The Case For and Against Criminalizing Ransomware

Those who hold an interest in cybersecurity will not need to be told twice of the threat posed by ransomware. Last year was one of the most prolific on record for ransomware groups. According to Chainalysis, it accounted for financial gains of more than $350 million in 2020, a 331% increase over payments recorded in 2019. If there is a week that goes by without a ransomware incident making the headlines, it comes as something of a surprise.

Another related subject that has been at the forefront of debate in recent months is the contentious issue of ransomware payments. If companies are compliant, the excessive demands of hackers can be financially crippling. If they refuse, stolen data becomes vulnerable to public exposure and businesses can be subject to penalties from data protection authorities, as well as suffering reputational damage. With ransomware attacks skyrocketing, companies are increasingly turning to cyber insurance policies to recoup money paid to ransomware gangs. Unfortunately, this has created the perfect storm. Cyber-criminals are emboldened to launch ransomware attacks in the knowledge that many businesses now hold insurance policies. It has become something of a self-fulfilling prophecy – a vicious cycle. Unfortunately, ransomware is modern cybercrime’s killer tactic, so this problem is only going to get worse.

Earlier this year, the former CEO of the UK National Cyber Security Centre (NCSC), Ciaran Martin, spoke on the ransomware issue, arguing that it is being fuelled because there is no legal barrier to ransomware victims paying and then claiming back the expense on insurance. He argues that this means victims are incentivized to pay and believes that the time has come to look at changing the law on insurance to ban ransomware payments. This debate is likely to continue to divide opinion, but there is no doubt that paying ransoms is a fundamental reason why ransomware has increased in recent years. Whatever decision is made, it is certainly worth evaluating the implications of criminalizing payments, and weighing up the pros and cons.

Let’s first look at the reasons why ransomware payments should be made illegal. First, the obvious. Ransomware payments essentially fund cybercrime, and this is why ransomware attacks are becoming more common. There is no doubt that paying out leads to more attacks. There is also no guarantee that, after paying, hackers will release the data or cease to hold the organization to ransom. It could, in the worst case scenario, even result in further demands. Upon paying, there is no way of knowing whether hackers will withhold the decryption keys needed to unlock files or even conceal backdoors that will allow them to return at a later date to extort yet more payments. Cyber-space is highly unregulated, and cyber-criminals are responsive and agile, so it would be very bold indeed to assert that such a response on its own would be enough to eliminate the threat.

On the other hand, criminalizing the victim seems highly counter intuitive. We’re talking about a very harsh response to a prolific problem, which would undoubtedly result in business casualties in the short term. For many victims, paying the ransom is the only hope of getting data back and avoiding potentially crippling financial and reputational penalties. Looking at it from a law enforcement point of view, it could also be very difficult to impose the rule of law. How do you prove that an organization has paid the ransom? This could lead to organizations not properly disclosing breaches to prevent law authorities from becoming involved and protecting the option to make the ransomware payment secretly as a last resort.

While authorities and experts debate the issue, organizations must focus on understanding the evolving ecosystem of ransomware, and how to alleviate its risks. The focus should be on remediation plans, so the impact of a ransomware attack is reduced and therefore the compulsion to pay diminishes. To this end, simple steps to reduce the likelihood and the impact of an attack can be implemented.

For instance, organizations should avoid opening attachments or clicking on links unless they are known to be from a legitimate source. Systems must be kept up to date with new software patches and the latest versions of malware protection. Employees should be proactively monitoring network activity to identify and remove malware and phishing, which are common vehicles for ransomware. And finally, organizations must keep backups should the worst happen, and have a well understood incident response plan.

The ransomware problem is not going to go away anytime soon, and neither is the debate around criminalizing payments. All that organizations can do is ensure that they have the most robust combination of people, process and technology to prevent or, should the worst happen, react to ransomware incidents.

What’s Hot on Infosecurity Magazine?