Security Think Tank: Banning ransomware payments is not so straightforward

I can understand why Ciaran Martin has taken the position of advocating for legal controls on ransomware payments, and the logic behind this proposal is simple: criminal gangs are a business, using ransomware attacks to generate revenue. Like any business, they operate on the principle of return on investment (RoI). So, if ransomware attacks consistently yield no returns, then it is not profitable and those engaging in it will move on to something else.

Not to mention, ransomware gangs are only getting greedier. It wasn't so long ago that there seemed to be almost a sense of honour among them. Several prominent gangs publicly pledged not to attack healthcare organisations during the Covid-19 pandemic, for example. However, an advisory notice issued by the FBI in February for US hospitals highlights that this was a temporary truce at best, warning that ransomware gangs are specifically targeting US hospitals.

Organisations that pay the ransom are also likely to be targeted again. Estimates from the NCSC suggest that around one-third of all organisations affected by ransomware are attacked again, with some experiencing multiple attacks in a year.  

And finally, there’s no guarantee that paying the ransom will even get you your files back. Firstly, the criminals might not play fair. Secondly, they might choose to double or even triple dip on the ransom – you might have to pay to have your files decrypted, pay not to have your files released on the dark web, and even pay for the criminals not to tell your regulator or the Information Commissioners Office (ICO) about your breach.

Those are some of the arguments for not paying. However, the issue is not that straightforward. Imagine a scenario where your company is under a ransomware attack, facing an existential threat. The dilemma becomes whether to pay up or refuse payment, risking the closure of the business and loss of jobs. Even if the attack might not directly finish off your organisation, the time it might take to recover could do so. Look at the example of the British Library – they were successfully attacked in October 2023, and as of March 2024, they are still not back to a full service – access to many of their online services is limited, and they estimate that it could take up to 12 months to recover fully.

There are also practicalities to consider. If ransom payments were criminalised, it might discourage organisations from reporting these incidents, driving the illegal practice further underground and making it more challenging for law enforcement to track and address. Just as individuals are encouraged to report social engineering attacks they encounter; companies must also feel safe to report ransomware incidents without fear of penalisation.

Both NCSC and the ICO currently ask that even if you’re going to pay the ransom, keep them informed, especially sharing information about indicators of compromise (IoCs) or how the attack succeeded. One of the few good things that has come out of the British Library attack is an in-depth report on how they were attacked, which can only help organisations in the future.

How can we effectively reduce the number of ransomware attacks? The truth is, as humans, we are prone to errors, which can be exploited by cyber criminals. While security training can minimise these mistakes by encouraging individuals to be more cautious, human error can never be eliminated.

A more sustainable approach is to focus on a multi-layered defence, emphasising security in design and hygiene practices. This involves integrating security measures into every level of an organisation's operations, making it more difficult for cyber criminals to exploit vulnerabilities.

Network design principles such as zero-trust should be incorporated to allow for quick isolation of infected machines and to limit and contain the spread of ransomware and other malware internally. Artificial intelligence (AI) could also play a role in bolstering cyber security. For instance, anomalous behavioural pattern matching would enable systems to quickly identify and isolate unusual behavioural patterns. For example, IBM’s X-Force report from 2023 suggested that machine learning algorithms had up to an 85% success rate in identifying ransomware attacks by analysing network traffic patterns. By quickly identifying and responding to unusual activities, such as the sudden encryption of large amounts of data, the impact of a ransomware attack can be more effectively mitigated.

In essence, the key to addressing ransomware attacks might not lie solely in banning payments. Instead, a combination of strategies, including robust security measures, transparency, continuous education, and leveraging AI technology, could be a more effective way forward.

John Scott is lead cyber security researcher at CultureAI