Make paying ransom to cybercriminals unattractive

In recent years, the number of ransomware attacks in the Netherlands has skyrocketed. Criminals who manage to gain access to the computer systems of large organisations encrypt computer files and render backups unusable. This brings these organisations to a standstill, often resulting in major damage. The solution offered by the criminals is very simple: pay a large sum of money – often in a crypto-currency – and they provide a code that can be used to decrypt the files again.

The alternative is the expensive and time-consuming complete replacement or reinstallation of all computer systems, assuming a working backup is still available. An additional risk is that the criminals have also made copies of these files and will make the contents public. It is therefore attractive for victims to pay the requested ransom. Not for nothing did Maastricht University choose to pay 200,000 euros to criminals in 2019 in order to resume teaching. Last week, it was announced that dental chain Colosseum Dental transferred the whopping sum of two million euros to be able to fill cavities again. And many more victims are likely to pay ransoms in the future.

The ransom-paying Dutch companies keep this form of crime going because criminals can use that money to fund new attacks. Moreover, the Netherlands has an extra big problem. In fact, research shows that Dutch organisations pay larger ransom amounts on average than organisations in other countries. This makes Dutch organisations an extra attractive and profitable target.

There are therefore increasing calls to ban paying ransoms to cybercriminals. A common argument against this proposal is that affected organisations sometimes have no choice but to pay. As logical as that sounds, it is not true. There is always a choice. While it may be a difficult choice (high costs, loss of revenue, weeks of recovery, even possible bankruptcy), the choice is there and it should be stated honestly. Socially, it is usually the right choice not to pay a ransom and thus to serve the public interest. That right choice should therefore be made more attractive than paying, just as investing in countering digital attacks upfront should be made more attractive than cleaning up the debris afterwards.

My proposal is therefore the introduction of a statutory ransom surcharge of, say, 100 per cent for large organisations. These are organisations with more than 50 employees or organisations so large that they have to publish full financial statements. These organisations are also large enough to employ or hire professional responders who can help prevent a ransomware attack and build proper backup facilities that can withstand such an attack. This surcharge ensures that organisations paying a hundred thousand euros to cyber criminals will have to pay another hundred thousand euros surcharge, doubling the total cost. This has a number of advantages.

First of all, this surcharge makes investing upfront in preventing a ransomware attack and in good backup facilities more financially attractive. It also makes the choice not to pay a ransom more attractive, because paying becomes more expensive. Moreover, if an organisation has no choice but to pay anyway, the money collected in surcharges can be used to help individuals and small business owners, who have neither the knowledge nor the means to hire professional help, make themselves more resilient to ransomware attacks, so that they too become victims less often. The money can also be used for more detection capacity, increasing the chances of criminals being caught. Finally, it will create a better picture of how often Dutch companies pay ransoms and how much money is involved. Currently, we do not really know how big the problem is, because companies that have paid ransoms often remain silent about it.

A ransom surcharge will make the Netherlands more resilient: companies will pay ransoms less often and pay less when they do, and the Netherlands will no longer be an above-average attractive country for cybercriminals to aim their digital arrows at.

This opinion article was published in NRC Handelsblad.
