Fraud Management & Cybercrime , Ransomware
Banning Ransom Payments: Calls Grow to 'Figure Out' Approach
As Ransomware Disruption Mounts, More Experts Seek Path to Banning PaymentsHow might banning ransomware victims from paying a ransom to their attacker work in practice?
See Also: Webinar | Prisma Access Browser: Boosting Security for Browser-Based Work
As ransomware groups are causing massive damage and disruption and showing no signs of stopping, Ciaran Martin, the former head of Britain's National Cyber Security Center, said "it's time to figure out how to make a ransomware payments ban work."
Writing in a recent London Times op-ed, he emphasized that while governments need to start finding answers to this question, bans shouldn't be immediate. "Note: I said how to make a ban work," said Martin, who's now a professor of practice at Oxford University. "We're not ready for one tomorrow. But we're not trying to get ready either."
He isn't alone in saying tough questions need to be asked about how to make ransom bans work in practice. Such calls have become more urgent as ransomware groups continue to disrupt everything from energy delivery and government services to children's hospitals and access to essential medication.
"Ransomware is getting worse, not just in the number of attacks but in the aggressive nature of the attacks and the groups behind them," said Allan Liska, a ransomware researcher at Recorded Future. "What we are doing simply isn't working."
Estimates of how many victims pay a ransom vary. In late 2022, cybersecurity firm Proofpoint reported that 58% of organizations infected by ransomware paid a ransom. For the last three months of 2023, ransomware incident response firm Coveware reported seeing an average of 29% of victims pay, while cyber insurer Corvus' claims data put the figure at 27%.
Western governments have been devoting greater resources to improving domestic organizations' resilience, to make them tougher to hack. Governments have also been bolstering and coordinating international law enforcement resources, leading to notable infiltrations and disruptions, including those of Hive in January 2023, Alphv/BlackCat last December and in recent weeks, LockBit.
Even so, ransomware groups last year amassed more known victims than ever before, while receiving record-breaking cryptocurrency ransom payments totaling at least $1.1 billion, according to blockchain analytics firm Chainalysis.
Quest for 'Long-Term Success'
In January, Liska began calling for a ransom ban. "A ban on ransom payments will be painful and, if history is any guide, will likely lead to a short-term increase in ransomware attacks, but it seems like this is the only solution that has a chance of long-term success at this point," he said. "That is unfortunate, but it is the reality we face."
Banning ransoms would likely incentivize criminals to pursue other, less disruptive strategies, said Brett Callow, a threat analyst with Emsisoft.
"For as long as ransomware payments remain lawful, cybercriminals will do whatever it takes to collect them," he said. "The only solution is to financially disincentivize attacks by completely prohibiting the payment of demands. At this point, a ban is the only approach that is likely to work."
Challenges remain. While the state governments of North Carolina and Florida have banned public entities from paying a ransom, experts say those entities haven't seen a decrease in the volume of ransomware targeting them.
In 2021, the Institute for Security and Technology launched a Ransomware Task Force to better coordinate the public and private approach to combating ransomware, and it released a pivotal report outlining key strategies. While all of its working groups considered banning ransoms, none recommended it, citing concerns about widespread, poor resilience. They also predicted a ban would reduce information sharing with law enforcement.
The question of banning ransoms was the focus of a Ransomware Task Force panel hosted last month (see: Ransomware Experts See Problems With Banning Ransom Payments).
"There is so much work to do before we get to a ban," said panelist Sezaneh Seymour, head of regulatory risk and policy at cyber insurer Coalition, who previously served on the U.S. National Security Council.
Enforcement remains another question, and experts are raising concerns that businesses would go underground to evade a ban or potentially use an offshore entity. Seymour said if U.S. businesses face clear obligations, they will comply. "Businesses tend to be quite careful about wanting to comply - because they are worried about the sanctions," she said. "The real concern then becomes: What are the second- and third-order effects of those policies?"
Articulating how a ban might work seems a crucial next step to addressing such concerns.
The Institute for Security and Technology says the eight co-chairs of its Ransomware Task Force "have developed a phased approach to potentially reach payment prohibition, with 15 milestones marking progress in ecosystem preparedness, deterrence, disruption and response." The RTF hasn't released those milestones yet but tells me it hopes to do so this spring.
One continuing challenge with ransomware is that we still don't know how bad it is. The quantity of victims often is counted based on the data leak sites run by ransomware groups, which only list a subset of nonpaying victims. Compare that to the international Hive ransomware sting that found only 20% of the group's victims reported the crime to law enforcement, the FBI said.
Since criminals too often continue to control the narrative and prefer to obscure the problem, Bill Siegel, the CEO of ransomware incident response firm Coveware, called for much greater information sharing by victims, saying on the RTF panel that law enforcement and policymakers need the best possible intelligence for crafting effective policies to combat ransomware. "Sunlight is the best disinfectant," he said. "This needs to be dragged out in the open and discussed."