Ransomware targets will pay one way or another

A lock icon, signifying an encrypted Internet connection, is seen on an Internet Explorer browser in Paris

NEW YORK, Nov 17 (Reuters Breakingviews) – A surge in online hacking presents corporate executives with a new challenge, and a new set of costs to be borne. And in the wake of an attack on the U.S. arm of China’s biggest bank, a bid to stamp out ransom payments to cybercriminals looks far-fetched.

Joe Biden’s administration has drummed up support amongst 40 allies of the United States for a collective pledge to never pay ransoms in hopes that it will starve cybercriminals of their key funding source. The White House has even considered an outright ban on firms making ransom payments. In theory, it’s a great idea. If companies can’t pay ransom, there’s no point in asking for it.

In the real world things are more fragile. A unit of Industrial and Commercial Bank of China (601398.SS) last week fell victim to a ransomware attack that wasn’t just a problem for the Chinese lender’s employees and customers: because the unit provides clearing for U.S. Treasuries, the attack added friction to one of the world’s most critical financial markets. ICBC’s self-identified attacker, a gang of digital extortionists called Lockbit, says ICBC paid up. If a critical firm – say a bank with even bigger U.S. operations – faced prolonged downtime, things could get nasty.

That doesn’t mean companies should just give in to criminals. Companies involved in recent attacks, from consumer goods maker Clorox (CLX.N) to casino operator Caesars Entertainment (CZR.O), have had different responses. But more firms are having to make the choice. Digital analytics firm Chainalysis reckons ransomware attackers siphoned at least $457 million from victims last year, likely a low estimate as companies don’t typically disclose much detail around such incidents.

The alternative is to be unhackable – which means spending ever more on defenses. But there are no guarantees. Ransomed firms that had backups of crucial company information got access to their data back within a week just 45% of the time, according to a survey by cybersecurity firm Sophos, comparable to those who paid the ransom. But almost one-quarter of firms with backups still waited a month or more.

If politicians really want to ban companies from paying ransom, they could help meet the costs when firms get hit, which can be considerable. That’s unlikely to happen any time soon given the tightness of U.S. government finances. Companies should therefore be prepared to shell out themselves, one way or another.

Follow @AnitaRamaswamy on X