The ransomware reality in 2021

While many industries suffered in 2020 with the ongoing health crisis, cyber crime, and ransomware in particular, grew significantly. With more time spent online by individuals, and the switch to remote working for many businesses, bad actors recognised the opportunities for increased cyber attacks and grabbed them with both hands. The bad news - this trend is going nowhere in 2021.

Ransomware is now a billion dollar industry, fuelled by hacking groups adopting old and new technologies and techniques to exploit vulnerabilities in an increasingly professional way, targeting some of the biggest businesses in the world.

Ransomware has evolved from its relatively ineffective inception with the AIDS Trojan in 1989 to sophisticated, incredibly damaging attacks such as the WannaCry worm in 2017 and the Maze malware in 2019.

In the last year alone, the global navigation technology firm Garmin suffered a $10m ransom attack from WastedLocker operators, and the University of California at San Francisco (UCSF) confirmed a payment of $1.14m, a partial ransom demand, to recover files locked down by a ransomware infection in June. Cyberpunk 2077 game developer CD Projekt Red became a victim as cyber criminals stole the source code for the popular game and threatened to leak it online.

Corporate entities have not been the only targets. In fact, smaller startups can be at greater risk, because they tend to run lean operations, employing a small number of generalists who wear many hats. This means they are less likely to have a team of security experts within the company with advanced knowledge of how to protect themselves against cyber attacks or mitigate the consequences of one.

To stay one step ahead, bad actors are using new methods to carry out attacks. Many cyber criminals now use a double extortion technique, which is intended to force victims of ransomware attacks to give in and pay the ransom (often demanded in bitcoin) rather than wait and restore the impacted network from backups.

For startups working with detailed personal information, the prospect of sensitive and private data leaking online is particularly worrying and has led to companies paying the ransom fees to cyber criminals.

The rise in attacks has not gone unnoticed, and the issue of paying ransomware demands is now under legal and political scrutiny in 2021.

In October, the US Treasury’s Office of Foreign Assets Control (OFAC) issued new guidance to companies on ransomware payments by victims. The advice states that payments could be violating OFAC regulations, as well as encouraging further attacks from bad actors.

OFAC also warned that it may impose civil penalties for sanctions violations arising from ransom payments on a ‘strict liability’ basis. This means that anyone found to be in breach may be held liable, even if they were unaware that the payment had broken US sanctions law.

As well as the US, other western regulators are turning their attention to ransom payments. It is an increasing political concern that these payments are ending up in the hands of hacking groups backed by states or even terrorist groups.

This move from OFAC has placed startups in a very difficult position. If they succumb to the cyber criminals and pay the ransom, they could be in breach of US law.

But in respecting the position of OFAC, businesses from all sectors run the risk of their intellectual property leaking, customer records being exposed, and IT systems failing. For small businesses without access to substantial funds (or the necessary expertise in IT, legal and reputation management), either option could spell the end of their operations.

It’s fair to treat cyber security breaches in general as a certainty in the lifetime of a startup, rather than hoping for the best and getting caught out.

Avoiding ransomware attacks is a complex task, and startups should consider regular data backups as a proactive strategy against double extortion techniques. Elsewhere, attention should be paid to preventing malware spreading between devices, protecting remote access devices, securing wider networks and adapting network segmentation to stop the spread of malware.

Current advice for all businesses is to involve law enforcement at the earliest possible stage. There is no guarantee that paying the ransom to cyber criminals will deliver the stolen data, or prevent it from leaking – and the payment could be fuelling further ransom attacks.

However, we must ask if this current legal position and political advice from OFAC is enough to slow down the ransomware economy.

The law has not yet caught up with all the complexities of cyber crime, but working together to share insights into attacks, and enabling other organisations to benefit from those lessons, is a key step in combating ransomware.

Continuing at the current pace risks more businesses falling victim to these attacks, ransom demands rising, and consumers being hit with data leaks.