Banning Ransomware Payments
I was recently quoted in an article by Katie Prescott in The Times, regarding the discussion on whether ransom payments should simply be banned. The discussion is probably longer than the single quote used, so to expand on it a little…
Criminalising being a victim
If paying a ransom is made illegal, the person breaking the law is the one who makes the payment, not the one who receives it. This is on top of already having their company’s sensitive data potentially exposed on-line and the regulatory fines associated with that; lost revenue from business disruption, which for a large company can run to millions of dollars a day; not to mention the reputational damage and the resulting impact on share price¹.
There is also a perception of prosecutorial imbalance here: in this scenario it is significantly easier to identify and prosecute a victim organisation than the international band of cyber criminals who caused the compromise in the first place, who often operate outside the jurisdictional reach of most Western law enforcement.
It doesn’t actually stop the payments
I’d also argue that it won’t fundamentally stop ransom payments. Perhaps it will in some highly visible or regulated industries, but some victims will still pay if it is the only route available. Making it illegal would simply drive those payments underground, or force attackers to find alternative mechanisms to get paid. We may well see more cases like the recently reported one of the Uber CISO who tried to disguise a ransom payment as a bug bounty reward, or an increase in payments simply booked as “Security Consultancy”.
All of this reduces the likelihood that a victim organisation will reach out to the authorities for assistance (whether they plan to pay, or just want to keep the option of paying in reserve). That means less reporting and less knowledge of the true impact, and it also limits victims’ ability to draw on the best available resources to support their recovery. The resulting under-reporting also means fewer chances for law enforcement to reach a successful prosecution. A ban therefore hurts law enforcement just as much as it hurts victims.
Exceptions to the rule
Wherever I see the idea of banning payments proposed, the article normally contains the caveat “… well, obviously there are scenarios where we would want an exception, like hospitals or other areas of critical infrastructure …”. This fundamentally undermines any prosecution brought against a victim who is not exempt, as it concedes that sometimes paying a ransom is the ONLY way out.
Whilst I disagree with that as a point of principle, it also introduces another issue. If a ransomware actor knows that targets in certain industries have regulatory and legal reasons not to pay (which is, after all, the whole point of the ban), why not focus their efforts where those legal restrictions don’t apply, and so improve their return on investment? In other words, this could lead to an INCREASE in the targeting of the very critical infrastructure organisations we are trying to protect through the exemption, and likely to higher ransom demands because of the smaller “addressable market”. Essentially, we could see more ransomware hitting hospitals, not less!
Extrinsic vs Intrinsic Motivations
This forms part of a larger discussion on ransomware payments in general, on which my view is that we should be considering the difference between extrinsic and intrinsic motivators. It is my belief that the effect compounds far more when organisations choose not to pay than when they are forced not to. The former is the true death knell for ransomware; the latter is merely a stumbling block until the attackers find an alternative method.
If you would like to see some intrinsic motivators for not paying, I discuss this further in my post here: https://tobylewis.substack.com/p/paying-a-ransom
¹ Although there is some evidence that share prices actually do better post-incident, not that this should be a reason to get hit by ransomware in the first place!
https://www.comparitech.com/blog/information-security/ransomware-share-price-analysis/