Experts Clash Over Ransomware Payment Ban

Security experts have begun the year in combative mood after a leading security vendor called on the US government to ban ransomware payments.

Noted for its work in ransomware decryption, Emsisoft revealed new analysis this week claiming that 2207 US hospitals, schools and government entities were directly impacted by ransomware in 2023.

It argued that many more had been indirectly impacted via attacks on their supply chains, while thousands more private sector businesses were also likely to have suffered. It cited research estimating ransomware is likely to have killed about one American per month between 2016 and 2021.

Given the mounting economic and societal harm and risk to life posed by ransomware, Emsisoft argued that it’s time to take drastic action – noting that law enforcement, government and industry efforts have so far had minimal impact.

“Current counter-ransomware strategies amount to little more than building speed bumps and whacking moles. The reality is that we’re not going to defend our way out of this situation, and we’re not going to police our way out of it either,” argued Emsisoft threat analyst Brett Callow.

“For as long as ransomware payments remain lawful, cybercriminals will do whatever it takes to collect them. The only solution is to financially disincentivize attacks by completely prohibiting the payment of demands. At this point, a ban is the only approach that is likely to work.”

A Total Ban is Neither Possible Nor Essential

The firm dismissed the notion that a ban would force payments underground, especially from critical infrastructure providers like hospitals that have no other option, and that it would encourage threat actors to target these organizations.

“Were there to be a ban, we believe that bad actors would quickly pivot and move from high impact encryption-based attacks to other less disruptive forms of cybercrime. It would really make no sense for them to expend time and effort attacking organizations which could not pay,” Emsisoft argued.

“Additionally, bad actors already do attack healthcare providers, local governments, and other custodians of critical infrastructure – relentlessly, day in, day out – and it’s far from certain that they would have either the incentive or the resources to attack them any more frequently.”

The vendor claimed that a ban would not have to be watertight – it would only need to stop enough payments for ransomware to cease being profitable.

The Wrong Focus

Forescout VP and Europol special advisor Rik Ferguson agreed that a ransomware payment ban could force organizations to focus more on improving their security posture. But he argued that “further punishing the victim of a criminal act” is the wrong approach.

“We should be focusing on the financial systems that make the paper trail so opaque,” he explained in a LinkedIn post.

“We can hope that as emerging cryptocurrency regulations come into effect, the identities of both senders and receivers of cryptocurrency transactions will become clear, forcing criminals to think again about their cashing-out strategies.”

Where critical services are pushed offline or lives are at risk, organizations should always have the option to pay, Ferguson concluded.