Would criminalising ransomware payments be a positive move for businesses?

Preventing and preparing for ransomware attacks can prove extremely challenging for businesses. Zeki Turedi, CTO EMEA, CrowdStrike, analyses the threat of ransomware and its complex capabilities, and discusses the way forward for businesses and society.

When there are difficult problems to solve — like the massive surge in ransomware attacks over the last three to four years — people are attracted by swift, simple, decisive solutions which will allegedly make the problem disappear. The idea of criminalising ransomware payments potentially falls into this category.

Unfortunately, what makes problems difficult is that simple solutions don’t always end up as simple as initially perceived, and in some ways, might make the situation worse.

The appeal of simple common sense

It’s easy to understand the attraction of criminalising ransomware payments, though. First, it has a broad moral and logical appeal. We don’t negotiate with terrorists, runs the logic, because doing so empowers them and funds future crime. When ransoms are paid, cybercriminals are encouraged to attack more and more organisations. A ransom payment thus affects the future risk levels of businesses, hospitals and schools everywhere — paying up might be described as socially irresponsible in this context. Legislation would take this further: it would be criminal.

Second, it’s easy to imagine that the reverse is true: if criminals can’t make money from their attacks, because the victim is unable to pay, then putting time and effort into sophisticated ransomware attacks should surely become significantly less appealing. Current ransomware gangs aren’t a couple of teenagers in a basement somewhere, they’re part of a complex and mature, multi-layer shadow-business ecosystem. If their tactics aren’t making money, they’ll change those tactics and shift attention elsewhere.

And finally, paying ransoms is very rarely an effective solution anyway. There’s absolutely no guarantee that criminals will honour their side of the bargain when businesses pay up — they’re criminals, after all, and there’s no honour among thieves. Cybercriminals also return to the scene of the crime — if data has been exfiltrated during a breach, they may well not delete it following a payment, and instead ask for more money or launch further attacks later down the line. A 2021 survey from the insurer Hiscox found that 28% of the businesses that suffered attacks were targeted on more than five occasions in 2020. So, given that paying ransoms is such a weak tactic, wouldn’t criminalising it rightly discourage businesses from following this route?

Criminal enterprise and agility

However, while these are reasonable arguments, they’re not without flaws.

The key problem is that adversary groups are extremely agile and clever: they’re not going to allow their major source of revenue to simply disappear through a new law. As I said, adversary groups ‘shift tactics’ when something isn’t working. In the last two years, for example, ransomware has moved away from simply encrypting file systems. One reason for this is that, over time, potential victims have become more and more likely to possess reliable, recent backups which can be deployed quickly, and so encrypted file systems are not the disaster they have been historically. Businesses could simply delete the infected systems and restore from backups.

Hence the rise of extortionware — copying information and using the threat of leaking stolen data — and the fines, lawsuits and reputational damage that entails — to extort payments. Ransomware has evolved and grown up — with all the ingredients of a modern IT business emerging in cybercriminal groups. They buy in Ransomware-as-a-Service from other groups, run dedicated leak sites to publish stolen data, and even employ customer service agents to ‘help’ victims purchase and transfer cryptocurrency payments. If ransomware payments are made illegal, adversary groups will very quickly set up a system of brokerages and shell businesses so that victims can still pay despite the ban. They’re already experts at money-laundering — they have to be — a simple act of legislation won’t make them break a sweat.

Then, victims might also wish to break the law if a criminal ban on ransomware payments is enacted. If a business determines that the effects of a current ransomware attack will be catastrophic, then they might decide to pay in an act of desperation, no matter that, as we’ve discussed, it’s not likely to be a successful tactic. In this circumstance, legislation would criminalise the victims of the real criminals, adding to their financial burden and lessening their ability to recover from the attack. And law enforcement agencies will have considerably less chance of stopping and apprehending adversary groups, because victims will be much more motivated to keep attacks on their systems a secret.

We should also understand that legal bans on activities people want to do are often unenforceable and can have deeper, pernicious effects, sometimes outweighing the benefits of the bans. Prohibition famously led to the rise of bootlegging, speakeasies and criminal gangs in 1920s America. Bans on other drugs have fuelled criminal empires. Desired-but-illegal activities all over the world have created vast, shadow economies. A ban is by no means always a cure.

Hard solutions

Whether to formally ban ransomware payments is a complex policy matter that may not be dealt with for some time, so what then is the way forward for businesses and society?

At a broad level, there needs to be a much wider understanding of why paying ransoms is such a bad idea. Paying up probably won’t work for the individual business for the reasons we’ve discussed, so their efforts should instead be laser-focused on preventing, intercepting, eliminating and recovering from breaches. They need enforceable, comprehensive policies on all IT activities, and next-generation antivirus software and endpoint protection that can cover their entire IT estate, wherever it is and whatever form it takes. They need strong identity controls based on ‘Zero Trust’ principles, threat intelligence and threat hunting capabilities, and they need to be able to respond immediately and stop threats as they arise.

More broadly, they need thorough, working incident response and Disaster Recovery plans. Developing cyber-resilience should be a key imperative for organisations. Breaches happen and even the best-protected systems can be penetrated given the right combination of luck, skill and effort. But such disasters will not be catastrophic if the right systems, processes and policies are in place. If businesses don’t have the people internally to provide these, they need to work with a partner who can.

There is no ‘quick fix’ to the ransomware scourge through legislation, but developing and maintaining cyber maturity provides a positive, achievable and effective approach to making its existence much less of a threat.
