Ransom payment prohibition potentially criminalizes ransomware victims
In the ongoing battle against cybercrime, a government ban on ransomware payments for public sector and critical national infrastructure (CNI) organizations is being considered as a potential solution to reduce the incentives for cybercriminals. However, such a ban has complex potential consequences and has sparked a discussion on alternative approaches.
The fundamental theory behind the ban is that if attackers know they will not be paid, ransomware attacks become less profitable and thus less frequent. A report by Emsisoft indicates that in 2023, a total of 2,207 US hospitals, schools, and governmental organizations were directly impacted by digital extortion attacks. The Minnesota School of Health's study estimates that ransomware attacks were responsible for the deaths of between 42 and 67 Medicare patients between 2016 and 2021.
However, the operational and ethical dilemmas posed by such a ban are significant. Public sector organizations often provide essential services where ransomware disruption could risk lives, such as hospitals. Refusing payment may prolong downtime, jeopardizing critical operations. This raises ethical and moral issues when weighing refusal to pay against service disruption and safety risks.
A prohibition on ransom payments may not halt attacks but instead transfers the burden onto victims who must either endure service interruptions or attempt costly and complex recovery without guaranteed success. Victims could face greater operational, financial, and safety pressures since attackers may still encrypt data but receive no ransom, leaving victims to cope with the aftermath.
Legal compliance and enforcement challenges also arise from such a ban. Public organizations must comply with bans, yet private entities may only face reporting requirements or advisory support when paying ransoms. This uneven application might lead to risk-shifting to private organizations or more covert ransom payments to evade detection.
Alternatives to a strict payment ban include mandatory incident reporting and government guidance, improved incident preparedness and resilience, ransomware payment prevention regimes, and international cooperation and enforcement. Mandatory reporting enables authorities to provide tailored advice, strengthen threat intelligence, and coordinate responses without instantly forbidding payments. Organizations are encouraged to invest in offline backups, recovery plans, and operational continuity strategies that reduce reliance on ransom payments to restore systems.
Some proposals include structured frameworks to prevent payments selectively or under controlled conditions, balancing operational continuity needs against fueling criminal enterprises. Addressing ransomware financially involves global cooperation to track and block criminal funding channels, applying pressure on cybercrime infrastructure and reducing attackers’ reach beyond national laws.
In conclusion, while banning ransomware payments aims to deter attacks by removing attackers’ financial incentives, it may also intensify risks and burdens on victims who must recover from attacks without ransom payments. Alternatives such as mandatory reporting, resilience-building, targeted payment prevention, and governmental support are critical to complement or substitute outright bans, ensuring security without compromising essential service delivery.
The call for a ban on ransomware payments comes from cyber security firm Emsisoft, which also highlights the financial impact of these attacks. Chainalysis's mid-year update reports $449 million paid during the first six months of 2023. A blanket refusal to meet ransom demands could force threat actors to switch to less disruptive forms of cybercrime.
Paying ransoms contributes to the proliferation of ransomware attacks. The costs of recent high-profile attacks on MGM Resorts and Clorox are estimated at $100 million and $356 million respectively. Despite significant effort among global governments and security agencies to prevent the practice, ransomware payments still continue.
One case cited by Emsisoft's report detailed a three-year-old patient being given a fatal 'megadose' of pain medication due to the hospital's computer systems being offline during treatment. The overall cost of digital extortion in the US is in the billions of dollars, according to Emsisoft.
The International Counter Ransomware Initiative (CRI), an international coalition of over 50 nations committed to building collective resilience to ransomware, launched in 2021 and was expanded in 2023 to reflect a period of heightened activity by ransomware groups. Cutting off the supply of money to ransomware groups is key to limiting their impact, according to Emsisoft. However, a ban on ransomware payments does nothing to ensure that stolen data will be released.
James Blake, EMEA CISO at Cohesity, suggests improving the cyber resilience of institutions as a better solution than criminalizing victims of ransomware attacks. As the debate continues, it is clear that a multi-faceted approach, combining prevention, detection, and recovery strategies, will be necessary to effectively combat the threat of ransomware.
- The debate over a government ban on ransomware payments for public sector and critical national infrastructure organizations is complex, as the potential consequences could include prolonged downtime for essential services like hospitals, leading to increased operational, financial, and safety pressures on victims.
- Improving cyber resilience of institutions might be a more effective solution than criminalizing victims of ransomware attacks, as reported by James Blake, EMEA CISO at Cohesity, considering the multi-faceted approach required to combat the threat of ransomware, including prevention, detection, and recovery strategies.