Research Essay - Cybercrime Assignment PDF

Title: Research Essay - Cybercrime Assignment
Course: Cybercrime
Institution: Macquarie University

Description

Research Essay – PICT2001

The discussion surrounding ransomware attacks and the potential outlawing of payments made to remove ransomware contains valid arguments about both the benefits and the negatives that would arise from outlawing the payments. “Ransomware is a malware that renders a victim's computer or data unusable and is increasingly being used by criminals to generate revenue through extortion” (O'Kane, Sezer & Carlin, 2017). In 2020 alone, ransomware payments totalled around three hundred and seventy million dollars, a three hundred and thirty-six percent increase from 2019 (Schwartz, 2021). This great increase has resulted in many companies taking out cyber insurance policies so that, if they are attacked, they are protected and will not suffer a financial loss. However, cyber criminals still get paid for their attacks, so they have continued them, knowing that most companies will pay off the ransomware attack through insurance straight away to protect their company’s cyber information. For this reason, two sides have emerged, for and against the outlawing of ransomware payments. This essay will critically evaluate the effectiveness of this strategy by discussing its key benefits, namely that cyber criminals would be making significantly less profit and the frequency of attacks would then drop. The negative side of the strategy will also be discussed, with the key points being the criminalization of the victim and how the law would be enforced upon companies and people. Through analysis of these points, the effectiveness of outlawing ransomware payments will be critically evaluated and outlined within this essay.

The most essential benefit of the strategy of criminalizing ransomware payments is that the cyber criminals would not be receiving any financial gain from their attacks.
This is the main goal of outlawing ransomware payments, as O’Kane, Sezer and Carlin (2017) argue that ransomware is now one of the biggest cyber security threats because criminals see the internet as a major gift, due to how much money is made so easily from ransomware. The ease with which this money is made is accentuated by the types of people that can perform ransomware attacks. The Russian online forum (RaaS) has allowed people with extremely limited programming skill (script kiddies) to perform ransomware attacks (O'Kane, Sezer & Carlin, 2017) and make easy money from companies and individuals that will most likely get the ransom paid off through insurance. If the strategy of outlawing ransomware payments is made law, these “script kiddies” would be making no money from their attacks and ultimately would give up on performing ransomware attacks, as it is all about the money for most cyber criminals, displaying a critical positive outcome of the strategy. Another example of why ransomware payments should be outlawed is that there is no guarantee that, after a payment is made, the hacker will unlock the victim’s files or device, and hackers commonly even ask for extra payment once they recognise that the individual or company is willing to pay. It has been found that victims that pay their ransom only recover their data around fifty percent of the time (Cartwright & Cartwright, 2019). If individuals and companies recognise that there is a high chance of their data not being returned, they will already be unsure whether to pay off the ransomware, so the introduction of outlawing ransomware payments adds an extra line of reasoning for victims not to contribute to the funding of ransomware cyber criminals. Another reason for ransomware payments being outlawed is that victims that are known to pay off the ransomware are more susceptible to further attacks. As O’Kane, Sezer and Carlin (2017) argue, “Ransomware targets a wide range of users, many with a low-technical skill level, and therefore the ransomware creators have gone to great lengths to ensure that even the novice can pay the ransomware”. These victims are put on lists called “sucker-lists” (O'Kane, Sezer & Carlin, 2017), which are put together to inform other hackers of gullible and vulnerable internet users. Outlawing payments with significant penalties would likely be particularly effective in persuading internet users that are not necessarily technologically savvy against paying off ransomware attacks, and in turn would assist in decreasing ransomware profits for cyber criminals. The examples above highlight the beneficial nature of outlawing ransomware payments, with the key focus on limiting the amount of money cyber criminals are making off individuals and businesses. A crackdown on people using insurance money to pay the attacks off and get their data back, without thinking about the consequences of giving large sums of money to criminals without much resistance, will assist in decreasing the frequency of ransomware attacks, due to fewer attacks being paid off. Therefore, we recognise how the outlawing of ransomware payments as a strategy can provide some clear benefits to the cyber security field.

