As cybercriminals continue to reap the financial benefits of their attacks, talk of a federal ban on ransom payments is growing stronger.
US officials have long urged victims not to pay ransoms. However, while several US states – including North Carolina and Florida – have made it illegal for local government entities to pay ransom demands, the Biden administration only decided last fall not to ban ransom payments.
It’s easy to see why. Not only would a ban on ransom payments be difficult to enforce and require complex mechanisms that have yet to be put in place, but critics argue that criminalizing payments to hackers ultimately penalizes the victims of cybercrime, who might then face legal ramifications for doing what they deem necessary to protect — or in some cases, save — their business.
Although challenges remain, it appears that the mindset of the US government may be beginning to change.
In October 2023, a US-led alliance of more than 40 countries pledged as governments not to pay ransoms to cybercriminals in a bid to starve hackers of their source of income.
Since then, as talk of a possible ban on paying ransoms has grown louder, so has ransomware activity.
In 2024 alone, we saw financially driven hackers boldly exploit massive flaws in various remote access tools to deploy ransomware, notorious ransomware groups bounce back from government crackdowns, and disruption to healthcare providers across the US following a ransomware attack on prescription processing giant Change Healthcare.
Is banning ransom payments the solution? It’s not that simple.
To ban or not to ban?
On the face of it, a ban on paying ransoms makes logical sense. If victim organizations are prohibited from paying, attackers will have less of a financial incentive to steal their data. In theory, this means those looking to get rich quick will be forced to look elsewhere — and that ransomware attacks could become a thing of the past.
The flip side is that many believe making ransom payments illegal is an overly simplistic solution to a complex problem.
Ransomware is a global problem. For a ban on ransom payments to be successful, international and universal regulation would have to be implemented — which, given the differing international standards regarding ransom payments, would be nearly impossible to enforce. It would also require governments that provide safe harbor to cybercriminals — Russia gets an obvious name check — to crack down within their borders, which they have no incentive to do.
A blanket ban on ransom payments would also require exceptions in dire circumstances, such as ransomware attacks that pose a risk of loss of life to medical facilities or threats to critical national infrastructure.
These exemptions, while reasonable, would also be exploited by the hackers behind these attacks, since victims covered by an exemption could still pay, which could lead to more attacks on the country’s critical infrastructure. And as long as cybercriminals continue to make money, the threats of ransomware and extortion won’t go away.
Some also argue that if a ransom payment ban were imposed in the US or any other high-victimization country, companies would likely stop reporting these incidents to authorities, essentially reversing all previous cooperation between victims and law enforcement.
Allan Liska, ransomware expert and threat intelligence analyst at Recorded Future, told TechCrunch that before a blanket ban on payments to ransomware groups — or a ban with some exceptions — is imposed, we need to make a concerted effort to better record the number of ransomware attacks, so we can make an informed decision about the best steps.
“In the United States, we actually have two test cases that prove this point,” Liska said. “Both North Carolina and Florida have implemented bans on public entities paying ransoms to ransomware groups. In both cases, looking at data from a year before the laws went into effect and the year after, there was no notable change in the number of publicly reported ransomware attacks against public organizations in these states.”
Would the ban even work?
There is also the question of how effective a ransom payment ban would be.
As history has shown, hackers are no respecters of rules. Even when an organization gives in to an attacker’s ransom demand, the victim’s data isn’t always deleted — as evidenced by the recent law enforcement takedown of the LockBit ransomware gang.
Given the brazenness of these attackers, they are unlikely to be deterred by a ban on ransom payments. On the contrary, criminalizing payments would likely push them further underground and encourage attackers to change tactics, becoming stealthier in their operations and transactions.
“Are ransom payments bad? Yes. There is no net good to society that comes from paying ransomware groups; in fact, there is direct net harm to society by paying these threat actors,” Liska said.
“Will banning ransom payments stop ransomware groups from attacking? The answer to that is emphatically no.”