jamdesign - stock.adobe.com
The question of whether to ban ransomware payments is not a new one, but two events in recent weeks have fueled new discussions surrounding this question.
Last week, the U.S. Department of the Treasury's Office of Foreign Assets Control issued an advisory declaring that facilitating ransom payments for anyone on "OFAC's Specially Designated Nationals and Blocked Persons List (SDN List), other blocked persons, and those covered by comprehensive country or region embargoes (e.g., Cuba, the Crimea region of Ukraine, Iran, North Korea, and Syria)" would likely be violating OFAC regulations. If a victim was to violate said sanctions, penalties could vary from civil penalties and fines to criminal charges.
Ciaran Martin, managing director at cyber venture capital investor Paladin Capital (and previously the first CEO of the U.K.'s National Cyber Security Centre), raised issues about how companies would adhere to this.
"If a victim pays a ransom to someone subject to U.S. Treasury sanctions, that's unlawful," Martin said.
"First, there's a practical point: How are you supposed to know whether your attacker is on the U.S. sanctions list? And secondly, what's the policy outcome here? Why is it OK to pay someone who isn't on the U.S. sanctions list, a ransom for a criminal act of extortion?"
While there is technically a list of those sanctioned by OFAC, it's nearly impossible to tell where the threat actors in a ransomware attack are from.
The other event that triggered discussion about banning ransomware payments is the attack against Germany's University Hospital of Düsseldorf last month. The attack may have resulted in the first ransomware-related death.
In response to this, Emsisoft released a commentary arguing for banning ransomware payments.
"Organizations are currently providing cybercriminals with a multi-billion dollar revenue stream -- which is entirely funded by the public, albeit indirectly -- and it makes absolutely no sense to permit this situation to continue," the commentary read. "The best way to protect organizations from ransomware attacks and to protect individuals from the consequences of those attacks is to make it illegal for organizations to pay ransoms. This would stop the attacks, and stop them quickly."
Experts weigh in
SearchSecurity asked five cybersecurity experts from five organizations whether ransomware payments should be banned. While the idea was generally deemed worthy of consideration, all five stopped short of recommending a ban.
Martin, for instance, said that, "I don't think it's a slam-dunk case, but I would take the case for banning ransom payments very, very seriously."
Sophos senior security advisor John Shier said he doubted that a law against ransom payments would be effective.
John ShierSenior security advisor, Sophos
"I don't know that [banning ransom payments] is necessarily an answer," he said. "I was thinking about this the other day: If we make ransom payments illegal, as a cybercriminal I'll just charge you a 'consulting fee.' It's not going to be an extortion payment -- it's going to be a consulting fee to help you get your network to its previously operating condition. Or I'll just use intermediaries or shell companies or whatever. There are ways around that legally, and they're criminals -- they don't care. They're already breaking one law; they don't care if they're breaking a second law."
The idea of using something like "consulting fees" to get around cybercrime-related payments is not a new concept. Former Uber CSO Joe Sullivan was charged earlier this year for allegedly covering up the company's 2016 data breach by paying hackers to keep quiet under the guise of the payment being a bug bounty reward.
Cybereason CISO Israel Barak said that instead of banning ransomware payments, a standardized series of guidelines for organizations to follow could be more effective.
"While the negative implications of ransom payments are well known -- we've been discussing them for years, there's nothing new, we all know why it's bad to pay ransom -- I think categorically banning it and taking away professionals' discretion in this manner can actually have a boomerang effect," Barak said. "I think we need professionals to have the ability to weigh the pros and cons in each specific case, and decide based on a generally agreed-upon criteria what the right thing to do is. I think instead of categorically banning it, we need to establish guidelines and norms that professionals in the space will be educated to follow and adhere to."
Examples of these guidelines, he said, include determining under which circumstances should victims consider ransomware payment a viable option and, in situations where a professional does decide to pay a ransom, determining how they should engage with law enforcement.
Adam Meyers, senior vice president of intelligence at CrowdStrike, said that while he understands why people make the argument to ban ransomware payments, it's impractical. "It's one thing to ban it," he said. "It's another to enforce it."
Charles Carmakal, senior vice president and strategic services CTO at Mandiant, argued that while the intention for banning ransom payments is positive, it also risks adding "much more complexity to what is already a very complex situation for victim organizations."
"Over the years, we've seen so many organizations pay so much money to criminals, and the reason why there's such a big ransomware problem today is because so many criminals are getting paid. That's why. They're getting tens of millions of dollars in a very short period of time, so they're getting paid very well," he said. "While the intention is very positive, it's going to create a lot of pressure for organizations that are dealing with a data-theft situation, a business disruption situation, a shaming situation, that feel coerced and compelled to pay the threat actors because they want to come back online, and they want to resume their business operations and they want to protect their customers' information. And so it's going to add much more complexity to what is already a very complex situation for victim organizations."
Even if they're not banned, paying ransom is generally ill-advised
Regardless of whether a full ban on ransom payments one day comes to pass, there are numerous reasons to avoid paying ransoms, if possible.
In May, a Sophos white paper found that paying the ransom nearly doubles the cost of remediation versus not paying or relying on backups -- $1,448,458 vs. $732,520.
"This may sound counterintuitive: If you've paid the ransom, why does it cost more?" the authors of the report, "The State of Ransomware 2020," wrote. "Well, even if you pay the ransom, you still need to do a lot of work to restore the data. In fact, the costs to recover the data and get things back to normal are likely to be the same whether you get the data back from the criminals or from your backups. But if you pay the ransom, you've got another big cost on top."
In addition, even if a victim does decide to pay in order to get data back and the risk for a repeat cyberattack (either from poor cybersecurity posture or backdoors created the first time) somehow disappears, chances are that the victim organization is not getting all of its data back, according to a session at Gartner's Security & Risk Management Summit last month.
"What we see is that about 4% of the data is nonrecoverable," said Paul Furtado, a senior director and analyst of MSE security at Gartner, who lead a session at the event. "So that means, yes, you paid, and yes, you got a decryption key, but these bad actors don't care about what is happening to your data when they go through the encryption."
At RSA Conference in February, CrowdStrike CTO Mike Sentonas told SearchSecurity during a discussion about ransomware insurance that too many are choosing to pay the ransom, and that it's "fueling an industry."
"I think the problem, if we take a step back though, is that there are too many organizations, local governments, that are paying the ransoms. It's irrelevant to me if they have insurance or who's actually funding the payment. We shouldn't be paying it," he said. "I understand the need to recover as quickly as possible because people don't have a backup, et cetera. But ... have a backup. Have a plan. Have technology that can prevent against the attack. Because by paying it, we are seeing a huge rise because people are fueling an industry."