Anne Neuberger, deputy national security advisor for cyber and emerging technologies, speaks during a news conference in the James S. Brady Press Briefing Room at the White House in Washington, D.C., U.S., on Monday, May 10, 2021 amid the Colonial fuel pipeline ransomware attack.

Bloomberg | Bloomberg | Getty Images

With ransomware attacks surging and 2024 on track to be one of the worst years on record, U.S. officials are seeking ways to counter the threat, in some cases, urging a new approach to ransom payments.

Anne Neuberger, U.S. deputy national security adviser for cyber and emerging technologies, wrote in a recent Financial Times opinion piece that insurance policies — especially those covering ransomware payment reimbursements — are fueling the very criminal ecosystems they seek to mitigate. “This is a troubling practice that must end,” she wrote, advocating stricter cybersecurity requirements as a condition of coverage to discourage ransom payments.

Zeroing in on cyber insurance as a key area for reform comes as the U.S. government scrambles to find ways to disrupt ransomware networks. According to the latest report by the Office of the Director of National Intelligence, by mid-2024 more than 2,300 incidents already had been recorded — nearly half targeting U.S. organizations — suggesting that 2024 could exceed the 4,506 attacks recorded globally in 2023.

Yet even as policymakers scrutinize insurance practices and explore broader measures to disrupt ransomware operations, businesses are still left to grapple with the immediate question when they are under attack: Pay the ransom and potentially incentivize future attacks or refuse and risk further damage.

For many organizations, deciding whether to pay a ransom is a difficult and urgent decision. “In 2024, I attended a briefing by the FBI where they continued to advise against paying a ransom,” said Paul Underwood, vice president of security at IT services company Neovera. “However, after making that statement, they said that they understand that it’s a business decision and that when companies make that decision, it is taking into account many more factors than just ethics and good business practices. Even the FBI understood that businesses need to do whatever it takes to get back to operations,” Underwood said.

The FBI declined to comment.

“There’s no black or white here,” said cybersecurity expert Bryan Hornung, CEO of Xact IT Solutions. “There’s so many things that go into play when it comes to making the decision on whether you’re even going to entertain paying the ransom,” he said.

The urgency to restore operations can push businesses into making decisions they may not be prepared for, as does the fear of increasing damage. “The longer something goes on, the bigger the blast radius,” Hornung said. “I’ve been in rooms with CEOs who swore they’d never pay, only to reverse course when faced with prolonged downtime.”  

In addition to operational downtime, the potential exposure of sensitive data — especially if it involves customers, employees, or partners — creates heightened fear and urgency. Organizations not only face the possibility of immediate reputational damage but also class-action lawsuits from affected individuals, with the cost of litigation and settlements in some cases far outweighing the ransom demand, and driving companies to pay just to contain the fallout.

“There are lawyers out there who know how to put together class-action lawsuits based on what’s on the dark web,” Hornung said. “They have teams that find information that’s been leaked — driver’s licenses, Social Security numbers, health information — and they contact these people and tell them it’s out there. Next thing you know, you’re defending a multimillion-dollar class-action lawsuit.”  

Ransom demands, data leaks, and legal settlements

A notable example is Lehigh Valley Health Network. In 2023, the Pennsylvania-based health system refused to pay a $5 million ransom to the ALPHV/BlackCat gang, which then leaked data on 134,000 patients, including nude photos of about 600 breast cancer patients, on the dark web. The fallout was severe, resulting in a class-action lawsuit which claimed that “while LVHN is publicly patting itself on the back for standing up to these hackers and refusing to meet their ransom demands, they are consciously and intentionally ignoring the real victims.”

LVHN agreed to settle the case for $65 million.

Similarly, background-check giant National Public Data is facing multiple class-action lawsuits, along with more than 20 states alleging civil rights violations and possible fines from the Federal Trade Commission, after a hacker posted NPD’s database of 2.7 billion records on the dark web in April. The data included 272 million Social Security numbers, as well as full names, addresses, phone numbers and other personal data of both living and deceased individuals. The hacker group allegedly demanded a ransom to return the stolen data, though it remains unclear whether NPD paid it.

What is clear, though, is that the NPD did not immediately report the incident. Consequently, its slow and incomplete response — especially its failure to provide identity theft protection to victims — resulted in a number of legal issues, leading its parent company, Jerico Pictures, to file for Chapter 11 on Oct. 2.

NPD did not respond to requests for comment.

Darren Williams, founder of BlackFog, a cybersecurity firm that specializes in ransomware prevention and cyber warfare, is firmly against paying ransoms. In his view, paying encourages more attacks, and once sensitive data has been exfiltrated, “it is gone forever,” he said.

Even when companies choose to pay, there’s no certainty the data will remain secure. UnitedHealth Group experienced this firsthand after its subsidiary, Change Healthcare, was hit by the ALPHV/BlackCat ransomware group in February 2024. Despite paying a $22 million ransom to prevent a data leak and quickly restore operations, a second group, RansomHub, claiming that ALPHV/BlackCat had failed to pass the ransom on to the affiliate that carried out the attack, obtained the stolen data and demanded a further payment from Change Healthcare. Change Healthcare hasn’t said whether it paid, but the fact that the stolen data was eventually leaked on the dark web suggests the demand most likely was not met.

The fear that a ransom payment may fund hostile organizations or even violate sanctions, given the links between many cybercriminals and geopolitical adversaries of the U.S., makes the decision even more precarious. For example, according to a Comparitech Ransomware Roundup, when LoanDepot was attacked by the ALPHV/BlackCat group in January 2024, the company refused to pay the $6 million ransom demand, opting instead to absorb projected recovery costs of $12 million to $17 million. The choice was primarily motivated by concerns about funding criminal groups with potential geopolitical ties. The attack affected around 17 million customers, leaving them unable to access their accounts or make payments, and in the end customers still filed class-action lawsuits against LoanDepot, alleging negligence and breach of contract.


Regulatory scrutiny adds another layer of complexity to the decision-making process, according to Richard Caralli, a cybersecurity expert at Axio.

On the one hand, recently implemented SEC reporting requirements, which mandate disclosures about cyber incidents of material importance, as well as ransom payments and recovery efforts, may make companies less likely to pay because they fear legal action, reputational damage, or shareholder backlash. On the other hand, some companies may still opt to pay to prioritize a quick recovery, even if it means facing those consequences later.

“The SEC reporting requirements have certainly had an effect on the way in which organizations address ransomware,” Caralli said. “Being subjected to the consequences of ransomware alone is tricky to navigate with customers, business partners, and other stakeholders, as organizations must expose their weaknesses and lack of preparedness.” 

With the passage of the Cyber Incident Reporting for Critical Infrastructure Act, whose implementing rule is expected to take effect around October 2025, many organizations not regulated by the SEC will soon face similar pressures. Under the rule, companies in critical infrastructure sectors — many of them small and mid-sized entities — will be obligated to report any ransomware payments, further intensifying the challenges of handling these attacks.

Cybercriminals are changing the nature of data attacks

As fast as cyber defenses improve, cybercriminals are even quicker to adapt.

“Training, awareness, defensive techniques, and not paying all contribute to the reduction of attacks. However, it is very likely that more sophisticated hackers will find other ways to disrupt businesses,” Underwood said.

A recent report from cyber extortion specialist Coveware highlights a significant shift in ransomware patterns.

While not an entirely new tactic, hackers are increasingly relying on exfiltration-only attacks: sensitive information is stolen but nothing is encrypted, so victims keep access to their systems. The shift is a response to companies having improved their backups and become better prepared to recover from encryption-based ransomware. The ransom is demanded not to recover encrypted files but to prevent the stolen data from being released publicly or sold on the dark web.

New attacks by lone-wolf actors and nascent criminal groups have emerged following the collapse of ALPHV/BlackCat and LockBit, according to Coveware. These two ransomware gangs were among the most prolific, with LockBit believed to have been responsible for nearly 2,300 attacks and ALPHV/BlackCat for over 1,000, 75% of which were in the U.S.

BlackCat executed a planned exit after pilfering the ransom owed to its affiliates in the Change Healthcare attack. LockBit was taken down after an international law-enforcement operation seized its platforms, hacking tools, cryptocurrency accounts and source code. However, even when these operations are disrupted, ransomware infrastructure is quickly rebuilt and rebranded under new names.

“Ransomware has one of the lowest barriers to entry for any type of crime,” said BlackFog’s Williams. “Other forms of crime carry significant risks, such as jail time and death. Now, with the ability to shop on the dark web and leverage the tools of some of the most successful gangs for a small fee, the risk-to-reward ratio is quite high.”

Making ransom a last resort

One point on which cybersecurity experts universally agree is that prevention is the ultimate solution.

As a benchmark, Hornung recommends businesses allocate between one percent and three percent of their top-line revenue toward cybersecurity, with sectors like health care and financial services, which handle highly sensitive data, at the higher end of this range. “If not, you’re going to be in trouble,” he said. “Until we can get businesses to do the right things to protect, detect, and respond to these events, companies are going to get hacked and we’re going to have to deal with this challenge.”

Additionally, proactive measures such as endpoint detection and response (software that acts as a “security guard” on each machine, continuously watching for signs of unusual or suspicious activity and raising an alert) and ransomware rollback (a backup feature that kicks in to undo the damage and restore your files if an attacker locks you out of your system) can minimize damage when an attack occurs, Underwood said.
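The two signals that matter here, a machine whose files are being encrypted and a machine whose data is simply leaving (the exfiltration-only pattern Coveware describes, where nothing is encrypted and the only host-side symptom is unusual outbound traffic), can be sketched as a small detector. The Python below is an added example written for this page; it is not code from Coveware, Neovera or any vendor quoted here, and the host names, destination addresses, thresholds and telemetry events are all constructed for illustration.

```python
"""Toy detector for two ransomware signals (added example, not from the article).

1. Encryption burst: one process writes many files whose content is high-entropy
   (ciphertext looks random) inside a short window.
2. Exfiltration: a host sends far more bytes outbound in an hour than its
   baseline. In an exfiltration-only attack this is the only host-side signal,
   because nothing is encrypted and the system keeps working.
Thresholds and telemetry below are constructed assumptions for illustration.
"""
import hashlib
import math
from collections import defaultdict

HIGH_ENTROPY = 7.0       # bits per byte; encrypted or compressed data sits near 8.0
BURST_WINDOW = 60        # seconds
BURST_COUNT = 20         # high-entropy writes by one process inside the window
EGRESS_MULTIPLIER = 10   # outbound bytes per hour versus the host's baseline


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: ~8.0 for ciphertext, roughly 4-5 for English text."""
    if not data:
        return 0.0
    counts = defaultdict(int)
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def pseudo_ciphertext(seed: bytes, length: int = 4096) -> bytes:
    """Deterministic high-entropy bytes standing in for an encrypted file body."""
    out, block = b"", seed
    while len(out) < length:
        block = hashlib.sha256(block).digest()
        out += block
    return out[:length]


def detect_encryption_bursts(file_events):
    """file_events: (ts, host, process, path, written_bytes).
    Returns (host, process) pairs that wrote BURST_COUNT high-entropy files
    within BURST_WINDOW seconds (sliding window over sorted timestamps)."""
    per_proc = defaultdict(list)
    for ts, host, proc, _path, data in file_events:
        if shannon_entropy(data) >= HIGH_ENTROPY:
            per_proc[(host, proc)].append(ts)
    alerts = []
    for key, stamps in per_proc.items():
        stamps.sort()
        start = 0
        for end in range(len(stamps)):
            while stamps[end] - stamps[start] > BURST_WINDOW:
                start += 1
            if end - start + 1 >= BURST_COUNT:
                alerts.append(key)
                break
    return alerts


def detect_exfiltration(net_events, hourly_baseline):
    """net_events: (ts, host, dest, bytes_out). Sums outbound bytes per host per
    hour bucket and returns (host, hour_bucket, total) where the total reaches
    EGRESS_MULTIPLIER times that host's baseline."""
    per_bucket = defaultdict(int)
    for ts, host, _dest, nbytes in net_events:
        per_bucket[(host, ts // 3600)] += nbytes
    alerts = []
    for (host, bucket), total in per_bucket.items():
        base = hourly_baseline.get(host, 0)
        if base and total >= EGRESS_MULTIPLIER * base:
            alerts.append((host, bucket, total))
    return alerts


# Constructed telemetry (assumed, not real logs). ws-01 is being encrypted;
# fs-02 is an exfiltration-only victim (no encryption, 2 GB leaves in one hour);
# ws-03 is a normal workstation editing documents and browsing.
PLAINTEXT = b"Quarterly report: revenue up 4%, headcount flat. " * 80
FILE_EVENTS = (
    [(1000 + i, "ws-01", "svchost.exe", f"C:/docs/{i}.docx.locked",
      pseudo_ciphertext(bytes([i]))) for i in range(25)]
    + [(1000 + i, "ws-03", "winword.exe", f"C:/docs/{i}.docx", PLAINTEXT)
       for i in range(25)]
)
NET_EVENTS = (
    [(7200 + i * 60, "fs-02", "203.0.113.10", 40_000_000) for i in range(50)]
    + [(7200 + i * 60, "ws-03", "198.51.100.5", 200_000) for i in range(50)]
)
HOURLY_BASELINE = {"fs-02": 50_000_000, "ws-03": 30_000_000}  # typical bytes/hour

if __name__ == "__main__":
    print("encryption bursts:", detect_encryption_bursts(FILE_EVENTS))
    print("exfiltration:", detect_exfiltration(NET_EVENTS, HOURLY_BASELINE))
```

The design point is that the two checks are independent: a backup-and-rollback product answers the first signal, but only egress monitoring (proxy, firewall or EDR network telemetry with a per-host baseline) catches the second, which is why improved backups alone pushed attackers toward exfiltration-only extortion.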

A well-developed plan can help ensure that paying the ransom is a last resort, not the first option.

“Organizations tend to panic and have knee-jerk reactions to ransomware intrusions,” Caralli said. To avoid this, he stresses the importance of developing an incident response plan that outlines specific actions to take during a ransomware attack, including countermeasures such as reliable data backups and regular drills to ensure that recovery processes work in real-world scenarios.

Hornung says ransomware attacks — and the pressure to pay — will remain high. “Prevention is always cheaper than the cure,” he said, “but businesses are asleep at the wheel.”

The risk is not limited to large enterprises. “We work with a lot of small- and medium-sized businesses, and I say to them, ‘You’re not too small to be hacked. You’re just too small to be in the news.’”

If no organization paid the ransom, the financial benefit of ransomware attacks would be diminished, Underwood said. But he added that it wouldn’t stop hackers.

“It is probably safe to say that more organizations that do not pay would also cause attackers to stop trying or perhaps try other methods, such as stealing the data, searching for valuable assets, and selling it to interested parties,” he said. “A frustrated hacker may give up, or they will try alternative methods. They are, for the most part, on the offensive.”

Supreme Court set to hear oral arguments on challenge to TikTok ban


TikTok creators gather before a press conference to voice their opposition to the “Protecting Americans from Foreign Adversary Controlled Applications Act,” pending crackdown legislation on TikTok in the House of Representatives, on Capitol Hill in Washington, U.S., March 12, 2024.

Craig Hudson | Reuters

The Supreme Court on Friday will hear oral arguments in the case involving the future of TikTok in the U.S., which could ban the popular app as soon as next week.

The justices will consider whether the Protecting Americans from Foreign Adversary Controlled Applications Act, the law that targets TikTok for a ban and imposes harsh civil penalties on app “entities” that continue to carry the service after Jan. 19, violates the U.S. Constitution’s free speech protections.

It’s unclear when the court will hand down a decision, and if China’s ByteDance continues to refuse to divest TikTok to an American company, it faces a complete ban nationwide.

What will change about the user experience?

The roughly 115 million U.S. TikTok monthly active users could face a range of scenarios depending on when the Supreme Court hands down a decision.

If no word comes before the law takes effect on Jan. 19 and the ban goes through, it’s possible that users would still be able to post or engage with the app if they already have it downloaded. However, those users would likely be unable to update or redownload the app after that date, multiple legal experts said.

Thousands of short-form video creators who generate income from TikTok through ad revenue, paid partnerships, merchandise and more will likely need to transition their businesses to other platforms, like YouTube or Instagram.

“Shutting down TikTok, even for a single day, would be a big deal, not just for people who create content on TikTok, but everyone who shares or views content,” said George Wang, a staff attorney at the Knight First Amendment Institute who helped write the institute’s amicus briefs on the case. 

“It sets a really dangerous precedent for how we regulate speech online,” Wang said.

Who supports and opposes the ban?

Dozens of high-profile amicus briefs from organizations, members of Congress and President-elect Donald Trump were filed supporting both the government and ByteDance.

The government, led by Attorney General Merrick Garland, alleges that until ByteDance divests TikTok, the app remains a “powerful tool for espionage” and a “potent weapon for covert influence operations.”

Trump’s brief did not voice support for either side, but it did ask the court to oppose banning the platform and allow him to find a political resolution that allows the service to continue while addressing national security concerns. 

The short-form video app played a notable role in both Trump and Democratic nominee Kamala Harris’ presidential campaigns in 2024, and it’s one of the most common news sources for younger voters.

In a September Truth Social post, Trump wrote in all caps Americans who want to save TikTok should vote for him. The post was quoted in his amicus brief. 


Nvidia’s tiny $3,000 computer steals the show at CES


Nvidia CEO Jensen Huang speaks about Project Digits, a personal AI supercomputer for researchers and students, during a keynote address at the Consumer Electronics Show (CES) in Las Vegas, Nevada, on January 6, 2025.

Patrick T. Fallon | Afp | Getty Images

Nvidia CEO Jensen Huang was greeted like a rock star this week at CES in Las Vegas, following an artificial intelligence boom that has made the chipmaker the second most valuable company in the world.

At his nearly two-hour keynote on Monday kicking off the annual conference, Huang packed a 12,000-seat arena, drawing comparisons to the way Steve Jobs would reveal products at Apple events.

Huang concluded with an Apple-like trick: a surprise product reveal. He presented one of Nvidia’s server racks and, using some stage magic, held up a much smaller version, which looked like a tiny cube of a computer.

“This is an AI supercomputer,” Huang said, while donning an alligator skin leather jacket. “It runs the entire Nvidia AI stack. All of Nvidia’s software runs on this.”

Huang said the computer is called Project Digits and runs on a relative of the Grace Blackwell chips that currently power the most advanced AI server clusters: a Blackwell-family graphics processing unit (GPU) paired with an Arm-based Grace central processing unit (CPU). Nvidia worked with Taiwanese semiconductor company MediaTek to create the system-on-a-chip, called GB10.

Formerly known as the Consumer Electronics Show, CES is typically the spot to launch flashy and futuristic consumer gadgets. At this year’s show, which started on Tuesday and wraps up on Friday, several companies announced AI integrations with appliances, laptops and even grills. Other major announcements included a laptop from Lenovo which has a rollable screen that can expand vertically. There were also new robots, including a Roomba competitor with a robotic arm.


Unlike Nvidia’s traditional GPUs for gaming, Project Digits isn’t targeting consumers. Instead, it’s aimed at machine learning researchers, smaller companies and universities that want to develop advanced AI but don’t have the billions of dollars to build massive data centers or buy enough cloud credits.

“There’s a gaping hole for data scientists and ML researchers and who are actively working, who are actively building something,” Huang said. “Maybe you don’t need a giant cluster. You’re just developing the early versions of the model, and you’re iterating constantly. You could do it in the cloud, but it just costs a lot more money.”

The supercomputer will cost about $3,000 when it becomes available in May, Nvidia said, and will be available from the company itself as well as some of its manufacturing partners. Huang said Project Digits is a placeholder name, indicating it may change by the time the computer goes on sale.

“If you have a good name for it, reach out to us,” Huang said.

Diversifying its business

The Nvidia Project Digits supercomputer during the 2025 CES event in Las Vegas, Nevada, US, on Wednesday, Jan. 8, 2025. 

Bridget Bennett | Bloomberg | Getty Images

“It was a little scary to see Nvidia come out with something so good for so little in price,” Melius Research analyst Ben Reitzes wrote in a note this week. He said Nvidia may have “stolen the show,” due to Project Digits as well as other announcements including graphics cards for gaming, new robot chips and a deal with Toyota.

Project Digits, which runs Linux and the same Nvidia software used on the company’s GPU server clusters, represents a huge increase in capabilities for researchers and universities, said David Bader, director of the Institute for Data Science at New Jersey Institute of Technology.

Bader, who has worked on research projects with Nvidia in the past, said the computer appears to be able to handle enough data and information to train the biggest and most cutting-edge models. He told CNBC that Anthropic, Google, Amazon and others “would pay $100 million to build a supercomputer for training” to get a system with these sorts of capabilities.

For $3,000, users can soon get a product they can plug into a standard electrical outlet in their home or office, Bader said. It’s particularly exciting for academics, who have often left for private industry in order to access bigger and more powerful computers, he said.

“Any student who is able to have one of these systems that cost roughly the same as a high-end laptop or gaming laptop, they’ll be able to do the same research and build the same models,” Bader said.

Reitzes said the computer may be Nvidia’s first move into the $50 billion market for PC and laptop chips.

“It’s not too hard to imagine it would be easy to just do it all themselves and allow the system to run Windows someday,” Reitzes wrote. “But I guess they don’t want to step on too many toes.”

Huang didn’t rule out that possibility when asked about it by Wall Street analysts on Tuesday.

He said that MediaTek may be able to sell the GB10 chip to other computer makers in the market. He made sure to leave some mystery in the air.

“Obviously, we have plans,” Huang said.


Elon Musk promotes far-right Alternative for Germany candidate, hosts discussion on X


Alice Weidel, co-leader of the far-right Alternative for Germany (AfD) political party, arrives to speak to the media with AfD co-leader Tino Chrupalla shortly after the AfD leadership confirmed Weidel as the party’s candidate for chancellor on December 07, 2024 in Berlin, Germany. 

Maryam Majd | Getty Images

Elon Musk used his social network X to promote Germany’s far-right Alternative for Germany party, known as AfD, hosting a live discussion Thursday with party leader Alice Weidel, a candidate for chancellor, ahead of a general election on Feb. 23.

“I’m really strongly recommending that people vote for AfD,” Musk, who is CEO of Tesla and SpaceX in addition to his role at X, said about a half hour into the conversation. “That’s my strong recommendation.”

The AfD has been classified as a “suspected extremist organization” by German domestic intelligence services. The party’s platform calls for rigid asylum laws, mass deportations, cuts to social and welfare support in Germany, and the reversal of restrictions on combustion engine vehicles.

Thierry Breton, former European Union commissioner for the internal market, said in a Jan. 4 post on X directed at Weidel: “As a European citizen concerned with the proper use of systemic platforms authorized to operate in the EU … especially to protect our democratic rules against illegal or misbehavior during election times, I believe it’s crucial to remind you” that a live discussion on X would give AfD and Weidel “a significant and valuable advantage over your competitors.”

While AfD has amassed about 20% of public support, according to reporting from broadcaster DW, the party is unlikely to form part of a coalition government, as most other parties have vowed not to work with it.

AfD previously protested the build-out of Tesla’s electric vehicle factory outside Berlin, in part because the factory would provide jobs to people who were not German citizens.

Musk’s earlier endorsements of AfD, including tweets complimenting the party and an editorial in a German newspaper, have enraged European government officials. Musk, the wealthiest person in the world, has also endorsed far-right and anti-establishment candidates and causes in the U.K.

Political leaders in France, Germany, Norway and the U.K. denounced his influence, NBC News previously reported, warning that Musk should not involve himself in their countries’ elections. 

Musk, who was one of President-elect Donald Trump’s top backers in November’s election, previously promoted Trump in a live-streamed discussion on X. Before that, he hosted a conversation with Florida Gov. Ron DeSantis, who lost to Trump in the Republican primary.

Weidel during Thursday’s talk asked Musk about what Trump might do to bring Russia’s war in Ukraine to a conclusion, as the president-elect has suggested he could quickly do.

Musk demurred.

“To be clear this is up to President Trump, he is commander in chief, so it’s really up to him,” Musk said. “I don’t want to speak for him but you know I do think that there is a path to a resolution but it does require strong leadership in the United States to get this done.”

Musk also weighed in on what he thought should be done in Gaza, which has been under attack from Israel since Hamas’ deadly incursion into Israel on Oct. 7, 2023.

“There’s no choice but to eliminate those who wish to eliminate the state of Israel, you know Hamas essentially,” Musk said. “Then, the second step is to fix the education so that Palestinians are not trained from when they are children to hate and want the death of Israel.”

“Then, the third thing, which is also very important, is to make the Palestinian areas prosperous.”

— CNBC’s Sophie Kiderlin contributed to this report.
