Features 16.01.2024

To Ban or Not to Ban? The Experts Weigh in on Ransomware Payments

How do you halt a cybercrime pandemic that continues growing?

Is a total ransomware payment ban the only way to stop mounting carnage? Phil Muncaster finds that the arguments for and against are finely balanced

In a year defined by economic malaise and business uncertainty, ransomware continued to cement its reputation as a major growth industry in 2023. This growth feeds a cybercrime economy now estimated at over $9 trillion. At the same time, it’s disrupting critical infrastructure, forcing companies into bankruptcy, and even putting lives at risk. Against this backdrop, one cybersecurity vendor has had enough.

Emsisoft kicked off the year by proposing a radical solution: a total ban on all ransom payments. According to the anti-virus firm, it’s the only way to halt a cybercrime pandemic that continues growing, spreading, and morphing into dangerous new variants. Assured Intelligence spoke to conflicted experts about whether such a plan would work.

Something’s got to give

That ransomware has become a serious economic and societal problem is not in dispute. Emsisoft claims it impacted 2,207 US hospitals, schools and governments last year, with many more indirectly affected via attacks on their supply chains. Accurate private sector figures are almost impossible to come by, given that many organisations still do not report ransomware. But Emsisoft believes thousands of US firms were impacted directly or indirectly in 2023, causing billions of dollars worth of damages. It also cites research estimating that ransomware attacks on healthcare organisations probably killed around one American per month between 2016 and 2021.

Things are no better in the UK – one of the most frequently targeted countries after the US. A recent parliamentary committee warned the country is at “high risk” of a catastrophic ransomware attack in the near future. But aside from the threat to critical infrastructure and thus loss of life, it also portends mass financial and reputational damage for victim organisations, stemming from large-scale theft of IP and personal information. Comparitech claims that 1,067 ransomware breaches compromised over 127 million records in 2023, more than double the figure from two years earlier. ‘General business’ was the most affected sector, accounting for over 108 million of those records.

Time to ban?

Ransomware payments would seem like an obvious place to hit back. Blockchain analysis by Chainalysis reveals that threat actors extorted at least $449m (£352m) in the first half of 2023, putting the year on track to be the second most profitable on record. Emsisoft cites research claiming average payments rose an astonishing 29,900% between 2018 and 2023 to reach $1.5m (£1.2m).

The idea of banning ransom payments is not new. The Australian government mulled a similar proposal in 2022 following a significant ransomware breach by Russian cyber criminals at Medibank. It has also been suggested by the think tank the Royal United Services Institute (RUSI). Additionally, 40 governments and counting have already pledged not to pay digital extortionists, although crucially, this agreement doesn’t cover the private sector.


Emsisoft argues that banning payments is the only viable means governments have left to rapidly reduce ransomware volumes – by effectively making it unprofitable for cyber criminals to launch attacks. Government task forces, international coalitions and law enforcement takedowns have failed to make a significant impact on the underground ransomware economy thus far, it claims. Emsisoft threat analyst, Brett Callow, argues that such activity amounts to “little more than building speed bumps and whacking moles.”

However, several experts that Assured Intelligence spoke to warn that banning ransomware payments outright may force those who feel they have no other choice – such as SMEs or critical national infrastructure (CNI) providers – to pay anyway, illegally.

“Attackers may believe that leaders of these types of organisations – faced with potentially losing their entire business – may be more likely to make a payment under the table. This would put these business owners very much in the pocket of their attackers,” Ransomware Task Force (RTF) co-chair, Jen Ellis, tells Assured Intelligence.

Lacework field CISO, Merritt Baer, agrees. “Paying a ransom is like negotiating with terrorists. Overall, we don’t want anyone to pay, and theoretically, that would make the bad behaviour go away. But in the real world, when our own entities are at stake, we become tempted to engage with the criminal,” she tells Assured Intelligence. “Putting a categorical ban on ransomware payments might also dissuade victims from reporting it to law enforcers, who could otherwise help coordinate a response.”

Emsisoft’s response to such arguments is simple: not every organisation in the world needs to adhere to a payment ban, just enough of them for ransomware to become broadly unprofitable for threat actors.

Could it improve security posture?

Forescout VP, Rik Ferguson, argues that under-utilised technologies like dynamic network segmentation and data encryption would go a long way to mitigating ransomware risk. So, might a payment ban force organisations to focus on improving security posture? That’s the hope, Recorded Future threat intelligence analyst, Allan Liska, tells Assured Intelligence.


