Cybersecurity - Blue 789 News (https://blue789news.online/tag/cybersecurity/)

‘That must end’: U.S. government urges new practices as ransomware payments fuel endless cycle of cyberattacks

Fri, 18 Oct 2024 15:37:17 +0000
https://blue789news.online/2024/10/18/that-must-end-u-s-government-urges-new-practices-as-ransomware-payments-fuel-endless-cycle-of-cyberattacks/

Anne Neuberger, deputy national security advisor for cyber and emerging technologies, speaks during a news conference in the James S. Brady Press Briefing Room at the White House in Washington, D.C., U.S., on Monday, May 10, 2021 amid the Colonial fuel pipeline ransomware attack.

Bloomberg | Bloomberg | Getty Images

With ransomware attacks surging and 2024 on track to be one of the worst years on record, U.S. officials are seeking ways to counter the threat, in some cases, urging a new approach to ransom payments.

Anne Neuberger, U.S. deputy national security adviser for cyber and emerging technologies, wrote in a recent Financial Times opinion piece that insurance policies — especially those covering ransomware payment reimbursements — are fueling the very criminal ecosystems they seek to mitigate. “This is a troubling practice that must end,” she wrote, advocating for stricter cybersecurity requirements as a condition for coverage to discourage ransom payments.

Zeroing in on cyber insurance as a key area for reform comes as the U.S. government scrambles to find ways to disrupt ransomware networks. According to the latest report by the Office of the Director of National Intelligence, by mid-2024 more than 2,300 incidents already had been recorded — nearly half targeting U.S. organizations — suggesting that 2024 could exceed the 4,506 attacks recorded globally in 2023.

Yet even as policymakers scrutinize insurance practices and explore broader measures to disrupt ransomware operations, businesses are still left to grapple with the immediate question when they are under attack: Pay the ransom and potentially incentivize future attacks or refuse and risk further damage.

For many organizations, deciding whether to pay a ransom is a difficult and urgent decision. “In 2024, I attended a briefing by the FBI where they continued to advise against paying a ransom,” said Paul Underwood, vice president of security at IT services company Neovera. “However, after making that statement, they said that they understand that it’s a business decision and that when companies make that decision, it is taking into account many more factors than just ethics and good business practices. Even the FBI understood that businesses need to do whatever it takes to get back to operations,” Underwood said.

The FBI declined to comment.

“There’s no black or white here,” said cybersecurity expert Bryan Hornung, CEO of Xact IT Solutions. “There’s so many things that go into play when it comes to making the decision on whether you’re even going to entertain paying the ransom,” he said.

The urgency to restore operations can push businesses into making decisions they may not be prepared for, as does the fear of increasing damage. “The longer something goes on, the bigger the blast radius,” Hornung said. “I’ve been in rooms with CEOs who swore they’d never pay, only to reverse course when faced with prolonged downtime.”  

In addition to operational downtime, the potential exposure of sensitive data — especially if it involves customers, employees, or partners — creates heightened fear and urgency. Organizations not only face the possibility of immediate reputational damage but also class-action lawsuits from affected individuals, with the cost of litigation and settlements in some cases far outweighing the ransom demand, and driving companies to pay just to contain the fallout.

“There are lawyers out there who know how to put together class-action lawsuits based on what’s on the dark web,” Hornung said. “They have teams that find information that’s been leaked — driver’s licenses, Social Security numbers, health information — and they contact these people and tell them it’s out there. Next thing you know, you’re defending a multimillion-dollar class-action lawsuit.”  

Ransom demands, data leaks, and legal settlements

A notable example is Lehigh Valley Health Network. In 2023, the Pennsylvania-based hospital refused to pay the $5 million ransom to the ALPHV/BlackCat gang, leading to a data leak affecting 134,000 patients on the dark web, including nude photos of about 600 breast cancer patients. The fallout was severe, resulting in a class-action lawsuit, which claimed that “while LVHN is publicly patting itself on the back for standing up to these hackers and refusing to meet their ransom demands, they are consciously and internationally ignoring the real victims.”

LVHN agreed to settle the case for $65 million.

Similarly, background-check giant National Public Data is facing multiple class-action lawsuits, along with more than 20 states levying civil rights violations and possible fines by the Federal Trade Commission, after a hacker posted NPD’s database of 2.7 billion records on the dark web in April. The data included 272 million Social Security numbers, as well as full names, addresses, phone numbers and other personal data of both living and deceased individuals. The hacker group allegedly demanded a ransom to return the stolen data, though it remains unclear whether NPD paid it.

What is clear, though, is that the NPD did not immediately report the incident. Consequently, its slow and incomplete response — especially its failure to provide identity theft protection to victims — resulted in a number of legal issues, leading its parent company, Jerico Pictures, to file for Chapter 11 on Oct. 2.

NPD did not respond to requests for comment.

Darren Williams, founder of BlackFog, a cybersecurity firm that specializes in ransomware prevention and cyber warfare, is firmly against paying ransoms. In his view, paying encourages more attacks, and once sensitive data has been exfiltrated, “it is gone forever,” he said.

Even when companies choose to pay, there’s no certainty the data will remain secure. UnitedHealth Group experienced this firsthand after its subsidiary, Change Healthcare, was hit by the ALPHV/BlackCat ransom group in April 2023. Despite paying the $22 million ransom to prevent a data leak and quickly restore operations, a second hacker group, RansomHub, angry that ALPHV/BlackCat failed to distribute the ransom to its affiliates, accessed the stolen data and demanded an additional ransom payment from Change Healthcare. While Change Healthcare hasn’t reported if it paid, the fact that the stolen data was eventually leaked on the dark web indicates their demands most likely were not met.

The fear that a ransom payment may fund hostile organizations or even violate sanctions, given the links between many cybercriminals and geopolitical enemies of the U.S., makes the decision even more precarious. For example, according to a Comparitech Ransomware Roundup, when LoanDepot was attacked by the ALPHV/BlackCat group in January, the company refused to pay the $6 million ransom demand, opting instead to pay the projected $12 million to $17 million in recovery costs. The choice was primarily motivated by concerns about funding criminal groups with potential geopolitical ties. The attack affected around 17 million customers, leaving them unable to access their accounts or make payments, and in the end, customers still filed class-action lawsuits against LoanDepot, alleging negligence and breach of contract.


Regulatory scrutiny adds another layer of complexity to the decision-making process, according to Richard Caralli, a cybersecurity expert at Axio.

On the one hand, recently implemented SEC reporting requirements, which mandate disclosures about cyber incidents of material importance, as well as ransom payments and recovery efforts, may make companies less likely to pay because they fear legal action, reputational damage, or shareholder backlash. On the other hand, some companies may still opt to pay to prioritize a quick recovery, even if it means facing those consequences later.

“The SEC reporting requirements have certainly had an effect on the way in which organizations address ransomware,” Caralli said. “Being subjected to the consequences of ransomware alone is tricky to navigate with customers, business partners, and other stakeholders, as organizations must expose their weaknesses and lack of preparedness.” 

With the passage of the Cyber Incident Reporting for Critical Infrastructure Act, set to go into effect around October 2025, many non-SEC regulated organizations will soon face similar pressures. Under this ruling, companies in critical infrastructure sectors — which are often small and mid-sized entities — will be obligated to disclose any ransomware payments, further intensifying the challenges of handling these attacks.

Cybercriminals are changing the nature of data attacks

As fast as cyber defenses improve, cybercriminals are even quicker to adapt.

“Training, awareness, defensive techniques, and not paying all contribute to the reduction of attacks. However, it is very likely that more sophisticated hackers will find other ways to disrupt businesses,” Underwood said.

A recent report from cyber extortion specialist Coveware highlights a significant shift in ransomware patterns.

While not an entirely new tactic, hackers are increasingly relying on data exfiltration-only attacks. That means sensitive information is stolen but not encrypted, meaning victims can still access their systems. It’s a response to the fact that companies have improved their backup capabilities and become better prepared to recover from encryption-based ransomware. The ransom is demanded not for recovering encrypted files but to prevent the stolen data from being released publicly or sold on the dark web.

New attacks by lone wolf actors and nascent criminal groups have emerged following the collapse of ALPHV/BlackCat and Lockbit, according to Coveware. These two ransomware gangs were among the most prolific, with LockBit believed to have been responsible for nearly 2,300 attacks and ALPHV/BlackCat over 1,000, 75% of which were in the U.S.

BlackCat executed a planned exit after pilfering the ransom owed to its affiliates in the Change Healthcare attack. Lockbit was taken down after an international law-enforcement operation seized its platforms, hacking tools, cryptocurrency accounts, and source codes. However, even though these operations have been disrupted, ransomware infrastructures are quickly rebuilt and rebranded under new names.

“Ransomware has one of the lowest barriers to entry for any type of crime,” said BlackFog’s Williams. “Other forms of crime carry significant risks, such as jail time and death. Now, with the ability to shop on the dark web and leverage the tools of some of the most successful gangs for a small fee, the risk-to-reward ratio is quite high.”

Making ransom a last resort

One point on which cybersecurity experts universally agree is that prevention is the ultimate solution.

As a benchmark, Hornung recommends businesses allocate between one percent and three percent of their top-line revenue toward cybersecurity, with sectors like health care and financial services, which handle highly sensitive data, at the higher end of this range. “If not, you’re going to be in trouble,” he said. “Until we can get businesses to do the right things to protect, detect, and respond to these events, companies are going to get hacked and we’re going to have to deal with this challenge.”

Additionally, proactive measures such as endpoint detection and response — a type of “security guard” on your computer that constantly looks for signs of unusual or suspicious activity and alerts you — or ransomware rollback, a backup feature that kicks in to undo the damage and get your files back if a hacker locks you out of your system, can minimize damage when an attack occurs, Underwood said.

A well-developed plan can help ensure that paying the ransom is a last resort, not the first option.

“Organizations tend to panic and have knee-jerk reactions to ransomware intrusions,” Caralli said. To avoid this, he stresses the importance of developing an incident response plan that outlines specific actions to take during a ransomware attack, including countermeasures such as reliable data backups and regular drills to ensure that recovery processes work in real-world scenarios.

Hornung says ransomware attacks — and the pressure to pay — will remain high. “Prevention is always cheaper than the cure,” he said, “but businesses are asleep at the wheel.”

The risk is not limited to large enterprises. “We work with a lot of small- and medium-sized businesses, and I say to them, ‘You’re not too small to be hacked. You’re just too small to be in the news.’”

If no organization paid the ransom, the financial benefit of ransomware attacks would be diminished, Underwood said. But he added that it wouldn’t stop hackers.

“It is probably safe to say that more organizations that do not pay would also cause attackers to stop trying or perhaps try other methods, such as stealing the data, searching for valuable assets, and selling it to interested parties,” he said. “A frustrated hacker may give up, or they will try alternative methods. They are, for the most part, on the offensive.”

Historic bitcoin theft tied to Connecticut kidnapping, luxury cars, $500K bar bills

Fri, 18 Oct 2024 00:07:38 +0000
https://blue789news.online/2024/10/18/historic-bitcoin-theft-tied-to-connecticut-kidnapping-luxury-cars-500k-bar-bills/

Jakub Porzycki | NurPhoto via Getty Images

Two young men accused of committing one of the largest person-to-person crypto thefts in U.S. history went on a brazen spending spree that included buying exotic cars and a $2 million wristwatch, renting mansions and running up nightclub tabs of hundreds of thousands of dollars apiece, new court records reveal.

The Aug. 18 cyber heist swindled a Washington, D.C., resident out of $230 million in cryptocurrency. To date, at least $100 million in bitcoin stolen from the victim remains unaccounted for, prosecutors said in a recent court filing in District of Columbia federal court.

Police now say that another crime, the mysterious Aug. 25 kidnapping of a Connecticut couple in broad daylight while they were house hunting, may be connected to the Washington crypto theft.

The couple was driving a Lamborghini they said was rented by their son at the time they were carjacked and abducted.

The accused kidnappers “targeted” the couple “because the co-conspirators believed the victims’ son had access to significant amounts of digital currency,” an indictment against the six defendants in that case says.

Those men, all from Florida, “planned to kidnap the victims … and hold the victims against their will at a house rented” by one of the men “and then demand payment in the form of digital currency from the son of [the couple] in return for the safety,” the indictment in Connecticut federal court says.

In addition to federal conspiracy and carjacking charges, the six men also face state criminal charges related to the kidnapping, which occurred a week after the heist of 4,100 bitcoins from the victim in Washington, D.C.

“I’ve never seen anything like this in 20 years,” Detective Sgt. Steven Castrovinci of the Danbury Police Department in Connecticut told CNBC.

The six Florida men charged in the kidnapping have not been charged in connection with the cryptocurrency theft. Nor has the unidentified son of the couple who was abducted.

“It’s amazing to see how this thing has grown legs,” Castrovinci said.

Danbury, Conn., police booking photos of suspects in Aug. 25, 2024, carjacking and kidnapping of local couple.

Source: Danbury Police Department

On Sept. 19, just a month after the crypto heist, the U.S. Attorney’s Office for the District of Columbia announced that the FBI had arrested two men — Malone Lam, 20, and Jeandiel Serrano, 21 — on conspiracy charges related to the alleged theft and subsequent laundering of the stolen bitcoin.

Serrano, who uses the online monikers “VersaceGod” and “@SkidStar,” was wearing a $500,000 watch at the time of his arrest in Los Angeles, where he lives, according to prosecutors.

Both men, who are being held without bail, admitted their role in the heist, prosecutors have said in court filings.

Serrano’s lawyer, Paulette Pagan, had no immediate comment on his case. CNBC has requested comment from a lawyer for Lam, a Singapore resident who had been living in L.A. and Miami after overstaying by months a visa waiver that allowed him to visit the U.S. as a tourist for just 90 days.

The scheme at the center of the bizarre case is “one of the largest cryptocurrency thefts from a private individual … in the history of the United States,” according to a federal court filing.

A cyber heist in Washington

A month before they were arrested, Serrano, Lam and other, unnamed, co-conspirators targeted a man in Washington “because they believed he held a considerable amount of virtual currency” after they “identified him as a high net-worth investor from the early days of cryptocurrency,” court filings say.

In early August, one co-conspirator caused an “unauthorized Google account access” notification to be sent to the victim, making it appear that the purported access attempts had occurred overseas, a court filing said.

“In reality, this was just the conspirators laying the groundwork for their imminent theft through sophisticated social engineering,” prosecutors wrote in a filing.

On Aug. 18, members of the conspiracy called the man, claiming they were from Google’s security team, and asking him about the recent unauthorized access attempts.

“Through a series of prompts and misrepresentations,” the co-conspirators managed to manipulate the man into giving them enough information to access his Google drive, “where they quickly located personal financial information, including the location of his virtual currency holdings with Gemini,” a crypto exchange, a filing said.

Serrano and other scheme participants then called the man back and Serrano posed as a member of Gemini’s support team, prosecutors said.

While he talked to the victim, Serrano and his co-conspirators were communicating with each other on the Discord and Telegram messaging apps, strategizing on ways to “manipulate the victim into providing private keys to his virtual currency holdings and enough computer access for the conspirators to steal his entire savings,” the filing said.

Screengrab of chat messages by alleged co-conspirators during August 2024 theft of $230 million in bitcoin of Washington, D.C. man.

United States District Court for the District of Columbia

The schemers then duped the man into downloading a program onto his computer to protect his Gemini holdings.

But the program actually gave the co-conspirators real-time access to the victim’s desktop, according to prosecutors.

“Serrano was eventually able to manipulate the victim into opening files with private keys to over 4,100 Bitcoin,” the court filing said.

“While Serrano continued to manipulate the victim, his co-conspirator used this access to quickly steal the entirety of the victim’s virtual currency holdings.”

Prosecutors said the co-conspirators split the theft’s proceeds five ways.

The schemers then used “sophisticated money laundering techniques to hide the proceeds and mask their identities,” a court filing alleges.

Serrano created an account on TradeOgre.com and deposited $29 million worth of cryptocurrency, “believing it to be clean and successfully laundered,” the filing said.

A spending spree in Los Angeles

While he used a virtual private network, or VPN, to mask his location when he accessed his account, Serrano had failed to use a VPN when he created the account.

“Records from TradeOgre show that the account was created from an IP address registered to Serrano’s $47,500 per month rental home in Encino, California,” the filing said.

By the time Serrano was identified by federal authorities, “he was already out of the country, vacationing in the Maldives,” the filing said.

“Meanwhile, his co-conspirator Malone Lam was spending hundreds of thousands of dollars per night at Los Angeles night clubs and amassing an impressive collection of custom Lamborghinis, Ferraris, and Porsches,” prosecutors wrote.

Encino, California, home rented by Jeandiel Serrano, defendant in $230 million bitcoin theft case.

United States District Court for the District of Columbia

Lam, a Singapore native who was arrested in Miami after traveling there from Los Angeles on a private jet, was renting multiple homes in Miami, according to the filing.

One mansion he rented there cost $68,000 per month, the filing said.

Lam, who used the online handles “Anne Hathaway” and “$$$,” had also purchased a watch for $2 million, and a Lamborghini Revuelto for more than $1 million, prosecutors said.

But “many of Lam’s vehicles have not been located as of yet, such as his Pagani Huayra that he purchased for $3,800,000,” prosecutors wrote.

In all, Lam “admitted to purchasing 31 luxury automobiles, 22 of which have yet to be recovered by law enforcement,” prosecutors wrote.

Lam “also admitted to doing additional hacks and making millions from those separate cryptocurrency fraud schemes, which he states have supported his entire lifestyle since arriving in the United States in October 2023,” prosecutors wrote.

Luxury automobiles owned by Malone Lam, defendant in $230 million bitcoin theft case.

United States District Court for the District of Columbia

“The three vehicles Serrano admitted to purchasing have also not yet been located.”

Federal government surveillance captured Lam on “a spending spree of the victim’s assets,” which included sightings of him “at Los Angeles nightclubs … and gifting handbags valued at tens of thousands of dollars,” a court filing says.

Management at L.A. nightclubs told investigators that Lam tried to pay his tabs in cryptocurrency “and was spending approximately $400,000-$500,000 per night,” the filing said. One receipt from an L.A. club showed Lam spent “$569,528.39 in one night,” the filing said.

After Serrano was arrested at Los Angeles International Airport on Sept. 18, when he returned from the Maldives with his girlfriend, an FBI agent interviewed that woman, who denied knowledge of Serrano’s involvement in crimes, according to a court filing.

“The interviewing FBI Agent told her that the only way to make the situation worse would be for her to call Serrano’s associates and tip them off to the arrest,” the filing noted.

“Immediately after leaving the interview, Serrano’s girlfriend promptly called his criminal associates, tipped them off to his arrest, and these associates in turn deleted their Telegram accounts and all incriminating evidence included in saved chats,” the filing said.

“To date, approximately $70,000,000 has been recovered or frozen on various exchanges,” prosecutors wrote in a court filing.

“Even considering the millions of dollars that Serrano and his co-conspirators spent on automobiles and jewelry, well over $100,000,000 remains unaccounted for.”

Serrano had about $20 million of the victim’s stolen bitcoin on his phone, and agreed to transfer those funds back to the FBI, according to a court filing.

A kidnapping in Connecticut

On Aug. 25, three weeks before Serrano and Lam were arrested, police in Danbury received multiple 911 calls reporting the abduction of a couple.

Court records and Castrovinci said the victims were driving a 2024 Lamborghini Urus, which they said had been rented by their son, when they were rear-ended by a white Honda Civic.

A work van then cut in front of the Lamborghini, and a half-dozen or so men wearing black masks surrounded the car.

The perpetrators pulled the two victims out of the car. The husband resisted, and the kidnappers punched him in the face and hit him with a baseball bat, authorities said.

“The suspects repeatedly told [the couple] that they would ‘kill them,’” FBI Agent Matthew Loucks wrote in an affidavit supporting a criminal complaint against the alleged kidnappers filed in U.S. District Court in Connecticut.

“The victims were pushed into the back of the work van and held down. The suspects then bound both victims’ arms and feet with silver duct tape, which they also used to cover [the husband’s] face. The suspects forced [his wife] to lie face down and ordered her not to look at them,” according to Loucks’ affidavit.

“The couple heard police sirens shortly after the van began moving, and heard one of the suspects yell, ‘Call Rick … we are in deep s—,’” according to the FBI agent. Shortly afterward, the van crashed and the suspects fled on foot, leaving the victims behind.

Police arrested four suspects later that day, and two more the following day. All six suspects are from the Miami area.

The couple, who were briefly hospitalized after the incident, had no idea why they had been targeted in the kidnapping, Castrovinci told CNBC.

“They kept asking us, ‘Why?’” Castrovinci said.

A family connection

Danbury police were already familiar with the couple who were abducted, Castrovinci said, because their home had been targeted by “swatting” calls.

Swatting is the practice of calling police and falsely reporting that a crime is occurring at someone else’s residence or business, often causing police to descend upon that location.


Castrovinci said they had suspected the swatting calls were being made by people who knew the couple’s son from his online gaming.

The Danbury News-Times first reported Oct. 11 that Danbury police had planned to interview the couple’s son but held off at the request of the FBI.

“We were contacted by the FBI and told there’s an ongoing investigation into the son in regards to a cryptocurrency theft that occurred,” Castrovinci told the newspaper.

“That’s how we knew — and even at that time, we didn’t really know to what extent he was involved in it. We just knew that there was an investigation into him regarding a crypto heist,” he said.

“I don’t know how (the six Florida men) knew this kid had that type of money, but everything leads to them going after the parents because of what this kid was involved in,” he told the newspaper.

A spokesman for the U.S. Attorney’s Office in Connecticut declined to comment when asked about the possible connection between the carjacking and kidnapping of the couple, and their son’s potential role in the August crypto heist.

The U.S. Attorney’s Office in the District of Columbia did not immediately respond to requests for comment.
The best password manager for 2024

Mon, 14 Oct 2024 09:00:37 +0000
https://blue789news.online/2024/10/14/the-best-password-manager-for-2024/

Think about your digital footprint. How many accounts have you created online since you first started using the internet? How many of those use the same passwords, so you have an easier time logging in? It’s a habit we’ve all fallen into, but it greatly weakens our ability to stay secure online. Just one password leak can compromise dozens of accounts.

A password manager can help you break that habit. It will do the tedious work of creating and storing unique passwords to improve your security posture without testing your memory. But there are dozens of password managers available now, so we tested nine of the best services to help you choose the right one for your needs. 1Password remains our top pick for the best password manager, thanks to its zero-knowledge policy, numerous security features and general ease of use, but there are other top password managers out there to consider as well.

1Password

Number of tiers: 4 | Pricing: $3/month for Individual, $5/month for Families, $20/month for Teams Starter Pack, $8/month per user for Business | Compatibility: macOS, iOS, Windows, Android, Linux, Chrome, Firefox, Safari, Brave, Edge, Command Line

Many security experts trust 1Password with their private information and, after testing it out, it’s clear why. The service includes industry-standard encryption, a “secret key” that only you know on top of your master password, a zero-knowledge policy under which the company itself holds no readable copy of your data, and other security features like frequent audits, two-factor authentication and a bug bounty program. That said, 1Password did fall victim to a recent cybersecurity incident that’s worth noting: it detected suspicious activity on its Okta instance, but an investigation “concluded that no 1Password user data was accessed.” 1Password now also supports passkeys, which are credentials stored on your most-used devices and protected by biometric authentication (like fingerprints or facial recognition) or PINs.

1Password has a pretty intuitive user interface across its desktop and mobile apps. A tutorial at setup helps you import passwords from other managers into 1Password so that you don’t feel like you’re starting over from scratch. It also clearly rates the strength of each password and has an “open and fill” option in the vault so that you can get into your desired site even more quickly. We also liked the user-friendly option to scan a setup code to connect your account to your mobile devices without too much tedious typing.

At $3 per month, the individual subscription comes with unlimited passwords, items and one gigabyte of document storage for your vault. It also lets you share passwords, credit card information and other saved credentials. If you upgrade to the family plan for $5 each month, you’ll get to invite up to five people (plus more for $1 each per month) to be a part of the vault.

Pros

  • Zero-knowledge policy
  • Intuitive user interface
  • Available across most platforms


Bitwarden

Number of tiers: 3 | Pricing: Free, $3/month per user for Teams Organization, $5/month per user for Enterprise Organization | Compatibility: macOS, iOS, Windows, Android, Linux, Chrome, Firefox, Safari, Brave, Edge, Vivaldi, Opera, Tor, DuckDuckGo for Mac, Command Line

Bitwarden’s free plan includes unlimited passwords on an unlimited number of devices, which is more than we’ve seen from some of its competitors. There are drawbacks, like only being able to share vault items with one other user, but we think that’s a fair tradeoff.

Bitwarden is based on open-source code, meaning anyone on GitHub can audit it, which is a good measure of security. On a personal level, it includes security audits of your information, like a data breach report, that keep you informed about when your passwords have been leaked and when it’s time to change them. Plus, it’s widely available across the platforms we tested, including Windows and iOS, with customization options, several ways to access your password vault and more. It also recently added passkeys to its vault and two-factor authentication options as a secure way to sign in.

Bitwarden may be the best free password manager, but it does have a paid version and we do think it’s worth it. At $10 annually for individuals or $40 for families, you unlock encrypted file storage, emergency access, unlimited sharing and more additional features. But the free version comes with the basics that can get anyone set up on password management easily.

Pros

  • Robust free version
  • Based on open-source code
  • Available across a wide variety of platforms
Cons

  • Free version can only share a vault with one other user


NordPass

Number of tiers: 3 | Pricing: Free, $2/month for Premium, $4/month for Family | Compatibility: macOS, iOS, Windows, Android, Linux, Chrome, Firefox, Safari, Opera, Edge

Across password managers we tested, cross-platform availability was relatively similar. Most are widely available across web browsers and different operating systems, including our other top picks on this list. But we wanted to give a nod to NordPass here because of how easy the service makes it to access your vault from any platform while keeping your data safe. NordPass even lets you use biometric data to sign in now, like your fingerprints or face, making it even easier to get into accounts across devices.

NordPass has a free option with unlimited passwords and syncs across devices. A $2-per-month premium plan keeps you logged in when switching devices, comes with security notifications and allows for item sharing. A family subscription comes with six premium accounts and only costs $4 per month. This makes it an excellent budget option as well. Besides the pairing code to connect accounts, NordPass is a pretty standard password manager. Scanning a code gets me from my laptop to mobile device to work computer super easily. If you’re constantly switching devices and those extra few seconds save your sanity, it’s worth considering.

Pros

  • Available across a wide variety of platforms
  • Relatively affordable
  • Allows for biometric logins


Dashlane

Number of tiers: 4 | Pricing: Free, $3/month for Advanced, $5/month for Premium, $7/month for Friends and Family | Compatibility: macOS, iOS, Android, Chrome, Firefox, Safari, Brave, Edge, Opera

Dashlane has four subscription options: a free user gets access to a single device with unlimited passwords; an advanced user pays $3 per month to get upgraded to unlimited devices and dark web monitoring; for $5 per month, a premium user also gets VPN access; and a $7.49-per-month family plan includes access for up to 10 subscribers.

It met all the criteria we looked for, but with a clear emphasis on sharing credentials. Dashlane highlights “secure sharing” starting at its free level, which is functionality that some competitors keep behind a paywall. Other free features, however, recently took a hit: Dashlane limited the number of passwords users of the free version can store. Access for up to 10 members in a family plan is one of the bigger plans we’ve seen as well. While we were testing it, password sharing seemed front of mind, with a tab dedicated to it in Dashlane’s browser extension. Arguably the biggest caveat here, though, is the lack of Linux support.

Pros

  • Easy to securely share information with others
  • Free version includes robust sharing features
Cons

  • Free version supports a limited number of passwords
  • No Linux support


It seems counterintuitive to store all your sensitive information in one place. One hack could mean you lose it all to an attacker and struggle for months or even years to rebuild your online presence, not to mention you may have to cancel credit cards and other accounts. But most experts in the field agree that password managers are a generally secure and safe way to keep track of your personal data, and the benefits of strong, complex passwords outweigh the possible risks.

The mechanics of keeping those passwords safe differ slightly from provider to provider. Generally, you have a lengthy, complex “master password” that safeguards the rest of your information. In some cases, you might also get a “security key” to enter when you log in on new devices. This is a random string of letters, numbers and symbols that the company gives you at sign up. Only you know this key, and because it’s stored locally on your device or printed out on paper, it’s harder for hackers to find.

These multiple layers of security make it difficult for an attacker to get into your vault even if your password manager provider experiences a breach. But the company should also follow a few security basics. A “zero-knowledge” policy means that the company keeps none of your data on file, so in the event of an attack, there’s nothing for hackers to find. Regular health checks like pentests and security audits are essential for keeping companies up to par on best practices, and other efforts like bug bounty programs or publishing the code as open source encourage constant vigilance for security flaws. Most password managers now also offer some level of encryption under the Advanced Encryption Standard (AES). AES 256-bit is the strongest, because it has the largest number of possible keys, but AES 128-bit or 192-bit are still good.
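To show why a locally stored security key on top of the master password matters when a vault leaks, here is an added example (not any vendor's actual scheme; the derivation, salt, iteration count and secret key are all constructed for illustration). It derives a vault key from the master password alone and from the password mixed with a device-held secret key, then simulates an attacker who has stolen only the vault's verifier and tries a short list of guesses.

```python
import hashlib
import hmac
import secrets
from typing import List, Optional, Tuple

# Constructed parameter for illustration; real products use their own, stronger settings.
PBKDF2_ITERATIONS = 50_000


def derive_vault_key(master_password: str, salt: bytes, secret_key: Optional[bytes] = None) -> bytes:
    """Derive a 256-bit vault key from the master password, optionally mixed with a
    locally held secret key. Hypothetical scheme: PBKDF2-HMAC-SHA256 over the password,
    then an HMAC keyed with the secret key, so both secrets are needed for the final key."""
    pw_key = hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"), salt,
                                 PBKDF2_ITERATIONS, dklen=32)
    if secret_key is None:
        return pw_key
    return hmac.new(secret_key, pw_key, "sha256").digest()


def make_verifier(vault_key: bytes) -> bytes:
    """What a leaked vault file or server record might hold: a hash of the key, not the key."""
    return hashlib.sha256(b"vault-key-verifier:" + vault_key).digest()


def offline_guess(verifier: bytes, salt: bytes, guesses: List[str],
                  secret_key: Optional[bytes] = None) -> Optional[str]:
    """Simulate an offline attack on a stolen salt + verifier: try each candidate master
    password and return the one that matches, or None if no candidate matches."""
    for candidate in guesses:
        derived = make_verifier(derive_vault_key(candidate, salt, secret_key))
        if hmac.compare_digest(derived, verifier):
            return candidate
    return None


def demo() -> Tuple[Optional[str], Optional[str], Optional[str]]:
    salt = b"constructed-salt-16"           # constructed; normally random per account
    master = "Myn@m3isB0b5m!th"             # the sample master password used on this page
    secret_key = secrets.token_bytes(16)    # 128 random bits created at signup, kept on the device
    guess_list = ["password123", "Myn@m3isB0b5m!th", "correcthorsebatterystaple"]

    # Master password only: a leaked verifier falls to any list that contains the password.
    pw_only_verifier = make_verifier(derive_vault_key(master, salt))
    found_pw_only = offline_guess(pw_only_verifier, salt, guess_list)

    # Master password + secret key: the same guess list fails without the device's key,
    # while the legitimate device (which holds the key) still unlocks the vault.
    two_secret_verifier = make_verifier(derive_vault_key(master, salt, secret_key))
    found_without_key = offline_guess(two_secret_verifier, salt, guess_list)
    found_with_key = offline_guess(two_secret_verifier, salt, guess_list, secret_key)
    return found_pw_only, found_without_key, found_with_key


if __name__ == "__main__":
    print(demo())  # ('Myn@m3isB0b5m!th', None, 'Myn@m3isB0b5m!th')
```

The second value is None because an attacker without the 128-bit secret key has no way to test master-password guesses against the verifier, which is the protection the paragraph above describes.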

You likely already use a password manager, even if you wouldn’t think to call it that. Most phones and web browsers include a log of saved credentials on the device, like the “passwords” keychain in the settings of an iPhone. That means you’ve probably seen the benefits of not having to memorize a large number of passwords or even type them out already.

While that’s a great way in, the downfall of these built-in options is that they tend to be device specific. If you rely on an Apple password manager, for example, that works if you’re totally in the Apple ecosystem, but you become limited once you get an Android tablet, said Lujo Bauer, professor of electrical and computer engineering, and of computer science, at Carnegie Mellon University. If you use different devices for work and personal use, want a secure option for sharing passwords with others, or just don’t want to be tied to one brand forever, a third-party password manager is usually worth it.

We tested password managers by downloading the apps for each of the nine contenders on iPhone, Android, Safari, Chrome and Firefox. That helped us better understand what platforms each manager was available on, and see how support differs across operating systems and browsers.

As we got set up with each, we took note of ease of use and how they iterated on the basic features of autofill and password generators. Nearly all password managers have these features, but some place limits on how much you can store while others give more control over creating easy-to-type yet complex passwords. From there, we looked at extra features like data-breach monitoring to understand which managers offered the most for your money.

Finally, we reviewed publicly available information about the security specs of each. This includes LastPass, which more experts are shying away from recommending after its recent breach. For the sake of this review, we’ve decided not to recommend LastPass at this time as fallout from the breach still comes to light. (The company disclosed a second incident earlier this year in which an unauthorized party accessed the company’s cloud storage, including sensitive data. Since then, hackers have stolen more than $4.4 million in cryptocurrency using private keys and other information stored in LastPass vaults.)

These are the password managers we tested:

For a while, security experts considered LastPass a solid choice for a password manager. It’s easy to use, has a slew of helpful extra features and its free version gives you a lot. But we decided not to include LastPass in our top picks because of the high profile data breaches it has experienced over the past couple of years.

Keeper met a lot of the basic criteria we tested for, like autofill options and cross-platform availability. We liked its family plan options, too, that can keep your whole household secure. But we didn’t think its extra features, like the encrypted messaging app, added much value. Plus, it has a self-destruct feature after five incorrect login attempts which, despite adding extra protection, could be a recipe for disaster for casual users.

Enpass works well as an affordable password manager. That includes an inflation-beating “lifetime” access pass instead of a monthly payment for users really committed to the service. Still, it was confusing to set up across devices and because Enpass stores data locally, as opposed to in the cloud, we struggled to get started with it on mobile.

Norton is a familiar name in security, so we were excited to test out its password manager. While it’s free, its features seem underdeveloped. It lacked password sharing, account recovery and the complex form-filling tools that come standard in many of the other password managers we tested.

LogMeOnce comes with a wide range of premium tiers, from professional to family, that include different levels of storage and features. But when we tested, it lacked some basic cross-platform availability that other password managers had already, like compatibility with Mac and Safari.

Using a password manager can enhance your online security. They store all of your complex passwords and autofill them as needed, so that you can have unique, good passwords across the web without remembering each of them yourself. In many cases, unique passwords are your first defense against attack, and a reliable manager makes it easier to keep track of them all.

Password managers are a secure way to store your credentials. Experts in the field generally agree that the benefits of accessibility when storing complex passwords outweigh the possibility of attack, like what happened with LastPass. But with any service, it can vary from provider to provider. You should look out for zero-knowledge policies, regular security audits, pentests, bug bounty programs and encryption when choosing the right secure password manager for you.

Think of password managers like virtual safe deposit boxes. They hold your valuables, in this case usually online credentials, in a section of the vault only accessible to you by security key or a master password. Most of these services have autofill features that make it convenient to log in to any site without needing to remember every password you have, and they keep your credit card information close for impulse purchases.

But given that passwords are one of the top ways to keep your online identity secure, the real value of password managers is staying safe online. “It’s just not possible without a password manager to have unique, long and hard-to-guess passwords,” Florian Schaub, an associate professor of information and of electrical engineering and computer science at the University of Michigan, said.

Common guidance states that secure passwords should be unique, with the longest number of characters allowed and uppercase letters, lowercase letters, numbers and special characters. This is the exact opposite of using one password everywhere, with minor variations depending on a site’s requirements. Think of how many online accounts and sites you have credentials for — it’s an impossible task to remember it all without somewhere to store passwords safely (especially in instances when you need to create a new password for any given account). Password managers are more readily accessible and offer the benefit of filling in those long passwords for you.

Given their universal benefit, pretty much everyone could use a password manager. They’re not just for the tech-savvy people or businesses anymore because so much sensitive information ends up online behind passwords, from our bank accounts to our Netflix watch history.

That’s the other perk of password managers: safe password sharing. Families, friends or roommates can use them to safely access joint accounts. Texting a password to someone isn’t secure, and you can help your family break the habit by starting to use one yourself, Lisa Plaggemier, executive director at National Cyber Security Alliance, said. Streaming is the obvious use case, but consider the shared bills, file storage and other sites you share access with the people around you as well.

Forgetting a master password won’t necessarily lock you out for good, but the recovery process varies from provider to provider. Some services give you a “security key” at sign up to enter when you log in on new devices. It can also be used to securely recover your account because it’s a random string of characters stored locally that only you have access to. Other services, however, have no way to recover your vault, so creating a master password that you won’t forget is important.

A good master password should be unique, with the longest number of characters allowed and uppercase letters, lowercase letters, numbers and special characters. Experts often recommend thinking of it as a “passphrase” instead of a “password” to make it easier to remember. For example, you can take a sentence like “My name is Bob Smith” and change it to “Myn@m3isB0b5m!th” to turn it into a secure master password that you won’t forget.

A passkey is a sort of digital identification that’s tied to your account on a given app or website. While that sounds like a password, there’s an important distinction: passkeys are two-part authenticators with two separate components, a private key stored locally on your device and a public key registered with the website or application. When logging in with a passkey, these two keys pair up and give you access to your account.


