The successful attack on Hillel Yaffe Hospital in Israel, like many attacks on hospitals worldwide, demonstrates that ransomware attacks threaten not only the economy but also critical services.
Most OECD countries today ignore, and even legitimize, these attacks by allowing ransom payments. In practice, no country enforces a prohibition on private companies paying ransom after an attack.
Moreover, OECD countries allow the sale of insurance policies that reimburse ransom payments made to international criminal organizations. Such policies turn ransomware into a crime that the state ignores, or even sponsors. A policy of tolerating ransom payments in effect allows the ransom market to flourish. Indeed, the number of attacks on private companies and government corporations keeps growing, and the attackers are becoming bolder.
Paying ransom to an international crime organization conflicts with anti-money-laundering and organized-crime laws, which are themselves based on international agreements and treaties. If OECD countries chose to prevent ransom payments, the legal infrastructure is already in place: the existing Anti-Money Laundering Act, Anti-Terrorist Financing Act, Banking Act and Securities Act stand in direct contradiction to the payment of ransom by private and public companies.
Helplessness in the face of the phenomenon, together with the fear that a ban on ransom payments would be a decree the private sector cannot comply with, has made paying ransom an accepted norm.
An international treaty among OECD countries should include several steps that together would significantly reduce ransomware attacks. The principal obligation of treaty members would be a clear and total ban on the payment of ransom, grounded in the existing anti-money-laundering laws and laws directed against criminal organizations.
Yet banning the payment of ransom is not enough; ransom victims must also be protected from the damage ransomware causes. Two additional measures should therefore be part of the package: an international fund to reimburse losses due to ransomware damage (since no ransom will be paid), and protection from damages claims for companies that have refused to pay. The fund and the immunity from lawsuits would apply only if the victim can prove it met cybersecurity standards, and in particular the standards and regulations for recovery technologies, since a victim that can restore its systems from backups loses little by refusing to pay.
Banning ransom payments, together with compensating and protecting companies that have implemented established cybersecurity and recovery practices, would constitute a significant barrier to the continued explosion of the ransomware market.
Israel, together with the US, can lead such an international effort. The proposal presented here does not guarantee an immediate solution, but it can make a difference. Burying our heads in the sand will not solve the problem.
The writer is a cyber crisis specialist and associate researcher at the Institute for Counter-Terrorism Policy at the Interdisciplinary Center in Herzliya.