date 2024-05-01

The widely held view that a cyber breach is a matter of 'when', not 'if', means every organisation potentially faces the highly unwelcome prospect of a ransomware infection, with critical data and operational capability only released once the attacker has been paid.

Handling a ransomware attack requires the enterprise to weigh the value of the seized assets and determine the most viable course of action to limit cost and support a speedy recovery.

Before looking at whether ransomware payments should be banned, it is helpful to acknowledge why an organisation might pay the ransom in the first place. Payment often seems the quickest way to resolve the incident: data is retrieved sooner, so normal operations can resume with as little disruption as possible. The overall cost of paying the attackers may also be lower than the cost of the other steps needed for recovery. Long stretches of downtime while backups are restored can drain funds further, for example, and for organisations that do not maintain backups at all, rebuilding from scratch may simply not be viable.

With those practical reasons in mind, why could it make sense to ban ransomware payments?

The case for banning ransomware payments

Even when an organisation has paid the demand, there is no guarantee that the attackers will honour their side of the bargain, meaning victims may not regain access to their data at all (in March 2024, for example, the ALPHV/BlackCat cybercrime group disappeared after collecting $22m from a US healthcare business). Another possibility is that the data is released back to the company but the attackers keep a copy to sell to the highest bidder, leaving Personally Identifiable Information (PII) and intellectual property at risk.

In addition, evidence suggests that paying a ransom does not protect organisations from being targeted again; if anything, it makes a repeat attack more likely. A recent global study reported that 78% of organisations that had paid a ransom suffered a further attack, and 63% of those were asked to pay more on the second occasion.

The tight timescale for paying the ransom and returning to business as usual reduces the likelihood that victims will involve law enforcement, so police investigations, and charges brought against the criminals, remain rare. The threat of reputational damage can also deter companies from disclosing an incident, which hampers the wider cyber sector's ability to learn from attacks and counter future ones. This perpetuates the current cycle of ransomware behaviour: organisations that pass up the opportunity to support wider anti-cybercrime efforts expose themselves (and others) to further risk in the future.

Paying ransoms undoubtedly adds fuel to the fire: the more companies submit to attackers' demands, the bigger the ransomware market grows, and the greater the incentive for malicious actors to pursue this route. Banning payments altogether could remove the financial incentive for cyber criminals to conduct ransomware attacks, and multiple countries instigating a ban could encourage international cooperation in tackling what is a global problem.
It should also be noted that, once paid, ransom money may be used to fund criminal organisations involved in illicit activities well beyond ransomware. Banning payments could disrupt these funding streams and hinder those operations, in turn protecting businesses from association with illegal activity and known criminals.

Why a ban might not be effective

As noted above, non-payment of a ransom can increase costs for a business, extending downtime and delaying the return to operational viability. Both of these factors make a strong case, from a business perspective, against implementing a ban.

While it is usually the financial element that makes headlines, there are attackers whose key objective is to cause maximum disruption to the organisation or the wider environment (for example, to damage critical infrastructure or to engage in 'hacktivism'). For them the money is a secondary benefit, so banning payments may provide limited leverage in stopping attacks.

Whether a ban would actually stop people from making payments is another consideration. One risk is that the whole process is driven underground, with funds transferred covertly and victims afraid to report attacks, while attackers target the institutions that can least afford downtime, such as hospitals, schools and SMEs.

On top of all this, enforcing a ban on ransomware pay-outs would be difficult in practice, particularly given the use of cryptocurrencies, which can facilitate pseudonymous payments that are hard to trace and block. Any transition period before a ban takes effect would also require a rigorous national support framework for ransomware victims, so that businesses do not suddenly find themselves unable to rectify their situation quickly. Until a viable and clear 'official' response route is put forward that works fast enough for businesses, many may simply continue to take matters into their own hands.