The UK may not have a choice on a ransomware payment ban

Banning ransomware payments is a simple, elegant idea, with the potential for terrible unintended consequences. It’s attractive because it would, if it worked, stop the incentive for ransomware. If you can’t get paid, what’s the point? Cyber crime is a business like any other. If the paying customers suddenly stop paying, it’s time to pivot or shut up shop.

But will they stop paying? The big problem with a UK ransomware payment ban is that it would only be effective in the UK. Businesses with an international footprint may pay elsewhere, or use a third-party based abroad to make any payments, possibly with a cryptocurrency that’s nearly impossible to trace back to the source. A ban could also have a chilling effect on reporting data breaches, as businesses weigh up the cost of keeping secrets against the cost of systems being unrecoverable.

But the discussion, while interesting, may be moot if the US government bans ransomware payments first.

According to research cited by the US government, the US suffers 46% of all ransomware attacks, and is the most-targeted country in the world. It has already signed a pledge, along with 40 other countries, not to pay ransoms, along with information sharing schemes. And while a pledge is a long way short of legislation, it does show the way the US government is thinking.

Of course, “what the US government is thinking” is a little unpredictable right now, especially with the big divides in US politics and a presidential election looming. But the imminent ban on TikTok shows that it is prepared to take strong action against perceived threats, and regulation such as Sarbanes-Oxley demonstrates a certain willingness to crack down hard on white collar crime. The issue of ransomware may be dire enough to bring the sides together.

Ransomware targets have changed since the concept was born. A decade ago it was often used to attack private citizens, locking up personal files and photos and demanding a few hundred dollars (or, back then, a couple of Bitcoin) for their safe release. Now it’s big companies with big pockets, MGM and Clorox being two such examples. Or, increasingly, critical national infrastructure.

The attack on UnitedHealth led to healthcare providers borrowing money to cover a three week gap in expenses and payroll, and shut down operations for many hospitals and pharmacies for over a week. It was, according to the CEO, “straight out an attack on the US health system and designed to create maximum damage”. UnitedHealth paid up, reportedly to the tune of $22m, but this was a fraction of the total cost of the attack.

In summary: a criminal gang took down a healthcare provider, put lives at risk, and got paid for its trouble, in effect financing the next attempt at extortion. Even without considering the links between cybercriminals, unfriendly regimes and terrorism, it has to be very tempting for legislators to try and stop this cycle using the levers they have access to. Hunting down ransomware groups requires a lot of shoe leather, virtual or otherwise. Even when they’re located, they may not be somewhere law enforcement has access to. A ban on ransom payments may quickly seem like the only option.

If the ban works in the way it’s hoped, what would that mean for every other country without a ban? That 46% of ransomware attacks on the US wouldn’t just stop, they would instead be targeted elsewhere, at countries where it’s legal to pay out. The UK could expect ransomware attacks to increase massively, and the only sensible response is a ban of our very own.

A ban on ransom payments would undoubtedly have unintended consequences, the most worrying one being a lack of reporting. Businesses hit with an attack will have a choice, be honest, and risk all of the consequences of a data breach plus the possibility that systems may never be recovered, or keep everything quiet, face far fewer consequences and get everything back to normal after some disruption. To keep this option open, businesses would have to be more secretive about security in general. The culture of honesty and openness that is vital to good security practice could be irreparably harmed.

The UK, while it thinks about a ban on ransomware payments, may end up with no choice. We need to start thinking about the consequences, or alternatives to get ransomware under control, now.

Ian Thornton-Trump is CISO at Cyjax, a threat intelligence and risk management specialist.