Infosec pros weigh in on proposed ransomware payment bans
Whether for or against a payment ban, security professionals are concerned regulations could negatively affect victims and result in fewer incident disclosures.
A record setting year for ransomware has caused the infosec community to reconsider a payment ban. But most vendors and experts say such a policy will be ineffective if enterprises do not improve security postures.
A plethora of new groups emerging in the threat landscape and threat actors employing more brazen extortion tactics to pressure payments all contributed to a surge in ransomware activity last year. Corvus Insurance declared 2023 a "record-setting year," and NCC Group documented an 84% increase in the number of ransomware attacks between 2022 and last year. Vendors also warned the threat will likely only increase in 2024 and might be exacerbated by AI tools in the future.
While payment bans are not a new idea, the steady influx of attacks throughout 2023, which have led to prolonged disruptions, outages and data breach notifications for millions of individuals, has prompted some to reconsider the approach. The problem has become so dire that in January, Emsisoft called to outlaw ransom payments, and some infosec professionals agreed.
"We believe that the only solution to the ransomware crisis -- which is as bad as it has ever been -- is to completely ban the payment of ransoms," Emsisoft wrote in the report.
The security vendor published "The State of Ransomware in the U.S.: Report and Statistics 2023" in January, which showed attacks against the healthcare, education and government sectors continue to mount. Due to a lack of transparency in ransomware reporting, Emsisoft estimates the number of attacks is likely much higher.
If it was illegal for organizations to pay ransoms, Emsisoft believes threat actors "would move from high impact encryption-based attacks to other less disruptive forms of cybercrime." Current government efforts to fight ransomware, such as the formation of the International Counter Ransomware Initiative and recent law enforcement actions that disrupted operations of the Alphv/BlackCat and LockBit ransomware groups, are not enough. Even a federal government pledge to not pay ransoms doesn't appear to have had an impact on the threat, Emsisoft said.
Government-issued sanctions against virtual currency exchanges over the past few years don't appear to be effective in reducing ransomware activity either. The Treasury Department's Office of Foreign Assets Control intended to disrupt the flow of cryptocurrency that actors rely on for profit by sanctioning platforms such as Russian-based Garantex in 2022 and Suex in 2021. However, Emsisoft revealed the average ransom payment jumped from $5,000 in 2018 to $1.5 million in 2023 and attributed the surge to the alarming increase in ransomware volumes.
Similarly, blockchain analysis firm Chainalsysis found ransomware payments surpassed $1 billion in 2023. According to a Wired report Monday, Alphv/BlackCat recently received a bitcoin payment equivalent to $22 million, which is one example of the exuberant amounts ransomware gangs may be collecting from victim organizations. TRM Labs, a blockchain analytics firm, and Recorded Future, a threat intelligence vendor, traced the payment to a cryptocurrency wallet associated with Alphv/BlackCat.
The ransomware gang was behind last month's attack on Change Healthcare, which has caused massive disruptions for pharmacies and healthcare providers across the U.S. Change Healthcare has not confirmed it made a ransom payment to Alphv/BlackCat at press time.
In Emsisoft's report, threat analyst Brett Callow said, "We're not going to defend our way out of this situation, and we're not going to police our way out of it either." The report also emphasized that banning ransomware payments is "the only quick solution." While successful ransomware attacks can cause economic and social harm for victim organizations, financial fallout pales in comparison to a much more daunting concern.
"As already noted, ransomware is estimated to have killed about one American per month between 2016 and 2021, and it likely continues to do so. The longer the ransomware problem remains unfixed, the more people will be killed by it," the report said.
This is a real problem, especially when healthcare organizations are involved, and the sector is involved often. A recent advisory from CISA showed the sector comprised the majority of Alphv/BlackCat victims since mid-December. Ransomware attacks against hospitals can lead to delayed care such as ambulance diversions, which can be life threatening. Additionally, several studies conducted over the years show ransomware has led to patient deaths.
While vendors and infosec experts agree that the significant increase in the volume and number of ransomware victims deserves attention and action, they are divided on the effectiveness of a ransom payment ban and whether it would hinder activity at all. For one, organizations will likely find ways to circumvent the ban as they do when using sanctioned cryptocurrency exchanges.