“It is hard to force real security change onto organisations, and the actions taken by governments to date don’t seem to be working,” he continues. “So, while banning ransom payments is a drastic step, it may be the only thing that accelerates the move to a more secure environment for everyone.”

Others aren’t so sure. “There’s no real reason to think banning ransom payments would force organisations to improve security posture,” Secureworks director of threat research, Rafe Pilling, tells Assured Intelligence. “History suggests that organisations that don’t invest in security will continue to roll the dice on not being a victim in the first place.”

The RTF’s Jen Ellis says smaller businesses – which make up over 99% of UK companies – are unlikely to change.

“These organisations are constantly resource-constrained and, for the most part, lack awareness and understanding of security threats and responses,” she argues. “Banning payments isn’t going to change those facts and drive mass adoption of security capabilities. SMEs will still struggle to invest and may face an existential crisis if they fall victim to a successful attack.”

Fraught with practical difficulties

Banning ransom payments would also be “fraught with difficulty” from a practical implementation perspective, argues Secureworks’ Pilling.

“Aside from the issue of enforcement of a ban, merely scoping a ban would be difficult,” he claims. “Would the attack have to involve encryption? Does payment to prevent data leaking from data-theft-only extortion count? What if the payment is in the form of a ‘recovery fee’ to a third party that just so happens to have a key to decrypt the victim’s data? Would that criminalise legitimate security companies that provide decryption services?”

Non-profit the Center for Cybersecurity Policy and Law posits a range of options to make payments either more difficult or illegal. These include fines and criminal charges at one end and compulsory reporting and government oversight of breached firms’ security programmes at the other. It also suggests that a special regulator or panel would need to be set up to decide on exceptions or exemptions. That points to a significant amount of work for policymakers.

Following the money

Forescout’s Ferguson argues that rather than create these “regulatory and legal problems” for organisations “at a time when they are least equipped to deal with it”, the ransomware challenge should be approached from another direction.

“We should be focusing on the financial systems that make the paper trail so opaque,” he writes.

“We can hope that as emerging cryptocurrency regulations come into effect, the identities of both senders and receivers of cryptocurrency transactions will become clear, forcing criminals to think again about their cashing-out strategies.”

Emsisoft’s Callow fires back that a global, harmonised know-your-customer (KYC) framework for digital currency is unlikely any time soon.


“However, even if such a framework could be created, it wouldn’t necessarily solve the problem,” he tells ISMSonline. “Unless a ban is in place, companies and cyber criminals will always be able to find ways to transact, albeit possibly not as easily as at present. It’s also worth keeping in mind that business email compromise and other forms of fraud use the mainstream banking system.”

Many experts agree. Secureworks’ Pilling argues that greater transparency in digital payment could raise the barrier to entry for some criminals, “but this will likely result in the creation of new payment brokering services from larger and better resourced criminal groups”.

Recorded Future’s Liska adds that even if a transaction can be traced, it doesn’t mean that action can be taken at the “other end” of a payment flow.

No simple answers

Another hope for progress may lie with cyber insurance. The industry has been blamed at times for exacerbating the global ransomware problem. But more realistically, it can also be part of the solution, says Recorded Future’s Liska, explaining it can do so “by instituting guidelines that forbid insured victims from using insurance payouts to pay ransoms and by requiring more stringent security guidelines before offering insurance.” However, progress could be slow.

“It will take time for the cyber insurance market to learn the lessons of years of claims to see a normalisation of approach and requirements,” warns Ellis.

Ed Ventham, head of broking at Assured, has an informed take on this. “The insurance industry already requires stringent security guidelines for a business to be able to acquire insurance protection. Cyber insurance is, quite simply, for when there is a failure of cybersecurity. Even the best security sometimes fails, and a high degree of security is already demanded by insurers before they offer any form of insurance.”

He continues: “The repercussions of a cyber incident can be big, but usually the shockwaves are ‘short-tail’, meaning the claims are realised within a 12-month period. This means that insurers can learn fast. It’s a fast paced risk and the lessons are learnt quickly because they have to be.”

There are clearly no easy answers. The best organisations can do in the meantime is focus on the technologies most likely to build resilience against a ransomware breach, such as effective software patching and credential and access management, says Lacework’s Baer.

“But it’s hard,” she concludes. “Ransomware is tough to defend against because it looks a lot like doing security right every day.”
