Paying bitcoin to ransomware groups should be illegal, according to Ciaran Martin, the former head of the U.K.’s National Cyber Security Centre.
His call came as blockchain intelligence firm Chainalysis released data showing the total amount paid by ransomware victims increased by 311% in 2020, reaching nearly $350 million.
According to a Jan. 24 report by The Guardian, Martin said that insurers have effectively funded organized crime by paying out claims to clients who paid ransoms to regain access to their data after being locked out by the hacker gangs.
Warning that ransomware attacks are “close to getting out of control,” Martin said he feared that the U.K.’s National Health Service may be hit next.
According to Martin, who led the United Kingdom’s top cybersecurity organization until August 2020, the ransomware problem is exacerbated by the absence of a legal barrier to companies paying ransoms and claiming the funds from their insurance firms. He said:
“People are paying bitcoin to criminals and claiming back cash… I see this as so avoidable.”
The problem is that “at the moment, companies have incentives to pay ransoms to make sure this all goes away,” he said. “You have to look seriously about changing the law on insurance and banning these payments.”
Martin’s remarks come as 2020 closed with a notable increase in ransomware cases compared to the previous year. The situation got so bad that blockchain analytics firm Chainalysis said in a Jan. 26 report:
“2020 will forever be known as the year of COVID, but when it comes to crypto crime, it’s also the year that ransomware took off.”
Ransomware was the cryptocurrency crime with the highest growth rate last year, Chainalysis found. This was caused, in large part, by new kinds of ransomware gangs that demand much higher ransoms by attacking large corporations and institutions instead of just consumers.
In December, electronics giant Foxconn’s Mexican facility was taken over by a ransomware gang demanding $34 million. Aside from locking the company out of its systems, the gang threatened to release confidential information.
A bigger problem is that the gangs are evolving into a more complex industry, with criminals creating Ransomware as a Service—or RaaS—businesses in which gang “affiliates ‘rent’ usage of a particular ransomware strain from its creators or administrators, in exchange for a cut of the money from each successful attack,” Chainalysis said.
Chainalysis added that the true total is almost certainly much higher than its $350 million figure:
“Keep in mind too that this number is a lower bound of the true total, as underreporting means we likely haven’t categorized every victim payment address in our datasets.”