Should ransom payments be banned?
No, I’m not talking about incidents of kidnap. These days the word “ransom” is far more likely to refer to the ransomware attacks which are impacting organisations around the world. These incidents – which involve hackers encrypting data and demanding payment for it to be restored – are now increasingly seen as the number one cyber threat in the world today.
And that’s exactly why The Intelligence Network (TIN) has placed this issue under our spotlight. Not only do we want to understand our adversaries, but we want to help find ways to repel their advances. But does that include banning ransom payments?
Members of The Intelligence Network, including representatives from major technology companies, insurers, and different Critical National Infrastructure (CNI) sectors, have recently discussed ransomware’s rapid rise, and whether the payment of ransomware demands should be outlawed.
Removing the economic incentives arising from ransomware found general support – and for a variety of reasons. For example, stopping payments forces criminals to change their model. Assuming that a ban ‘dries up’ this criminal revenue stream, ransomware-as-a-service and ransomware directed at organisations would lose popularity among cyber criminals.
Banning payments could also change the mindset of executives in a quandary over whether to pay. Although this would not be absolute, it is likely that knowing that paying a ransom is illegal (and subject to further penalties), CEOs and board members would be inclined to find alternative means of recovering. However, there are drawbacks.
Although recovery via bulk decryption is often slow and impractical, and relatively rare, organisations facing an existential crisis with no other way of recovering may choose to pay the ransom and obtain a decryptor. Given that such payments would be illegal under a ban, they would likely be hidden away and not reported to governments/regulators; alternatively, the company may plead for an exception from its respective government in exceptional circumstances.
Attempting to permit payments from organisations in certain CNI sectors, or under certain conditions, may also have inadvertent negative consequences. For example, a hypothetical policy that outlawed ransom payments unless there was a demonstrable threat to national security, economic security, healthcare, or other factors, would likely lead to criminal operators focusing their efforts on the sectors most likely to qualify for such an exception.
A number of additional complexities came out of our discussion. Take the implications for cyber insurance as a case in point.
Enforcing a ban on ransom payments would presumably mean cyber insurance policies cannot cover reimbursement of ransom payments; this could be seen in a similar light to the fact that insurance cannot generally cover regulatory or legal penalties/fines. Interestingly, AXA France recently made this move.
Clearly, any governmental policy change will require close co-ordination with the insurance industry, whose regulatory and associative bodies see ransomware as a major issue at present.
However, it is important to note that the costs of downtime and recovery from a ransomware attack (regardless of whether a ransom payment is made) often dwarf the ransom demand itself; cyber insurance policies would still be able to cover recovery costs and support organisational resilience, despite any ban on ransom payments. RUSI’s recent paper, ‘Cyber Insurance and the Cyber Security Challenge’, is recommended reading on cyber insurance.
There are also implications for policymakers. If ransom payments are banned, governments would either need to accept that there will be a small number of organisational casualties, or provide sufficient financial and technical support to avoid this situation arising in exceptional circumstances. This could challenge the scale of public resources and ability to respond in this way.
And then there’s regulation on cryptocurrency. Accumulating information about cryptocurrency wallets and transactions on any ransom payments enables a better understanding of the criminal ecosystem, which may be the best way to stop the flow of money.
The FBI’s recovery of funds from a DarkSide affiliate following the Colonial Pipeline attack may not be widely transferable to other cases, but the more timely information that can be gathered on this ecosystem, the better. The sanctioning of criminal groups (such as Evil Corp) is also a key consideration – payments to sanctioned entities may violate sanctions laws, and more criminal groups may be designated as sanctioned entities in future.
The prospect of ransomware-as-a-service and ransomware targeted at organisations ‘going away’ seems a long way off, though banning ransom payments may be one of the most effective tools to get there, along with coordinated law enforcement action against criminal groups. In a situation where large numbers of cyber criminals are forced to change their model, it is likely that some would move to business email compromise (BEC), and others may move back to targeting individuals and smaller businesses with ransomware.
Ultimately, the policy calculus around banning ransom payments, or the less extreme measure of enforcing the reporting of payments and attacks, will vary from country to country. A ramp-up in international co-ordination is already happening, but mismatches between ransomware policies at a governmental level could create issues in the long term.
Banning ransomware payments is one of many ways to potentially counter the ransomware problem, and, if done correctly, could have a significant impact. However, this would require careful co-ordination with law enforcement, the insurance industry, and other stakeholders.
Whether this is feasible and suitable will likely vary on a country-by-country basis. In the short term, though, we recommend a policy requirement that ransomware attacks, and any payments made, are reported at a national level, and that regulation around ransom payment reimbursement in cyber insurance policies is examined closely.
Moreover, any ban on ransom payments should not come at the expense of initiatives to improve cyber security and organisational preparedness and ability to recover, nor hamper law enforcement pursuit of the criminal enablers of ransomware. Diplomatic engagement regarding safe harbour for criminal activity is also a key facet of this problem, which needs to continue.
About the author
James Muir is the Threat Intelligence Research Lead at BAE Systems Applied Intelligence
james.muir2@baesystems.com
About TIN
The Intelligence Network is an industry initiative launched by BAE Systems Applied Intelligence in July 2018, powered by a global community of like-minded cyber and financial crime experts, and industry influencers, committed to creating a safer society in the digital age. If you want to become a corporate supporter to help us accelerate our plans, please get in touch. The more input from members across various sectors, skills and experiences, the more The Intelligence Network will strengthen, grow and thrive.