The topic of whether or not it would be appropriate to enact a legal ban on making or facilitating a ransomware payment is once again on the agenda, after being raised by Ciaran Martin, leading cyber security expert and inaugural chief executive of the UK’s National Cyber Security Centre (NCSC), in The Times.
This comes a fortnight after the infamous LockBit extortion gang was taken down in Operation Cronos – a multinational law enforcement operation spearheaded by the National Crime Agency (NCA) – and a week after LockBit’s ringleader appeared to dismiss the impact, posting new victims to a rebuilt leak site, taunting the police and threatening to double down on its crime spree.
“Ransomware is by far the most damaging cyber threat to most businesses right now. We have to find a way of making a ransom payments ban work,” wrote Martin, who is outspoken on the threat presented by ransomware and has previously advocated for banning cyber insurers from covering ransomware payments.
In his piece in The Times, Martin argued that inertia and reluctance to challenge the status quo were holding back an idea whose time has now come.
He also dismissed some of the arguments often made against banning such payments – namely that to do so risks driving the problem underground by incentivising organisations to fail to report or seek assistance when attacked, and criminalises victims.
Martin described the idea that company directors would knowingly break the law in this regard as “nonsensical”, although he acknowledged that a framework would need to be put in place to assist and support victims before a ban was implemented.
Martin is not alone in his assessment – the idea of banning payments is increasingly attractive to many in the industry. One factor driving this opinion shift is that, as actions against LockBit and ALPHV/BlackCat have proven, ransomware gangs are highly adaptable and resilient.
Moreover, as long as their members remain at large – usually but not always in Russia – and are not being arrested and deprived of their computers, they can shrug off such setbacks with relative ease.
Responding to Martin’s article on social media site Mastodon, security analyst and commentator Kevin Beaumont said the arguments against banning ransomware payments were being made by people representing organisations with a vested interest in maintaining the status quo – that is to say, selling cyber security services – and fell apart with any real scrutiny.
“It is the elephant in the room. It is allowing the industry – including me – to fail upwards. I wish it wasn’t controversial to point this out,” he wrote.
A recent report from Emsisoft, which draws on statistics from the US but is equally relevant from a global perspective, said a ban was now “the only viable mechanism” by which governments could hope to reduce ransomware volumes.
“Current counter-ransomware strategies amount to little more than building speed bumps and whacking moles,” said Emsisoft threat analyst Brett Callow in the report.
“The reality is that we’re not going to defend our way out of this situation, and we’re not going to police our way out of it either. For as long as ransomware payments remain lawful, cyber criminals will do whatever it takes to collect them. The only solution is to financially disincentivise attacks by completely prohibiting the payment of demands. At this point, a ban is the only approach that is likely to work.”
Recorded Future’s Allan Liska, also quoted in the report, said he had resisted the idea of blanket bans but that this now needed to change. “What we are doing simply isn’t working. Yes, law enforcement has gotten better, but law enforcement cannot act fast enough and is powerless against recalcitrant states, like Russia, that refuse to cooperate.
“A ban on ransom payments will be painful and, if history is any guide, will likely lead to a short-term increase in ransomware attacks, but it seems this is the only solution that has a chance of long-term success at this point. That is unfortunate, but it is the reality we face.”
Carl Leonard, EMEA cyber security strategist at Proofpoint, said: “In 2023, ransomware attacks plagued a staggering 64% of UK organisations, with 64% of companies agreeing to pay their attackers, according to a report. These figures paint a grim picture of the challenge at hand. By consistently acquiescing to ransom demands, organisations inadvertently fuel the profitability of ransomware schemes, emboldening cyber criminals to target them repeatedly.
“Paying a ransom also does not guarantee the retrieval of data. In 2023, the percentage of respondents in the UK who regained access to their data after a single payment was 34%.
“Given these sobering statistics, proposals to ban ransom payments might be seen as a long-overdue response. Such a measure would disrupt the financial incentives driving cyber extortion. It would also compel executives, particularly CEOs and CFOs, to prioritise fortifying their cyber security defences,” said Leonard.
“The noticeable uptick in organisations refusing subsequent ransom payments, increasing from 6% to 15%, reflects a growing awareness of the risks associated with paying a ransom. But until this practice remains commonplace, its impact on data recovery will continue to diminish – fuelling a vicious cycle from which only cyber criminals benefit,” he said.