Banning Ransomware Payments Will Do More Harm Than Good

It’s simple: we don’t seem to be able to stop ransomware attacks, so what if we banned ransomware payments?

The logic is that if organizations are forbidden from paying ransoms, the ransomware industry would be starved of easy money, and crumble. This is dangerously naive. Rather than a smart piece of lateral thinking, it fails to consider the effect ransomware has on small and medium enterprises (SMEs), and would have many unintended consequences.

That hasn’t stopped some, including the US government, considering such a move. It’s a topic that comes around every few months, often after a big incident, and this time thanks to a comment from the former head of the UK’s National Cyber Security Centre (NCSC), Ciaran Martin. But while it’s always tempting to do something rather than nothing, it’s worth thinking about what such a ban would mean.

A Two-Tier System

There’s a simple principle behind the idea of a ransom payments ban. If a group knows you cannot pay out, then you are much less likely to be targeted. A company banned from paying out is effectively the same as one with no means to pay out. There’s a reason why, in more traditional ransom situations, the target has a rich family to pay out. There’s no reason to ransom someone without the means to pay up.

If we consider this carefully, a ban would affect some businesses differently from others. For large multinational businesses, would the ban be effective at all? Regulation would only be effective within national borders, making it possible for multinationals to pay a ransom elsewhere if necessary.

Would this be enough for ransomware gangs to give up on smaller businesses and target larger corporations? Perhaps not. Bigger businesses tend to have much better cybersecurity protection, while SMEs are much less likely to have backups of vital data and systems.

In reality, SMEs would still be a target, but one without an alternative path to recovering their data. While bigger businesses have the resources to stop an attack, and have options if something goes wrong, SMEs are more vulnerable and out of options.

What happens when a business cannot legally pay a ransom? One of two things – it will either go out of business or pay the ransom illegally. By driving this activity underground, the unintended consequences kick in.

There may be opportunities for blackmail after payment is made. The ransom attack won’t be reported. Customers that have had their data stolen will be none the wiser, putting them at risk as they use compromised details. The agencies tasked with preventing cybercrime will have less visibility of ransomware activity. We could see ransomware stats fall… but have no idea if any ban on ransomware payments is actually effective.

And what about critical national infrastructure (CNI)? Are vital services such as energy and healthcare allowed an exemption in the case that the alternatives are pay or risk loss of life? If the law has this exemption, aren’t we asking criminals to hit CNI with everything they’ve got to ensure a payout? As is so often the case with simple solutions, it’s not as simple as it first appears.

What Can Be Done to Aid Ransomware Recovery?

This isn’t to say there aren’t policies and actions that help, though solving the problem completely may be some distance away.

Better than a ban on ransom payments would be policies that support businesses in enhancing their cybersecurity infrastructure and provide clear recovery pathways after an attack. This would include frameworks for government support akin to disaster relief efforts, offering a lifeline to businesses devastated by cyber-attacks.

Without support from the government or law enforcement, SMEs will take the easiest route to save their livelihood – paying ransomware attackers. With a ban, this would still happen. Without a ban, and with policies that help, SMEs are likely to be more transparent.

If we are going to create laws, they should perhaps set a minimum level of cybersecurity, with varying levels depending on the size of a business and its sector. While some businesses may find it difficult to increase their cyber spend, providing incentives and support for exceptional circumstances could help.

Older businesses, those that have dragged the same tech stack from the 90s into the modern day, may be more at risk and require more help. A mixture of stick and carrot is likely to be most effective.

Insurance plays a critical role. The cyber insurance industry incentivizes organizations to improve their security, only covering those businesses with the right protection in place. Just as drivers are required to be insured before driving, maybe governments should make cyber insurance a requirement with minimum standards of protection to ensure cover.

The debate on ransomware payments is not black and white, and there is often no simple solution to a complex problem.

The focus should be on fostering a resilient cybersecurity ecosystem, supporting victims, and dismantling the economic incentives for attackers. Those who believe the solution to ransomware is straightforward may not fully understand the depth and complexity of the issue. 