Emsisoft's counterargument is that a ransom payment ban isn't intended to stop all payments. The vendor believes "most companies would abide by the law," and if enough do so, it would significantly reduce ransomware groups' profits.
To pay or not to pay?
One of the primary arguments for banning payments is that continually giving into ransom demands incentivizes the ransomware threat actors and fuels further attacks. On the other hand, ransomware attacks can severely disrupt an organization and result in significant financial losses. Regardless of their stance on the matter, infosec experts agree there would be many challenges to implement and maintain a payment ban.
While Dan Draper, CEO of data security startup CipherStash, agreed that ransom payments should be banned, he also believes clear exceptions need to be outlined in such policies. For instance, a ban could make fallout immeasurably worse for healthcare or any organization where a life-threatening risk is imposed if the victim does not pay. The healthcare aspect is a common concern among security professionals.
A nationwide cyber hygiene resilience culture is crucial to the ransomware fight, Draper said, but adoption is decades away, and the growing threat requires a solution now. At the same time, he expressed concern that a ban puts additional pressure on organizations rather than more consequences for the ransomware actors.
"It's victim blaming at a corporate level," Draper said.
Tim Morris, chief security advisor at Tanium, also leans toward implementing a payment ban but said he is concerned it might not result in a substantial change to the threat landscape. Introducing and maintaining bans would create a lot of work, he said, but could also incentivize enterprises to improve security postures, specifically around maintaining effective backup and recovery plans to minimize disruptions.
Like many cybersecurity companies, NCC Group saw a significant increase in the number of ransomware attacks globally in 2023.
Morris highlighted many concerns about paying ransoms. Enterprises may question whether it's cheaper to pay the ransom for a decryption key to get business up and running again, versus going through all the incident response and backup procedures. One example he provided was the attacks against two Las Vegas casino giants last year. Following a social engineering campaign focusing on Okta credentials, two of its customers, MGM Resorts International and Caesar's Entertainment suffered ransomware attacks that threatened to halt operations. Caesars ended up paying the ransom to resume operations, but MGM chose not to, and racked up more than $100 million in losses.
To Morris, those attacks demonstrated the typical debate that occurs within an organization during a ransomware attack. There are legal and ethical considerations and then there's the business side. In any case, Morris advised enterprises to verify that the threat actor is not bluffing about the extent of stolen data.
Cyber insurance also plays a role in the decision to pay. Policies offer reimbursement for ransom payments and insurers often provide breach coaches and negotiators, who Morris said are successful in reducing the amounts that organizations then pay. Morris also said cyber insurance can influence decisions to put off addressing security shortcomings. He recalled one conversation with a banking executive who said the bank's vulnerability management and patching numbers were horrible, but they relied on cyber insurance rather than improving its security posture.
"If you look at all attacks and breaches, [you'll] see all the high percentages come down to two things: stolen credentials, which means poor authentication, identity management or poor patching, and vulnerability management. Those are preventable things," Morris said.
Even if organizations do pay, there is no guarantee the threat actors will keep their word to provide a decryptor or delete sensitive stolen data. Nick DeLena, cybersecurity and privacy advisory at PFK O'Connor Davies, cited many cases where the attackers disappeared after receiving a payment, leaving enterprises without a decryptor. He added that even when a key is provided, the decryption process can be flawed and render a significant amount of data unusable.
"In my opinion, a payment ban would not materially change things for victims since payments often do not result in a restoration of data," DeLena wrote in an email to TechTarget Editorial.
James Turgal, vice president of cyber risk and strategy at Optiv, agreed that there are a few threat actors and groups that never intend to give victim organizations a decryptor. Even if they do, Turgal said on average only 16% to 20% of the data is fully recoverable.
"There's a trend in the last couple of years where that decryption key is actually embedded with more malware. It's deploying new malware so they can come back six months, nine months, 18 months later and basically reinfiltrate your system," Turgal said.
Before paying, it's important for victim organizations to understand what kind of ransomware it is. For example, it could be a wiper posing as ransomware, Turgal said. He also said there are existing state laws that ban payments for some organizations but stressed that just because something is illegal, it doesn't mean people won't break the law.
