Talk of a federal ban on ransom payments is growing as cybercriminals continue to reap the financial benefits of attacks.
U.S. officials have long opposed paying ransom demands, and several U.S. states, including North Carolina and Florida, have made it illegal for local governments to pay. But last fall the Biden administration decided against a nationwide ban on ransom payments.
The reason is simple. Banning ransom payments would be difficult to enforce and would require complex mechanisms that are not yet in place, and criminalizing payments to hackers would ultimately penalize the victims of cybercrime. Critics argue that victims could face legal repercussions for doing what they deem necessary to protect, and in some cases save, their business.
Although challenges remain, the US government's thinking appears to be beginning to change.
In October 2023, a U.S.-led coalition of more than 40 countries pledged that governments would no longer pay ransoms to cybercriminals, with the aim of cutting off hackers' sources of income.
Since then, just as talk has grown about the possibility of ransom payments being banned, so too has ransomware activity.
In 2024 alone, financially motivated hackers brazenly exploited flaws in various remote access tools at scale to deploy ransomware, a notorious ransomware group recovered from a government takedown, and a ransomware attack on prescription processing giant Change Healthcare disrupted healthcare providers across the United States.
Is banning ransom payments the answer? It's not that simple.
To ban or not to ban?
At first glance, a ban on ransom payments makes logical sense. If victim organizations are prohibited from paying, attackers have less financial incentive to steal data. In theory, those looking to get rich quick would be forced to go elsewhere, and ransomware attacks could become a thing of the past.
On the other hand, many believe that making ransom payments illegal is an overly simplistic solution to a complex problem.
Ransomware is a global problem. A successful ban would require international and universal regulations, which are nearly impossible to enforce given the varying standards across countries regarding ransom payments. It would also require governments that provide safe havens for cybercriminals (Russia being the obvious example) to crack down within their own borders, something those governments have no incentive to do.
A blanket ban on ransom payments would likely require exceptions for dire situations, such as ransomware attacks that risk loss of life at medical facilities or threats to national critical infrastructure.
Although these exceptions are logical, they would also apply to the hackers behind these attacks and could invite attacks on the nation's critical infrastructure. And as long as cybercriminals continue to make money, the threat of ransomware and extortion will persist.
Additionally, if a ban on ransom payments were imposed in the United States or other hard-hit countries, companies would likely stop reporting these incidents to authorities, and some argue that this would all but void the cooperation between victims and law enforcement built up in the past.
Allan Liska, a ransomware expert and threat intelligence analyst at Recorded Future, told TechCrunch that before any ban is enforced, whether in full or with some exceptions for payments to ransomware groups, a concerted effort is needed to better catalog ransomware numbers, “so that we can make an informed decision on the best course of action” regarding ransomware attacks.
“There are two test cases in the U.S. that actually prove this point,” Liska said. “North Carolina and Florida both prohibited public entities from paying ransoms to ransomware groups. In both cases, looking at data from the year before and the year after the laws went into effect, there has been no noticeable change in the number of publicly reported ransomware attacks against public sector organizations in these states.”
Would a ban even be effective?
There is also the question of how effective a ban on ransom payments would be.
As history has shown, hackers pay little attention to rules. Even when an organization complies with an attacker's ransom demand, the victim's data is not necessarily deleted, as the recent law enforcement takedown of the LockBit ransomware gang showed.
Given the brazen nature of these attackers, banning ransom payments is unlikely to deter them. On the contrary, criminalizing payments is likely to drive them further underground and may encourage attackers to change their tactics and operate and transact more clandestinely.
“Is paying a ransom a bad thing? Yes, there is no net benefit to society by paying money to ransomware groups. In fact, there is no net direct harm to society by paying money to these threat actors,” Liska said.
“Will banning ransom payments stop ransomware groups from attacking? The answer is clearly no.”