However, alongside these benefits of outlawing ransomware payments are some negative and ineffective aspects of the strategy. A key issue with this strategy is the idea that the law will be punishing the victim of the initial attack. Yes, the law would deter a percentage of people from paying the ransom, but many individuals or companies would have other elements to factor in. This could be because the data that has been attacked is of high importance to an individual, or could be key trade secrets of a large company that the hacker has stated will be released if the ransom is not paid.
These data breaches could also result in significantly negative financial and reputational impacts for the victim (Reed, 2021). A more effective way to prevent ransomware payments from occurring is to focus initially on increasing the protection of individual and company files. Computing infrastructure must be prepared for ransomware attacks and, specifically for companies, “Personnel in the organization responsible for maintaining all of the computers’ operating systems, application software, browsers and plug-ins, firmware, and anti-virus software should ensure that they are up-to-date with the latest patches.” (Sittig & Singh, 2016). This would most definitely assist companies in, at the very least, mitigating the impact of ransomware attacks on the company. However, individuals that are targeted potentially do not have the resources to maintain their computer systems, nor even the knowledge of how to do so. Education for individuals is then paramount, so that the impact of a ransomware attack is limited and ultimately the pressure to pay the ransom is reduced. A tactic such as “avoid opening attachments or clicking on links unless they are known to be from a legitimate source” (Reed, 2021) is a simple step to, at the minimum, reduce the chances of an attack on an individual. Another step is for companies to consistently inform employees to monitor network activity so ransomware such as malware and phishing can be identified and appropriately removed (Reed, 2021). These alternative approaches to limiting the damage of ransomware attacks are more favourable than the outlawing of ransomware payments because the victim is not being criminalized; many unsuspecting victims would be confused and upset about being penalised after being initially attacked.
The process of outlawing ransomware payments is a reaction to the ransomware attacks and ultimately does not assist in the prevention or mitigation of the attacks on people or companies. Therefore, the strategy of outlawing ransomware payments displays some ineffectiveness when compared to more preventative strategies that are being used.

Another inefficiency of the strategy to outlaw ransomware payments is the system for enforcing the rule of law and the difficulties that will arise for law enforcement. How would law enforcement discover that an individual or company has even paid off a ransomware attack? Ransomware can attack a whole range of security services, i.e., confidentiality, integrity, and availability, which may result not only in financial losses but also in important information breaches (Guizan et al., 2017). Companies may find it more ideal to pay off an attack secretly to avoid reputational damage to the company’s level of security, which could in turn lead to companies not disclosing information on attacks to the authorities (Reed, 2021) and effectively sweeping the attack under the rug. This displays how a level of trust between companies, individuals and law enforcement is required for the law to be effective at all. This impacts heavily on the effectiveness of the strategy, as many companies and individuals will value their data over the ransom amount paid, which attackers continue to recognise, knowing that it is likely law enforcement will not be informed of the majority of attacks. Another difficult aspect for law enforcement would be even finding proof that a ransomware attack occurred and was paid off, with the only way law enforcement could find out being a report by another individual that saw an individual pay off a ransom, or a report by an insider within a company that paid off a ransom. These difficulties highlight a key ineffective aspect of the strategy to outlaw ransomware payments, as law enforcement has to rely on individuals or businesses self-reporting an attack, where many of these victims would much rather pay the ransom to get back access to their data than involve authorities and damage personal or company reputations.

With the recent rapid technological advancement of the online world, cybercrime has also been a part of that rapid growth, particularly with new ways to make money through hacking and scamming unsuspecting individuals and companies throughout the world. This has brought about ransomware attacks, which force victims to pay a sum to avoid their private data being breached or sent out into the world. The strategy of outlawing ransomware payments by victims has been floated within governments of the world as a way to decrease the amount of money cyber criminals are being given and ultimately limit the frequency of attacks. This essay has reported upon the benefits that can be gained from this strategy, such as a great impact on limiting the financial gain for cyber criminals and limiting the number of attacks, which ultimately lowers the risk of unsuspecting victims having to pay large sums for their own data. The key negatives of the strategy are its heavy focus on reacting to the attack as a solution, rather than a focus on prevention and mitigation of ransomware attacks initially, along with the criminalization of a victim that is most likely uneducated or unprepared for cyber attacks on their data, and the difficulty for law enforcement to effectively uphold the law. Through this discussion we can see there are clear benefits to the strategy of outlawing ransomware payments that would assist in limiting a significant portion of total cybercrime funding in the online world. However, the variety of negative impacts of outlawing ransomware payments should not be ignored, and they highlight the potential ineffectiveness of the strategy.

Word Count: 1801
Student Number: 45876509

References

Cartwright, A. & Cartwright, E., 2019. Ransomware and Reputation. Games, Volume 10, pp. 26-40.

Guizan, M., Yaqooba, I., Ahmeda, E., Rehmanb, M. H., Ahmeda, A. I. A., Al-garadi, M., Imrand, M., 2017. The rise of ransomware and emerging security challenges in the internet of things. Computer Networks, pp. 444-458.

O'Kane, P., Sezer, S. & Carlin, D., 2017. Evolution of Ransomware. IET Journals, Volume 7, pp. 321-327.

Reed, S., 2021. Info Security. [Online] Available at: https://www.infosecurity-magazine.com/opinions/case-for-against-criminalizing/ [Accessed 27 May 2021].

Schwartz, M., 2021. Bank Info Security. [Online] Available at: https://www.bankinfosecurity.com/mark-ransomwares-success-370-million-in-2020-profits-a-16121#:~:text=Blockchain%20analysis%20firm%20Chainalysis%20this,increase%20over%20known%202019%20earnings. [Accessed 29 May 2021].

Sittig, D. & Singh, H., 2016. A Socio-technical Approach to Preventing, Mitigating, and Recovering from Ransomware Attacks. Applied Clinical Informatics, Volume 7, pp. 624-632.

