Should ransomware payments be illegal?


Ransomware has become an increasingly common problem in recent years for organizations, regardless of size, sector or location. Indeed, Netwrix’s 2024 Hybrid Security Trends Report revealed that malware attacks like ransomware are one of the three most common types of security incidents that organizations experienced in the last year. According to the Information Commissioner’s Office report, in 2023 organizations in Britain reported more data breaches due to ransomware attacks than ever before.
In response to this threat, proposals to make ransomware payments illegal have been gaining traction. For example, earlier this year, Ciaran Martin, ex-CEO of the UK National Cyber Security Centre, called for a ransomware payment ban. The reasoning is that if ransomware payments were illegal, organizations would stop making them, so malicious actors would no longer have an incentive to carry out ransomware attacks.
But is this approach really a viable solution to the scourge of ransomware?
Security Strategist & VP of User Experience at Netwrix.
The moral imperative in some ransomware situations
Ransomware is clearly different from cases of physical extortion like kidnapping and hostage situations. But a ransomware attack can still pose a serious danger to human lives. Notably, an attack on critical national infrastructure (CNI), such as hospitals and other healthcare facilities, can put patients’ lives at risk. In June 2024, Synnovis, a blood test provider for major London hospitals, fell victim to a ransomware attack that resulted in the cancellation or postponement of over 1600 operations and outpatient appointments. In such cases, it’s much harder to say that paying the ransom should be prohibited by law.
Moreover, cybercriminals quickly adapt to changing circumstances. If legal limitations are put into effect, threat actors will likely find ways to overcome them quite swiftly. Ultimately, banning ransom payments could push business leaders into further moral conundrums while under pressure.
The possibility of reduced reporting of ransomware incidents
In July, the UK Government announced its intention to introduce mandatory reporting of all ransomware incidents as part of the Cyber Security and Resilience Bill. Thus, the Government prioritized transparency about ransomware incidents over an attempt to completely ban them.
Indeed, a well-executed ransomware attack can potentially hinder the victim’s business operations to the point of near bankruptcy. Under the proposed new regulations, decision-makers would be expected to report the incident and not pay the ransom. But would they take that path, given that their livelihood, and the livelihood of many others within the organization, hang in the balance? Or might some organizations choose to pay the ransom without informing government agencies of the attack?
We have to remember that the latter option is a viable choice, and it has ramifications beyond the organization that makes it. Not reporting the incident reduces visibility into cybercriminals’ activity, which in turn affects the ability of law enforcement and software vendors to take appropriate steps in response. Without all the information, addressing the challenge of ransomware will become much more difficult.
The banking industry experience — a better way forward?
Various risks are inherent in the nature of the banking industry, and the sector has developed ways to mitigate them. For example, years ago, the main threat was a physical bank robbery, so banks reduced cash handling and installed security cameras, alarm systems and, finally, time-lock safes. Adopting the right security measures is still essential for banks to keep their licenses today.
Following this example, governments could create cybersecurity benchmarks and make risk mitigation strategies the norm for other high-risk industries like energy, manufacturing and healthcare. With standards in place, organizations would have appropriate guidance for establishing an efficient strategy against the threat of ransomware.
Additionally, law enforcement worldwide has a crucial role to play when it comes to collaborating to take down ransomware networks. The recent dismantling of the ransomware gang LockBit performed by the National Crime Agency, FBI, and international partners from nine other countries proves the effectiveness of such collaboration. Government institutions from all over the world released a cybersecurity advisory that summarized LockBit’s tools and tactics. That work resulted in the group’s attack assets being seized, which has made it difficult for them to operate.
Looking ahead: how to combat the threat of ransomware
Ransomware continues to cause significant damage to organizations worldwide, and it is natural for governments to consider legislation that could help reduce the threat. However, denying victim companies the option of paying a ransom to restore their data and operations is not a practical solution. Instead, organizations must prioritize improving their cybersecurity measures, while government departments should increase their vigilance, assistance and investigations.
This article was produced as part of TechRadarPro’s Expert Insights channel where we feature the best and brightest minds in the technology industry today. The views expressed here are those of the author and are not necessarily those of TechRadarPro or Future plc. If you are interested in contributing find out more here: https://www.techradar.com/news/submit-your-story-to-techradar-pro