The general belief that a cyber breach is a matter of ‘if’ not ‘when’ means all organisations potentially face the highly unwelcome prospect of being infected by ransomware, with critical data and operational capabilities only being released following payment to the attacker.
Handling a ransomware attack calls for the enterprise to weigh up the value of the seized assets and determine the most viable course of action to limit cost and aid speedy recovery.
Before looking at whether ransomware payments should be banned, it’s helpful to acknowledge why an organisation might pay the ransom in the first place. Often, payment may seem the quickest way to resolve the incident; data is retrieved faster so that normal operations can be resumed with as little disruption as possible. Additionally, the overall cost of paying the hackers may be less than other steps required for recovery; long stretches of downtime waiting for backups to be restored might ultimately drain funds further for example, while for those that do not maintain backups the prospect of having to rebuild from scratch simply might not be viable.
With those practical reasons in mind, why could it make sense to ban ransomware payments?
The case for banning ransomware payments
Even when an organisation has paid the demand, there is no guarantee that the attackers will honour their side of the bargain, meaning victims may not regain access to their data at all (in March this year, for example, the ALPHV/BlackCat cybercrime group disappeared having collected $22m from a US healthcare business). Another possibility is that the data is released back to the company, but the attackers keep a copy that they can sell to the highest bidder, thereby leaving Personally Identifiable Information (PII) and intellectual property at risk.
In addition, evidence suggests that paying a ransom doesn’t protect organisations from being targeted again – if anything, it makes it more likely. A recent global study reported that 78% of organisations that had paid a ransom suffered a further attack, with 63% of these asked to pay more on the second occasion.
The tight timescale required to pay the ransom and return to business as usual can reduce the likelihood of victims involving law enforcement, making police investigations and charges being brought against the criminals rare. The threat of reputational damage can also deter companies from disclosing an incident, which has the broader impact of hampering the cyber sector’s ability to learn, and counter future attacks. This perpetuates the current cycle of ransomware behaviours; organisations passing over the opportunity to support wider anti-cybercrime efforts exposes them (and others) to further risk in the future.
Paying ransoms no doubt adds fuel to the fire; the more companies submit to attackers’ demands, the bigger the ransomware market grows, which increases the incentive for malicious actors to pursue this route. Banning payments altogether could remove the financial incentive for cyber criminals to conduct ransomware attacks, while multiple countries instigating a ban could encourage international cooperation in tackling what is a global problem.
It should also be noted that once paid, ransom money may be used to fund criminal organisations involved in various illicit activities beyond ransomware; banning payments could disrupt these funding streams and hinder their operations, in turn protecting businesses from association with illegal activities and known criminals.
Why a ban might not be effective
As noted above, non-payment of ransoms can increase costs for a business, adding to downtime and delaying the return to operational viability. Both these key factors make a strong case (from a business perspective) against implementing a ban.
While it’s usually the financial element that makes headlines, there are attackers for whom the key objective is to cause maximum disruption to the organisation or wider environment (for example to damage critical infrastructure or engage in ‘hacktivism’). The money is a secondary benefit, meaning banning payments may provide limited leverage in terms of stopping attacks.
Whether a ban would actually stop people from making payments is another consideration. One risk is that the whole process is driven underground with funds transferred covertly and victims scared to report attacks, while hackers target institutions that can least afford the downtime such as hospitals, schools, and SMEs.
On top of all these points, the reality is that enforcing a ban on ransomware pay-outs would be difficult, particularly given the use of cryptocurrencies which can facilitate anonymous payments.
In addition, any period of transition before a ban takes effect would require a rigorous national support framework for ransomware victims to prevent businesses suddenly finding themselves unable to quickly rectify their situation. Until a viable and clear ‘official’ response route is put forward that works fast enough for businesses, many may simply continue to take matters into their own hands.
What are the alternatives?
Whether or not ransomware payments are banned, organisations need to know how to protect themselves and manage risk. Developing strategies for the prevention of breaches in the first place should be a central pillar in every organisation’s operation, and these need to be reinforced with mitigation and response plans, should the worst occur.
Education and employee training is also critical here. Phishing in all its forms must be recognised, but there also needs to be a wider appreciation of human risk elements, such as organisational culture, and how to combat these through tailored training and procedural controls.
The human element is reinforced by technology. For example, the ongoing trend for remote and hybrid working makes employees highly reliant on laptops and mobile devices, where they may store critical information locally. Combining appropriate training with relevant technical controls can prevent major incidents, in this case through things like multifactor authentication (MFA) or a mobile device management (MDM) system.
A commitment to backing up data is also key to resilience in the face of an attack. One 2023 report puts the savings in recovery fees at $1 million for companies that used back-ups compared to those that hadn’t taken this necessary step, making this an important consideration during business continuity and disaster recover planning.
Other technological defences include AI, which has huge potential to spot and stop ransomware attacks before they happen. Machines can analyse data fast and find patterns that humans might miss. For example, email clients could include the ability to perform initial scans on email addresses and embedded links to identify any that look suspicious.
Moving away from technology, collaboration between government agencies, law enforcement bodies, cybersecurity experts and affected businesses could also produce a more joined-up framework for combating ransomware. The current culture of fear and self-preservation often prevents businesses from openly discussing their breaches and ‘weaknesses’, but this communication holds the key to unlocking greater resilience and understanding across the sector. This approach was adopted by the British Library, which has provided extensive details of the hack to which it was subjected in autumn 2023; the full transparency aims to provide other organisations with insight that will help them to avoid the same fate.
Multiple tools are required
There are valid arguments on both sides of the discussion on whether to ban ransomware payments. Preventing the growth of the cybercrime sector requires stopping the cycle of attack and payment through a combination of bolstering organisational cyber defences and cutting off the financial incentive for attackers. This is by no means the easy way forward for any business; true success in this area will need long-term vision to triumph over short-term pain, requiring a combined approach incorporating legal input, education, technology, and industry cooperation.