Ransomware - Paying the Piper: Ethics vs. Necessity
By Mark E. Battersby
Ransomware has long been thought of as an economic nuisance, but the recent proliferation of well-publicized cyberattacks has revealed ransomware as a serious national threat. Still largely hidden from public view, however, are the attacks on small businesses, including many in the car care industry, that don’t make the headlines.
A ransomware attack on Colonial Pipeline led to gas shortages and resulted in a 75-bitcoin ransom payment — about $4.5 million.
An attack on JBS SA, the world’s largest meat processor, was resolved with a ransomware payment close to $11 million. But don’t forget that, while ransomware has become a multibillion-dollar threat, the average payment demanded was only $310,000 in 2020, with many payments in the $25,000 to $30,000 range.
What can a car wash operator, detailer, or fast lube operator do to reduce the risk of becoming a ransomware victim? The ethics and morality of making these payments aside, there remains the question of how to make a ransomware payment and how to use the cryptocurrency market. Fortunately, there are steps that can be taken via taxes and insurance to reduce the pain of many ransomware payments.
WHAT IS RANSOMWARE?
Ransomware is a type of malicious software, or malware, that prevents a car wash, detail, or fast lube business from accessing its computer files, systems, or networks and demands payment of a ransom for their return. Ransomware can be downloaded onto a computer unknowingly by opening an e-mail attachment, clicking an ad, following a link, or even visiting a website that’s embedded with malware.
Once the code is loaded on a computer, it will lock access to the computer itself or to data and files stored there. More menacing versions can encrypt files and folders on local drives, attached drives, and even networked computers. Obviously, ransomware attacks can cause costly disruptions to operations and the loss of critical information and data.
In many situations, the business is unaware its computers have been infected. The infection is usually discovered when data can no longer be accessed or a computer message pops up alerting users to the attack and demanding ransom payments.
PAYING THE PIPER – OR NOT
Top U.S. law enforcement officials discourage meeting ransomware demands. The FBI is reportedly doubling down on its guidance to affected businesses and its message remains: don’t pay the cybercriminals.
Ransom payments vary depending on the ransomware variant and the price or exchange rates of digital currencies. The anonymity offered by cryptocurrencies makes this the ideal payment vehicle. Alternative payment options are also frequently employed, including iTunes and Amazon gift cards.
Unfortunately, paying the ransom does not guarantee that users will get the decryption key or unlock code needed to regain access to the infected computer system or files being held hostage. Successful or not, however, the government offers a little-noticed incentive for those who do pay: the ransom may be tax deductible. And, there may also be insurance payments to cover both business disruption and the ransomware payment.
TAXES TO THE RESCUE
Tax deductibility is part of a bigger quandary stemming from the rise in ransomware attacks. The government warns that payments that fund criminal gangs could encourage even more attacks.
But, failing to pay a ransomware demand can have devastating consequences for a car wash — or any business.
Fortunately, a business that pays a ransom may be entitled to claim a tax deduction on its federal tax return. After all, to be deductible, business expenses should be considered ordinary and necessary. Losses from more traditional crimes such as robberies or embezzlement have long been deductible; so, too, in all likelihood, are ransomware payments.
Naturally, there are limits to the deduction. If the loss is covered by cyber insurance — something that is becoming increasingly common — the operation can’t claim a deduction for a payment made by an insurer.
The answer to the question of whether traditional insurance policies, outside the relatively new cyber insurance policies, provide coverage for losses due to cyberattacks and cybersecurity breaches is, at least temporarily, yes. A federal court in Maryland recently ruled that an insurance company must cover the costs of software, data, computers, and servers that were lost or damaged by ransomware under the property insurance coverage of one business owner’s insurance policy.
Since ransomware attacks are becoming easier for cybercriminals to execute, it makes sense for every car wash, detail, and fast lube operator to look into fortifying the operation’s digital assets and making sure they have business interruption coverage in the event of an attack. But business interruption insurance can only help the business regain some of the financial loss resulting from a security breach. Without business interruption insurance, an operation could not make up any income lost due to the disaster – the ransomware attack.
