Ransomware attacks are an ongoing scourge on businesses – not to mention national security. Over the last year, we have seen notable attacks on the healthcare organisation UnitedHealth, the software provider CDK Global, and the UK Ministry of Defence, to name a few. In June 2024, an attack on the pathology lab Synnovis disrupted more than 3,000 medical appointments, severely reduced blood stocks, and affected nearly a million NHS patients.
According to Chainalysis, victims paid a record $1.1bn to cybercriminal gangs in 2023, with around three-quarters of incidents yielding over $1m (a big change from ten years ago, when attacks were more frequent but extorted much smaller sums). Even when businesses refuse to pay, they’re still likely to take a significant financial hit. When hospitality giant MGM Resorts was targeted last year, it lost $100m in earnings, plus a further $10m in legal fees, risk remediation and incident response measures.
For many smaller businesses, forking out the money may be the only way to resume operations, while a hospital or government department simply can’t afford the downtime. But paying out is ethically complicated, providing a huge boost to a shadowy economy worth an estimated $42bn a year.
“The decision of whether to pay comes with high-stakes reputational risks,” comments Brett Callow, a managing director at FTI Consulting who specialises in cybersecurity. “If an organisation chooses to pay, some may perceive that it was underprepared or lacked a strong disaster recovery plan. On the other hand, the prolonged service outages that may result from a decision not to pay can also result in reputational and financial harm.”
Against this backdrop, a seductive idea has emerged: why not institute a ransomware payment ban? As the thinking goes, blocking cybercriminals from this lucrative source of revenue would strip away any incentive to attack.
This idea has gained support from various quarters, not least Ciaran Martin, former chief executive of GCHQ’s National Cyber Security Centre. Writing in The Times, he noted that ransom payments to terrorists were banned during the heyday of al-Qaeda, for the simple reason that ‘criminality could not be rewarded or incentivised’. Martin argued that ransomware payments are no different, reasoning that ‘paying only encourages more ransomware’.
Lawmakers across the world have repeatedly called for the practice to be outlawed. Although the Biden administration rejected a wholesale ban in 2022, it wasn’t long before officials were reconsidering the measure. Several states have already implemented partial bans: North Carolina and Florida now prohibit certain state agencies from paying ransoms, while a proposed bill in New York would apply to private companies too.
In May 2024, the UK government said it was planning a major consultation that would overhaul the law around ransomware attacks. While this consultation was put on ice following the general election, the question of what to do hangs in the balance. Australia, too, pondered a ban after the Medibank data breach.
“Companies are stuck between a rock and a hard place,” says Jake Moore, global cybersecurity advisor for ESET. “We understand this is a business model – in order to make the ransomware work, criminals require companies to pay ransoms. So of course, the government line is to cut that cycle by not paying the ransom.”
The case for a ransomware payment ban
Despite the evident need to disrupt the ransomware economy, it is striking that all this talk hasn’t led to action. Whatever the theoretical benefits, critics say a ransomware payment ban could be tricky to implement and all but certain to backfire. As a result, governments remain conspicuously stuck in the deliberation phase.
“Honestly, I think a ban is very unlikely,” says Tom Ricketts, a managing director at Aon with expertise in cyber insurance. “There is very similar thinking being applied to this between the US and the UK, which are the two most targeted countries for ransomware. But they’re both running into the same two major issues – how would you enforce this, and should the government be essentially condemning businesses to die by banning their ability to pay a ransom?”
On the enforcement issue, he notes that ransomware payments are underreported by upwards of 700%. That means, even within the current legislative environment, there’s a lot of activity that falls under the radar – a situation that would surely be exacerbated by a ban.
Ignoring the prohibition would “get complicated when you come to do your end-of-year finances,” thinks ESET’s Moore. “You’d be bound to get found out.” But if companies have no other recourse, it’s entirely possible that the problem would be driven underground.
As for ‘condemning businesses to die’, this is not hyperbole. According to data backup company Datto, three-quarters of businesses already believe that a ransomware attack would threaten their survival as a going concern. As Ricketts points out, “if these victims are prohibited from paying a ransom, that’s going to increase the ‘death toll’ significantly.” He doesn’t think the authorities have the stomach to deal with the human impact, especially when it comes to healthcare providers going offline.
A further problem comes when you consider the criminal mindset. Will cybercriminals, not known for their obeisance to authorities, actually be deterred by a ransomware payment ban? The evidence we have is not encouraging: despite the legislation in North Carolina and Florida, the number of attacks in those states does not appear to be dropping.
“If criminal groups no longer have this particular path to revenue, I find it highly unlikely they’re going to go straight,” remarks Jen Ellis, co-chair of the Institute for Security and Technology’s (IST’s) Ransomware Task Force (RTF). “I think cybercriminals will ask, ‘Well, who is the most likely to pay?’ They will go to the most vulnerable organisations, which have no resilience, or to critical infrastructure that has the least ability to tolerate disruption.”
Ricketts agrees that criminals, being flexible, would just change tactics. “If the US authorities could make a ban stick, then the ransomware actors would potentially move on to other countries where they can get paid,” he says.
How to solve a problem like ransomware
In April this year, the RTF argued that a ban wasn’t feasible ‘under current circumstances’. Instead, it published a series of measures that might reduce the need for a ban or, alternatively, provide a roadmap towards one.
The report called for better deterrence (e.g. an international law enforcement partnership to target ransomware criminals), better disruption capabilities (like holding cryptocurrency exchanges to account) and superior lines of response, possibly including the creation of a fund that would aid recovery for victims. Above all, it argued for better preparedness, remarking that organisations across the digital ecosystem need to be better placed to fend off attacks.
“If the ban is your goal, you have to say: ‘The ban is two, three years out and here are the things we’re doing to get to that point’,” says Ellis. “‘Here’s how we’re going to help organisations become resilient.’”
As a first step, she thinks we need to look more granularly at why companies are falling behind on security. “Like, if the problem is cost, what do we do about that?” she says. “If the problem is complexity, what do we do about that? How do we get people to a point where they’re not just seeing headlines about ransomware, but they understand the relevance of it to themselves as organisations?”
Moore agrees that businesses need to step up their security procedures. “You’d be surprised how many companies still put off their auditing and testing for a whole host of reasons,” he says. He thinks the best way of enforcing this might be via cyber insurance providers, which routinely mandate these kinds of checks as a condition of coverage. Ultimately, Moore reasons, insurance providers would be the ones to pay any ransoms, but tighter security standards would reduce their incidence.
Looking towards the future, neither Ellis nor Moore rules out a ban entirely. They just don’t think it’s workable over the short term, given the current state of play for cybersecurity.
Ricketts, for his part, thinks the likelihood of a ban is ‘zero’. After all, imposing this kind of legislation could deal a death blow to corporations (read: some major taxpayers). “Killing the goose that lays the golden egg by regulating them out of existence,” he says, “is a very sensitive topic.”
In his view, momentum towards a ban started to build a few years ago, but since then it has failed to gather pace. “I think the reason is that the dynamics of it are so unappealing compared to the alternative, which is to allow people to pay ransoms,” he says. “Governments are accepting the reality that this isn’t the way to solve the problem.”