Ransomware has long been thought of as an economic nuisance, but the recent proliferation of well-publicized cyberattacks has revealed ransomware as a serious national security threat. Still largely hidden from public view, however, are the attacks on small businesses, including many tactical businesses, that don’t make the headlines.
A ransomware attack on Colonial Pipeline led to gas shortages and resulted in a 75-bitcoin ransom payment — about $4.5 million. An attack on JBS SA, the world’s largest meat processor, was resolved with a ransomware payment close to $11 million. Surprisingly, however, although ransomware has become a multi-billion-dollar threat, the average payment demanded was only $310,000 in 2020, with many payments in the $25,000 to $30,000 range.
What can a tactical retailer do to reduce the risk of becoming a ransomware victim? The ethics and morality of making these payments aside, the question of how to make a ransomware payment and how to use the cybercurrency market arises. And then, there are the steps that can be taken via taxes and insurance to reduce the pain of many ransomware payments.
What Is Ransomware?
Ransomware is a type of malicious software, or malware, that prevents a business from accessing its computer files, systems or networks and demands payment of a ransom for their return. Ransomware can unknowingly be downloaded onto a computer by opening an email attachment, clicking an ad, following a link, or even visiting a website that’s embedded with malware.
Once the code is loaded on a computer, it will block access to the computer itself or to data and files stored there. More menacing versions can encrypt files and folders on local drives, attached drives and even networked computers. Obviously, ransomware attacks can cause costly disruptions to operations and the loss of critical information and data.
In many situations, the tactical retailer is unaware their computers have been infected. It is usually discovered only when data can no longer be accessed or a computer message pops up alerting users to the attack and demanding ransom payments.
Paying the Piper — Or Not
Top U.S. law enforcement officials discourage meeting ransomware demands. The FBI is reportedly doubling down on its guidance to affected businesses, and their message remains: Don’t pay the cybercriminals.
Ransom payments vary depending on the ransomware variant and the price or exchange rates of digital currencies. The anonymity offered by cryptocurrencies makes this the ideal payment vehicle. Alternative payment options are also frequently employed, including iTunes and Amazon gift cards.
Unfortunately, paying the ransom does not guarantee that users will get the decryption key or unlock code needed to regain access to the infected computer system or files being held hostage. Successful or not, however, the government offers a little-noticed incentive for those who do pay: the ransom may be tax-deductible. And, there may also be insurance payments to cover both business disruption and the ransomware payment.
Taxes to the Rescue
Tax deductibility is part of a bigger quandary stemming from the rise in ransomware attacks. While the government warns that paying ransom will fund criminal gangs and could encourage even more attacks, failing to pay a ransomware demand can have devastating consequences for a tactical retailer.
Fortunately, any tactical business paying ransom may be entitled to claim a tax deduction on their federal tax returns. After all, to be deductible, business expenses should be considered ordinary and necessary. Losses from more traditional crimes such as robberies or embezzlement have long been deductible, so, in all likelihood, ransomware payments should be as well.
Naturally, there are limits to the deduction. If the loss to the business is covered by cyber insurance — something that is becoming increasingly common — the operation can’t claim a deduction for a payment made by an insurer.
Insurance
The question of whether traditional insurance policies provide coverage for losses due to cyberattacks and cybersecurity breaches is, at least temporarily, yes. A federal court in Maryland recently ruled that an insurance company must cover the costs of software, data, computers and servers that were lost or damaged by ransomware under the property insurance coverage of one business owner’s insurance policy.
Since ransomware attacks are becoming easier for cybercriminals to execute, it makes sense for every tactical business owner and manager to look into fortifying the operation’s digital assets and making sure they have business interruption coverage in the event of an attack. But business interruption insurance can only help the business regain some of the financial loss resulting from a security breach. Without business interruption insurance, an operation could not make up any income lost due to the disaster — the ransomware attack.
To protect against cyber risks, a number of tactical retailers and other businesses have begun adding cyber or cyber liability coverage to their business insurance policies. Cyber insurance offers broad coverages to help protect an operation’s various technology-related risks.
So-called “data breach insurance” helps a business respond to breaches and usually offers sufficient protection for most small businesses. Cyber liability insurance, on the other hand, is typically used by larger businesses and offers more coverage to help prepare for, respond to and recover from cyberattacks.
It should be noted that most cyber policies require permission to be secured before any ransom amounts are paid. The same requirement also applies to extortion-related expenses. And remember, although most cyber-related insurance policies provide reimbursement for a ransom payment and related expenses, they don’t pay these costs upfront.
Payment Mechanics
Although paying ransom in a ransomware attack is not recommended, all too often it is necessary. Ransomware attacks usually call for sending cryptocurrency in order to unlock data, with amounts that range from a few hundred dollars to, in an increasing number of cases, millions of dollars.
Surprisingly, small-scale ransomware attackers often demand payment to be wired through Western Union or paid through a specialized text message. In fact, some demand payment in the form of gift cards such as Amazon or iTunes cards. But in the vast majority of cases, ransomware payments involve cryptocurrencies.
Bitcoin is the most popular currency demanded by ransomware attackers, but other cryptocurrencies such as Ethereum, Zcash and Monero are also frequently demanded. Although traditional financial institutions reportedly have their hands tied when it comes to ransomware payments under the money-laundering and know-your-customer regulations, the first step in any ransomware attack should be to contact your business’s bank to determine if they transfer funds to a cryptocurrency exchange and if there are any limits.
The attacked tactical business then sets up an account with one of the many cryptocurrency exchanges — where U.S. dollars are exchanged for digital currency. Funds held in custodial accounts are usually FDIC-insured for up to $250,000.
The Cost of Ransomware
Extortion-related expenses, including the cost of hiring a security expert for advice on responding to these threats and ensuring they don’t happen again, obviously deserve attention. Since payment of a ransom does not guarantee the tactical business’s computers or data will be unchanged after their release, expenditures to restore, replace or reconstruct programs, software and data may also be necessary.
Avoiding the Inevitable
While it is frightening to think that nothing can be done when faced with a cyberattack, being prepared for the potential lost revenue during downtime due to an attack is as important as preemptively assessing what cybersecurity measures are already in place.
Ransomware attackers, indeed all malware distributors, have grown increasingly savvy, requiring extreme caution about what is downloaded or clicked on. Obviously, the best way to avoid being exposed to ransomware, or any type of malware, requires caution whenever the tactical business’s computers are used — by everyone.
Other measures for reducing the risk of potential ransomware attacks include:
* Keeping operating systems, software and applications up to date.
* Ensuring anti-virus and anti-malware programs update regularly and scans are run on a regular basis.
* Backing up data regularly, double-checking that those backups were completed.
* Securing those back-ups and ensuring they are kept separate from the networks and computers that were backed up.
* Most importantly, creating a plan in case the business is the victim of a ransomware attack.
The End Game
Unfortunately, payment is not always the best option. The rise of ransomware attacks over the last few years has created an extremely profitable criminal enterprise. Targeted businesses, organizations and even governments often feel paying the ransom is the most cost-effective way to get their data back.
It is virtually impossible to completely eliminate the risk of a ransomware attack. Preparedness only goes so far in protecting against these increasingly sophisticated attacks. Tax deductions can offset a portion of ransomware attacks and payments, at least for the time being, while insurance is available to help ease the pain — if already in place before an attack happens.
Now the only question is, does funding these cybercriminal organizations, in essence helping them proliferate and grow increasingly more sophisticated, outweigh paying ransom for the promise of restored computer systems and unlocked data? Which is the most cost-effective strategy for your tactical business?