors handling sensitive data. Proactive defenses like endpoint detection and ransomware rollback features can help organizations manage threats more effectively and make paying the ransom a last resort.

Richard Caralli emphasized the importance of incident response plans that incorporate reliable data backups and regular drills to ensure recovery processes are effective. Hornung warned that the ransomware threat would persist unless businesses prioritize prevention over reactive measures. Small and medium-sized businesses, in particular, should not underestimate their vulnerability to attacks, despite receiving less public attention.

Reducing ransom payments could potentially decrease the financial incentives for ransomware attacks, but hackers may continue to explore alternative methods for financial gain.
