The government is upset with companies that pay ransom to ransomware criminals. The Ministry of Justice and Security is investigating, among other things, the possibilities of prohibiting insurers from paying ransoms. Sources report this to the NOS.
If a business is shut down by a ransomware attack, an insurer can now choose to reimburse the ransom so that the entrepreneur can quickly get back to work. In many cases, this is cheaper than when a company is shut down for a few weeks and the insurer has to reimburse those costs. Earlier, Minister Grapperhaus said he would prefer not to see insurers pay ransom.
“We are investigating how we can reduce ransom payments,” a ministry spokesperson confirmed. “We haven’t made a decision on that yet.”
Why only insurer payments, and not all ransom payments, would be restricted is unclear; the ministry did not answer questions about it.
Strange, then ban ransom payments for all companies
Yasin Chalabi of insurer Hiscox, which also offers cybercrime insurance, finds this choice strange. “Then ban ransom payments for all companies, because most companies do not have insurance.”
The Dutch Association of Insurers is also critical: “We understand the political sentiment, but one should not act overnight.” Not being allowed to pay can have major consequences and can endanger companies.
Criminal ecosystem
In a ransomware attack, a company's systems are locked until it pays the attackers. The attackers go about this cunningly: backups are often destroyed or taken offline as well, making recovery difficult or nearly impossible.
The idea is that if no company paid a ransom, it would make no sense for criminals to attack companies. “The payments keep the criminal ecosystem going,” said Chief Public Prosecutor Michiel Zwinkels.
The criminals can also use the money they earn for new attacks. “We see in studies that the money paid by one victim is directly invested in infrastructure and resources,” says Matthijs Japsers of the police ransomware task force.
“We would like to see victims not pay, but we see that sometimes it does happen because it is cheaper than all the repair work.”
Pay
It is not known how often companies pay. Security expert Frank Groenewegen of Deloitte, who assists hacked companies, says that in his experience it happens in six out of ten cases.
Research by insurer Hiscox also shows that 58 percent of successfully attacked companies pay. That research included the Netherlands; specific figures on the Dutch situation are not known.
The police also do not have exact figures. “We only see the tip of the iceberg, because companies often don’t file a report for fear of reputation damage.”
Entrepreneurs or institutions that pay the ransom often do not want to be publicized, for fear of the same reputation damage or of being targeted again. One of the few known Dutch cases is Maastricht University, which paid the attackers 200,000 euros. One of the best-known examples is Brazilian meat processor JBS, which paid the attackers $11 million.
“Sometimes they have no other choice,” says Groenewegen. “In most cases I see, entrepreneurs really don’t see any other option.” The cases where ransom is paid out of a business consideration – recovery is possible, but more expensive – are rarer, he says.
“I have assisted many companies where all the data was really gone. They then have the choice: pay, or spend weeks to months recovering and sometimes even go bankrupt.”
Files leaked
Meanwhile, attackers are putting more and more pressure on companies to pay. Not only are corporate networks encrypted; the attackers also steal data about employees and customers, and publish it when companies refuse to pay.
It happened to ROC Mondriaan, an MBO (secondary vocational) school community in The Hague region with 25,000 students. Internal documents are now available on the internet, including teachers' personnel files, reported complaints and financial documents.
“The attackers demand four million euros,” said Hans Schutte, the chairman of the board of directors. “That is, of course, an absurd amount of money.”
Despite the leaked documents, the organization has chosen not to pay. “We have never considered payment. Basically we have said: we do not pay.”