Ransomware Experts See Problems With Banning Ransom Payments

To end the scourge of ransomware, one easy solution seems perennially obvious: Dry up the extortion pipeline by banning victims from paying.

See Also: Live Webinar | Securing the Cloud: Mitigating Vulnerabilities for Government

While a ban might sound fine in theory, open questions remain about the effects this might have on cybercrime, such as whether it would alter attackers’ behavior or lead to unforeseen consequences, according to an expert-filled panel discussion hosted Thursday by the Institute for Security and Technology.

“There is so much work to do before we get to a ban,” said panelist Sezaneh Seymour, head of regulatory risk and policy at cyber insurer Coalition, who previously served on the U.S. National Security Council.

Despite Western governments encouraging better business resilience and tasking more law enforcement resources to battle ransomware, ransomware attacks continue to pummel critical infrastructure sectors, apparently racking up more victims and higher criminal profits than ever before.

In April 2021, the IST launched a Ransomware Task Force aimed at coordinating the public and private approach to better combating to such attacks. The task force has not recommended banning ransomware payments. Rather, it has detailed 15 prerequisites that encompass “ecosystem preparedness, deterrence, disruption and response” – areas it deems as essential before trying to phase in any type of ban.

How to Improve Transparency?

One policymaking challenge remains a lack of insight into how and when hackers attack organizations, as well as when victims pay, said Allan Liska, a threat intelligence analyst at Recorded Future.

The world needs “a better reporting regimen” to assess the current state of affairs and to measure the impact of any fresh policy moves, he said. “We don’t necessarily have to name each individual victim, but we need to share what the true scope of the problem is, because right now, we rely too often on bad guys to give us the numbers of victims.”

Multiple panelists emphasized the need for greater transparency to bolster any attempt to craft fresh policies. “Sunlight is the best disinfectant,” said panelist Bill Siegel, CEO of ransomware incident response firm Coveware.

Will Criminals Care?

While banning ransom payments might seem to be a black-and-white policy move, exceptions would likely apply, such as complying with the sanctions list maintained by the U.S. Department of the Treasury’s Office of Foreign Assets Control, Seymour said. The nation’s most critical of critical infrastructure – such as hospitals – would likely sometimes still be granted an exemption to pay, especially if lives are at risk, and criminals might quickly discern this pattern.

Seymour said her “personal view” is that criminals “will adapt, and will turn their attention to those entities that are most likely to receive an exception to pay, and that will likely result in increased attacks on the very infrastructure that a ban really seeks to protect.”

What’s the Risk?

Another question related to a ban: What happens if a victim violates it?

Siegel, who said his firm charges a flat fee to assist organizations – meaning it takes no cut of any ransom that is paid – said that a ban could force executives into choosing whether to stay on the right side of the law and let their company going bankrupt or violate the ban and risk paying a civil penalty. He said executives would choose the option that keeps them in business.

“By essentially creating this ban, you’re ignoring the fact that it’s not going to change the victim’s behavior,” he said. “They’re just going to go underground. There will be an illegal market that will spawn immediately. It actually already exists today. It’s just a cottage of firms that claim they can ‘crack the encryption’ that every supercomputer in the world can’t actually crack,” meaning they’re just acting as cut-outs for negotiating with criminals and obtaining a decryptor.

“Those types of vendors will explode, and the victims will go there,” Siegel said, which would have the added effect of removing “the visibility that the U.S. government is just starting to get” into ransomware attacks. “Because those companies are not going to report this, obviously. They’re not going to self-report and get themselves in trouble.”

Would a Ban Reduce Attacks?

One oft-stated impetus for banning ransom payments is to kill attackers’ cash cow, thereby driving a decline in attacks.

The state governments of North Carolina and Florida have banned public entities from paying a ransom, and “that has not slowed down ransomware attacks against public entities in those two states,” Recorded Future’s Liska said.

Ransomware-wielding criminals often prefer to amass targets of opportunity rather than meticulously selecting targets in advance, he said. That’s one reason why healthcare organizations continue to be hit, even by groups that claim to not target them.

An from the attacker perspective, if a victim doesn’t pay, that doesn’t mean the attack was a bust. For them, stealing valuable data is incentive enough to keep hacking. “Especially when you’re talking about healthcare – patient records are very valuable on underground forums, and so there’s really no incentive to slow down,” Liska said.