To protect against cyber risks, many in the car care industry are beginning to add cyber insurance to their business insurance policies. Cyber insurance offers broad coverages to help protect the operation against various technology-related risks.
So-called “data breach insurance” helps a business respond to breaches and usually offers sufficient protection for small businesses. Cyber liability insurance, on the other hand, is typically used by larger businesses and offers more coverage to help prepare for, respond to, and recover from cyberattacks.
Of course, most cyber policies require the insurance company’s permission be secured before any ransom is paid. The same requirement also applies to all extortion-related expenses. And, remember, most cyber-related insurance policies provide reimbursement for a ransom payment and related expenses. They don’t pay these costs upfront.
Although paying ransom in a ransomware attack is not recommended, all too often it is necessary. Ransomware attacks usually call for sending cryptocurrency in order to unlock data, with amounts ranging from a few hundred to, in an increasing number of cases, millions of dollars.
Surprisingly, small-scale ransomware attackers may demand payment to be wired through Western Union or paid through a specialized text message. In fact, some demand payment in the form of gift cards such as Amazon or iTunes Gift Cards. But, far and away most ransomware payments involve cryptocurrencies.
Bitcoin is the most popular currency demanded by ransomware attackers, but other cryptocurrencies are also demanded, including Ethereum, Zcash, and Monero. Although traditional financial institutions reportedly have their hands tied when it comes to ransomware payments under the money-laundering and know-your-customer regulations, an operator’s first step should be to contact the car wash’s bank to determine if it will transfer funds to a cryptocurrency exchange and if there are any limits.
The attacked car wash, detail, or fast lube business then sets up an account with one of the many cryptocurrency exchanges where, in some cases, funds held in custodial accounts are FDIC-insured for up to $250,000. U.S. dollars are exchanged for digital currency, with the purchased cryptocurrency held in a custodial account.
Extortion-related expenses including the cost of hiring a security expert for advice on responding to these threats — and ensuring they don’t happen again — obviously deserve attention. Since payment of a ransom does not guarantee the car wash operation’s computers or data will be unchanged after their release, there is a cost to restore, replace, or reconstruct programs, software and data.
AVOIDING THE INEVITABLE
While it is frightening to think that nothing can be done when faced with a cyberattack, being prepared for the potential lost revenue/income during downtime due to an attack is as important as preemptively assessing what cybersecurity measures are already in place.
The best way to avoid being exposed to ransomware, or any type of malware, is to exercise caution whenever the operation’s computers are used — by everyone.
Ransomware attackers, indeed all malware distributors, have grown increasingly savvy, requiring extreme caution about what is downloaded or clicked on.
Other measures for reducing the risk of potential ransomware attacks include:
• Keeping operating systems, software and applications up to date
• Ensuring anti-virus and anti-malware programs are updated regularly and scans run regularly
• Backing up data regularly, double-checking that those backups were completed
• Securing those backups, ensuring they are kept separate from the networks and computers that were backed up
• Most importantly, creating a plan in case the business is the victim of a ransomware attack
THE END GAME
The rise of ransomware attacks over the last few years has created an extremely profitable criminal enterprise. Targeted businesses, organizations, and even governments have felt paying the ransom is the most cost-effective way to get their data back. Pleasant or not, payment may be the best option.
It is virtually impossible to completely eliminate the risk of a ransomware attack. Preparedness only goes so far in protecting against these increasingly sophisticated attacks. Tax deductions can offset a portion of the cost of ransomware attacks and payments, at least for the time being, and insurance is available to help ease the pain — if already in place.
Bottom line: does the question of whether to fund these cybercriminal organizations — in essence helping them proliferate and grow increasingly sophisticated — outweigh paying a ransom for the promise of restored computer systems and unlocked data? Which is the most cost-effective strategy?
Mark E. Battersby is an Ardmore, PA-based freelance writer, specializing in finance and tax issues.