Ransomware attacks pose a significant threat to businesses and national security, with notable incidents involving UnitedHealth, CDK Global, and the UK Ministry of Defence causing disruptions to medical appointments and blood stocks.
In 2023, cybercriminal gangs extorted $1.1bn from victims, with three-quarters of incidents yielding over $1m, a sharp increase on a decade earlier. Even businesses that refuse to pay still face financial losses, as MGM Resorts found. This ethically fraught process feeds a shadowy economy worth $42bn a year that affects small businesses, hospitals, and government departments.
Brett Callow, managing director at FTI Consulting, warns that organizations must weigh the high-stakes reputational risks of paying a ransom. If they choose to pay, they may be perceived as underprepared or lacking a strong disaster recovery plan, while not paying can lead to prolonged service outages and financial harm.
Former GCHQ chief executive Ciaran Martin has proposed banning ransomware payments, arguing that they encourage more attacks and that criminality cannot be rewarded. The idea has gained support from The Times and other quarters, since it parallels the ransom payment bans adopted during al-Qaeda’s heyday.
Lawmakers worldwide are advocating for the prohibition of ransomware payments, with partial bans in North Carolina and Florida and a proposed bill in New York extending to private companies. The UK government plans a consultation to overhaul the law, but the decision remains uncertain. Australia considered a ban after the Medibank data breach, leaving the issue of a comprehensive ban on ransomware payments in the hands of the public.
The case for prohibiting ransomware payments
Governments are debating a ransomware payment ban, with critics arguing it would be difficult to enforce and could backfire. Aon managing director Tom Ricketts believes a ban is unlikely. The US and UK are also considering a ban but face questions of enforcement and of whether businesses that cannot recover without paying should simply be left to die. Governments remain in the deliberation phase.
Ransomware payments are 700% underreported, which makes enforcement difficult. A company that ignored the prohibition would have to obscure the payment in its end-of-year finances, making such payments hard to detect. If companies have no legal recourse, the problem could be driven underground, so a ban could hamper enforcement and potentially make matters worse.
Data backup company Datto reports that three-quarters of businesses believe a ransomware attack would threaten their survival. Prohibiting victims from paying a ransom would significantly increase that toll of business failures. Ricketts believes authorities may not have the stomach to handle the human impact, especially when healthcare providers go offline.
The criminal mindset itself is a concern: the ransomware payment bans in North Carolina and Florida have not significantly reduced attacks. Jen Ellis, co-chair of the Institute for Security and Technology’s Ransomware Task Force, believes criminal groups may be unable to stop even when a particular revenue path is closed to them.
Cybercriminals target vulnerable organizations or critical infrastructure with low resilience, as they are more likely to pay. If US authorities enforce a ban, ransomware actors may move to other countries for payment, indicating their flexibility in tactics.
How to deal with issues like ransomware
The RTF proposes measures to reduce the need for a ban on ransom payments, including international law enforcement partnerships, holding cryptocurrency exchanges accountable, and creating a fund for victim recovery. It also emphasizes the need for better preparedness across the digital ecosystem to fend off attacks.
Ellis suggests that any ban on ransom payments should be accompanied by a plan to help organizations become resilient. Companies should address the root causes of their security weaknesses, such as cost and complexity, rather than reacting to headlines, and should help employees understand how ransomware is relevant to them and what it would do to operations.
Moore believes businesses need to improve their security procedures, as many delay auditing and testing for a variety of reasons. He suggests that cyber insurance providers could enforce these checks as a condition of coverage. Insurers bear the cost of ransom payments, so tighter security standards would reduce how often they have to pay.
Ellis and Moore don’t rule out a ban on ransom payments in the future, but they don’t believe it is feasible in the short term. Ricketts puts the likelihood of a ban at zero, since it could harm corporations and taxpayers; regulating corporations out of existence, he says, is a sensitive topic.
According to a source, momentum towards a ban on ransom payments has stalled for a few years. Governments find the current dynamics unappealing, yet they have come to recognize a ban as ineffective compared with the alternative of continuing to allow ransom payments.