Pay The Piper — Or Not


The rise of ransomware attacks over the last few years has created an extremely profitable criminal enterprise. What you need to know to reduce the risk of becoming a victim.

October 8, 2021


Ransomware has long been thought of as an economic nuisance, but the recent proliferation of well-publicized cyberattacks has revealed ransomware as a serious national threat. Still largely hidden from public view, however, are the attacks on small businesses, including many snow removal and ice management businesses, that don’t make the headlines.

A ransomware attack on Colonial Pipeline led to gas shortages and resulted in a 75-bitcoin ransom payment – about $4.5 million. An attack on JBS SA, the world’s largest meat processor, was resolved with a ransomware payment close to $11 million. But don’t forget that while ransomware has become a multibillion-dollar threat, the average payment demanded was only $310,000 in 2020, with many payments in the $25,000 to $30,000 range.

What can a snow removal contractor or business owner do to reduce the risk of becoming a ransomware victim? The ethics and morality of making these payments aside, the question of how to make a ransomware payment and how to use the cybercurrency market arises. And then, there are the steps that can be taken via taxes and insurance to reduce the pain of many ransomware payments.

DOUBLING DOWN

Top U.S. law enforcement officials discourage meeting ransomware demands. The FBI is reportedly doubling down on its guidance to affected businesses, and its message remains: don’t pay the cybercriminals.

Ransom payments vary depending on the ransomware variant and the price or exchange rates of digital currencies. The anonymity offered by cryptocurrencies makes this the ideal payment vehicle. Alternative payment options are also frequently employed, including iTunes and Amazon gift cards.

Unfortunately, paying the ransom does not guarantee that users will get the decryption key or unlock code needed to regain access to the infected computer system or files being held hostage. Successful or not, however, the government offers a little-noticed incentive for those who do pay: the ransom may be tax deductible. And there may also be insurance payments to cover both business disruption and the ransomware payment.

TAXES TO THE RESCUE

Tax deductibility is part of a bigger quandary stemming from the rise in ransomware attacks. The government does warn that payments that fund criminal gangs could encourage even more attacks. But failing to pay a ransomware demand can have devastating consequences for a snow and ice removal business.

Fortunately, a business that pays a ransomware demand may be entitled to claim a tax deduction on its federal tax returns. After all, to be deductible, business expenses should be considered ordinary and necessary. Losses from more traditional crimes such as robberies or embezzlement have long been deductible; so, too, in all likelihood, are ransomware payments.

Naturally, there are limits to the deduction. If the loss to the snow removal business is covered by cyber insurance – something that is becoming increasingly common – the operation can’t claim a deduction for a payment made by an insurer.

INSURANCE

The answer to the question of whether traditional insurance policies, outside the relatively new cyber insurance policies, provide coverage for losses due to cyberattacks and cybersecurity breaches is, at least temporarily, yes. A federal court in Maryland recently ruled that an insurance company must cover the costs of software, data, computers, and servers that were lost or damaged by ransomware under the property insurance coverage of one business owner’s insurance policy.

Since ransomware attacks are becoming easier for cybercriminals to execute, it makes sense for every contractor and business owner to investigate fortifying the operation’s digital assets and making sure they have business interruption coverage in the event of an attack. But business interruption insurance can only help the business regain some of the financial loss resulting from a security breach. Without business interruption insurance, an operation could not make up any income lost due to the disaster – the ransomware attack.

To protect against cyber risks, businesses are beginning to add cyber insurance to their business insurance policies. Cyber insurance offers broad coverages to help protect the operation from various technology-related risks.

So-called “data breach insurance” helps a business respond to breaches and usually offers sufficient protection for small businesses. Cyber liability insurance, on the other hand, is typically used by larger businesses and offers more coverage to help prepare for, respond to and recover from cyberattacks.

It should be noted that most cyber policies require that permission be secured before any ransom is paid. The same requirement also applies to extortion-related expenses. Remember, most cyber-related insurance policies provide reimbursement for a ransom payment and related expenses. They don’t pay these costs up front.

PAYMENT MECHANICS

Although paying ransom in a ransomware attack is not recommended, all too often it is necessary. Ransomware attacks usually call for sending cryptocurrency to unlock data, with amounts ranging from a few hundred to, in an increasing number of cases, millions of dollars.

Surprisingly, small-scale ransomware attackers may demand payment to be wired through Western Union or paid through a specialized text message. In fact, some demand payment in the form of gift cards such as Amazon or iTunes Gift Cards. But, far and away, ransomware payments involve cryptocurrencies.

Bitcoin is the popular currency demanded by ransomware attackers, but other cryptocurrencies are also demanded, including Ethereum, Zcash and Monero. Although traditional financial institutions reportedly have their hands tied when it comes to ransomware payments under the money-laundering and know-your-customer regulations, the first step should be to contact the snow removal operation’s bank to determine if they transfer funds to a cryptocurrency exchange and if there are any limits.

The attacked business sets up an account with one of the cryptocurrency exchanges – somewhere funds held in custodial accounts are FDIC-insured for up to $250,000. US dollars are exchanged for digital currency, with the purchased cryptocurrency held in an insured custodial account.

RANSOMWARE COST

Extortion-related expenses, including the cost of hiring a security expert for advice on responding to these threats – and ensuring they don’t happen again – obviously deserve attention. Since payment of a ransom does not guarantee the snow removal and ice management operation’s computers or data will be unchanged after their release, there is a cost to restore, replace or reconstruct programs, software and data.

AVOIDING THE INEVITABLE

While it is frightening to think nothing can be done when faced with a cyberattack, being prepared for the lost revenue/income during downtime due to an attack is as important as preemptively assessing what cybersecurity measures are in place.

The best way to avoid being exposed to ransomware – or any type of malware – requires caution by everyone whenever the operation’s computers are used. Ransomware attackers, indeed, all malware distributors, have grown increasingly savvy, requiring extreme caution about what is downloaded or clicked on. Other measures for reducing the risk of potential ransomware attacks include:

  • Keep operating systems, software and applications up to date
  • Ensure anti-virus and anti-malware programs update regularly and scans run on a regular basis
  • Back up data regularly, double-checking that those backups were completed
  • Secure those backups, ensuring they are kept separate from the networks and computers that were backed up, and
  • Most importantly, create a plan in case the business is the victim of a ransomware attack.

THE END GAME

The rise of ransomware attacks over recent years has created an extremely profitable criminal enterprise. Targeted businesses, organizations and even governments have felt paying the ransom is the most cost-effective way to get their data back. Unfortunately, payment is the best option.

Bottom line, does paying the ransom for the promise of restored business systems and data only encourage the cybercriminals, who grow increasingly bold? Right now, this may be the only, and the most cost-effective, strategy.

Mark E. Battersby is Snow Magazine’s financial writer. He resides in Ardmore, Pa.