Why Ransomware Payments Should Be Outlawed. (And Why They Shouldn’t Be)

Ransomware boom hits all-time high

The only way to hurt ransomware hijackers is in the wallet by making ransom payments illegal, some cybersecurity experts say. But what are the consequences of that? Will it hurt small businesses? Could it cause some businesses to shut down entirely?

While banning ransom payments is one way to thwart cyber extortionists, it is a problematic course to follow for all but a few organizations, others say.

The Push to Not Pay Ransom

Lawmakers have discussed and put forth bills to ban ransomware payments. However, as of right now it is still legal to pay the ransom in the U.S. Will it stay that way?

Is prohibiting ransom payments even possible given the number of moving parts that would need to coalesce? Last November, a U.S.-led international alliance of at least 40 countries vowed not to pay ransoms to cyber hijackers, lining up with efforts by some in private industry to push back on hackers’ demands to unlock their systems.

Indeed, the call for a counteroffensive by government entities has become louder. But this pledge is not legally binding, and it does not extend to private industry.

"As long as there is money flowing to ransomware criminals, this is a problem that will continue to grow," said Anne Neuberger, Deputy National Security Advisor for Cyber and Emerging Technologies, at a recent cybersecurity event.

The fallout from ransomware incidents in 2023 that threatened critical infrastructure, addled manufacturing and denied Americans access to critical services stemmed from financially motivated cyber attackers orchestrating systematic, worldwide digital hijackings.

In 2023, some 2,200 U.S. healthcare facilities, education institutions and governments at the federal, state and local level were directly impacted by ransomware, security firm Emsisoft calculated. Add in large supply chain attacks that led to even more incidents, compromising customers and businesses, and the number of incidents spikes dramatically upward.

Ransomware isn’t just a financial issue. It’s a people issue, too. From 2016 to 2021, ransomware attacks killed between 42 and 67 Medicare patients or upwards of one per month, according to Stat, a healthcare and medicine website. Many more have experienced extended hospital stays following a ransomware attack.

How Victims Can Fight Back

How do the victims fight back? So far, the answer has been to play defense by maintaining strong backups, reinforcing damage control, training employees, shutting down systems and networks and refusing to pay ransoms. In a few cases, declining to pay ransoms has saved organizations struck by ransomware. But in other incidents, files have not been unlocked or sensitive data has been uploaded to the dark web despite payments.

The best offensive answer left standing is to deem ransom payments to be illegal, Emsisoft said in a blog post.

But how could that be implemented? Would a financial fine for violating a law banning ransom payments be enough of a deterrent? And, what if non-compliant companies and governments were willing to pony up a fine in exchange for meeting a higher ransom demand but retaining their data? Would fines need to be higher than the actual ransom?

What the Experts Say

“Governments have formed task forces, international coalitions, and pledged at the federal level not to pay ransoms, while law enforcement has disrupted operations across the ransomware ecosystem, dismantled botnets, seized crypto assets, and made arrests,” said Emsisoft. 

It has worked to a degree, but the payoff for organizations that refuse to pay has been inconsistent.

Paying a ransom does not guarantee you will get your data back in whole or in part, Wayne Selk, CompTIA vice president of Cybersecurity Programs, told MSSP Alert. Governments are trying to crack down on paying the ransom as a means to “cut the head off the snake. Passing laws internationally may be the only way to accomplish the goal.”

At the same time, Selk said, “Businesses want to feel they have some control over the incident, and the trusting nature of humans is to believe paying the ransom will make everything okay. Unfortunately, bad people do exist, and they take great pleasure in exploiting that trust. Monies for ransom would be better served implementing better processes and programs to minimize the impact of ransomware.” 

Ransomware Ban: The Only Solution

Brett Callow, a threat analyst with Emsisoft, supports a ban. “Current counter-ransomware strategies amount to little more than building speed bumps and whacking moles,” he said. 

Callow added, “The reality is that we’re not going to defend our way out of this situation, and we’re not going to police our way out of it either. For as long as ransomware payments remain lawful, cybercriminals will do whatever it takes to collect them. The only solution is to financially disincentivize attacks by completely prohibiting the payment of demands. At this point, a ban is the only approach that is likely to work.” 

Ransomware Ban: SMBs Would Be Hurt the Most

However, were a ban on ransom payments codified into law, unintended consequences would likely result, Joseph Brunsman, founder and managing member of Brunsman Advisory Group, a Maryland-based cyber insurance consultancy, told MSSP Alert.

“An outright ban sounds good at face value, but the second and third order effects could prove economically and socially worse than paying the ransom,” he said. “There is a justifiable fear that banning ransom payments could force companies to choose between shutting down their business and livelihood, or surreptitiously making a payment with the hopes that none would be the wiser. In turn this would make gathering information on dealing with, and preventing ransomware, effectively impossible.” 

Large companies would likely be able to “weather the ransom-ban storm” through increased cybersecurity budgets, Brunsman said. But small businesses could face a “financial burden that could be passed onto consumers... a very unpopular and likely untenable move at the moment.”

For the time being, state and industry regulators, although admittedly moving slowly, will continue to require controls that deter the most serious of cyber incidents, according to Brunsman.

“The sooner organizations begin to take their cybersecurity seriously, the less likely they will fall victim to these attacks,” he said. “Yes, this sounds like we’re foregoing offense to play pure defense, but I see no other feasible alternative.”

D. Howard Kass

D. Howard Kass is a contributing editor to MSSP Alert. He brings a career in journalism and market research to the role. He has served as CRN News Editor, Dataquest Channel Analyst, and West Coast Senior Contributing Editor at Channelnomics. As the CEO of The Viewpoint Group, he led groundbreaking market research.