Would Making Ransom Payments Illegal Result in Fewer Attacks?

COMMENTARY

Ransomware and other malware attacks are among the top three types of security incidents that organizations experience, according to Netwrix's "2024 Hybrid Security Trends Report." In a bid to curb this menace, for several years now there have been discussions around a radical approach: making ransomware payments illegal. The rationale is straightforward. If paying a ransom is prohibited, organizations won't do it — thus eliminating the incentive for cybercriminals to launch ransomware attacks. Problem solved. Or is it?

All Ransoms Are Not Equal

We must first recognize that there are multiple types of extortion. Ransomware is generally different from physical extortion cases like kidnappings, hostage situations, and threats of violence against individuals or public spaces. However, a ransomware attack, for example, on a hospital, literally endangers patients' lives. 

In scenarios where human lives are directly at stake, the ethical and legal considerations surrounding ransom payments are more complex than a simple ban allows for. Given the adaptability and resourcefulness of ransomware attackers, it is highly likely that they will push the boundaries of such a ban and test the limits of enforcement. As a result, a blanket ban on all ransom payments could force decision-makers into impossible moral dilemmas.

The Law of Unintended Consequences

Let's suppose for a moment that ransom payments have been legally prohibited, and a ransomware attack has just crippled your business. You need to get back online quickly or your business may go under. While the law forbids you from paying the ransom, enforcement agencies cannot stop what they don't know about. Almost certainly, some companies would quietly pay the ransom and simply not report the incident. This hesitancy to report attacks affects visibility into the actual scope of the problem and hinders law enforcement from acting accordingly. If the challenge is unknown, it cannot be addressed. 

In addition, there would be a disproportionate impact on small and medium-sized businesses. While large organizations might possess the resources to endure a ransomware attack without caving in to ransom demands, small businesses could face existential threats. A blanket ban on ransom payments could leave them in a precarious position of having to choose between resorting to illegal payments or risking going out of business.

Case in Point: Cyber Insurance 

No legislative action or policy change occurs in isolation; it inevitably has ripple effects and unintended consequences. Cyber insurance provides a prime example in the arena of ransomware. By securing a cyber-insurance policy, businesses aim to protect themselves from the financial fallout of a ransomware attack, as the insurance provider would cover the ransom payment. 

Indeed, this is how it worked just several years ago. However, cybercriminals quickly recognized that insured organizations are more likely to pay ransoms, since their insurance company covers these expenses. It is reasonable to assume that threat actors started conducting reconnaissance on the cyber-insurance coverage of potential victims to tailor their attacks and maximize their profits. This is how cyber insurance might have contributed to the growth of the ransomware epidemic. 

Currently, one can hardly find an insurance company ready to reimburse the ransom payment.

A Better Model: Follow the Banking Industry

Bank robberies were once a prevalent threat, but they have significantly declined in recent decades. This reduction was not achieved by banning bank tellers from handing over cash. Instead, banks have adopted a multifaceted approach to mitigate the risk. To deter potential robbers, they use measures such as reduced cash handling, time-lock safes, enhanced security cameras, and alarm systems. Dye packs, decoy money, and GPS trackers reduce the risk of financial loss in cases where cash is ultimately handed over. What's more, appropriate security measures are a must to obtain and keep the license to operate. 

A similar approach may prove equally effective for other high-risk industries. Governments can establish cybersecurity benchmarks and recommend risk mitigation strategies, just as they have for the public sector and critical infrastructure. Such standards offer essential guidance for organizations that lack the strategic leadership necessary to develop an effective ransomware defense strategy independently. 

Finally, law enforcement agencies take their share of the responsibility and increase international collaboration to dismantle ransomware networks. The benefits of this approach are already paying off, as evidenced by the recent takedown of the LockBit ransomware gang. Agencies from more than half a dozen countries issued a detailed joint cybersecurity advisory that outlined LockBit's tactics and tools. They also seized some of the group's attack assets, significantly hindering their ability to initiate attacks.

Conclusion

Frustration is understandable as ransomware attacks continue around the globe, but simply denying victim organizations the option of paying the ransom is neither realistic nor practical. There will always be exceptions to the law, and unanticipated repercussions could make the cure worse than the disease. Instead, an effective response will require organizations to take greater responsibility for cybersecurity and government agencies to engage in good old-fashioned police work. This strategy may not be as straightforward as a ban on ransom payments, but the war against ransomware is winnable through a comprehensive, nuanced approach.