"I would support a ban on ransom payments if both the government and the private sector get together to actually agree to do this across the board. You're not going to stop it unless everybody agrees to do it," he said.
While he does favor a payment ban, Turgal shared Draper's concerns from a victim shaming standpoint. Many organizations can't afford the downtime or lack the resources to maintain strong security postures, leaving them with little choice but to pay. Small and medium-sized businesses are feeling the brunt of ransomware, and Turgal called for federal funding for state and local agencies to help those victims.
Alejandro Rivas-Vasquez, global head of digital forensics and incident response at NCC Group, agreed that regulators should consider the victim organizations and potential for shaming them. He pushed back against claims that ransom payments fuel cybercriminal activity because digital fraud, such as business email compromise, is a bigger moneymaker.
"The global financial impact of digital fraud exceeds total losses from ransomware, according to many sources, including the FBI," Rivas-Vasquez said in an email to TechTarget Editorial.
A business decision
Like Turgal, Steve Winterfeld, advisory CISO for Akamai, agreed that paying a ransom is a corporate decision between the company's leadership and legal team. While Akamai doesn't have an opinion regarding a payment ban, he said the best way to avoid paying is by having good backups and network segmentation.
"One piece of advice I'd give is, don't decide [whether to pay] during the crisis," Winterfeld said.
He also addressed ransomware attacks against the healthcare sector. In those instances, data encryption is not the problem, but disrupting the machines that keep people alive is. The business model for healthcare providers is not about the data, but about the equipment, he emphasized which is different compared to other sectors. That can make ransom payment decisions much more challenging.
Joseph Carson, chief security scientist and advisory CISO at Delinea, a privileged access management vendor, also argued that paying the ransom is a business decision. He highlighted many challenges, including whether the cybercriminal is based in a sanctioned country, whether the organization will survive if the payment is not made, and if the ransomware gang is part of a ransomware as a service (RaaS) operation.
RaaS contributed to the rise in the number of attacks last year because the business model allows threat actors of all technical skill levels to engage in attacks. Developers will sell ransomware strains to affiliates who then deploy attacks, opening the flood gates for more threat activity.
"I, many years ago, was in favor of making ransomware payments more difficult. But after being involved in assisting with multiple ransomware incident responses and recovery, I began to realize that it is a business decision on whether or not a ransom should be paid and not a security one. So I am no longer in a position to advise on whether or not a ransom should be paid," Carson wrote in an email to TechTarget Editorial.
Rather than enacting a payment ban, NCC Group director Stephen Bailey believes regulations should focus on helping organizations avoid and recover from attacks.
"Taking away the only lifeline for some organizations when they have been 'done over' does not seem like the sensible thing to do, even if you ignore the fact that the money will still flow somehow," Bailey wrote in an email to TechTarget Editorial.
Transparency concerns
Another negative consequence of outlawing ransom payments could be a continued lack of transparency around the threat. As Emsisoft addressed, ransomware is often underreported, making it difficult to assess the real number of attacks. The transparency problem contributed to the U.S. Securities and Exchange Commission implementing a four-day reporting rule that took effect in December. Now public companies are required to report cyberattacks they deem material on Form 8-K filings within four business days.
I would support a ban on ransom payments if both the government and the private sector get together to actually agree to do this across the board. You're not going to stop it unless everybody agrees to do it.
James TurgalVice president of cyber risk and strategy, Optiv
In a January blog post, Coveware, a ransomware incident response vendor, outlined several challenges it anticipates with a payment ban. The blog emphasized that historically bans have not been effective. For example, Florida enforces a payment ban, but Coveware said it has not resulted in fewer attacks. If a federal ban was implemented, Coveware is concerned it would affect transparency and reverse any progress made on reporting attacks to government and law enforcement agencies.
"Victim reporting would drop dramatically, and victim cooperation with law enforcement that contributes to their ongoing disruption efforts would dissipate dramatically," Coveware wrote in the blog.
Similarly, Tim Rawlins, senior advisory and director of security at NCC Group, said a ban will likely force payments underground. "Organizations will then be put in an even more difficult position if they take the decision to pay and then have to conceal that from the government and regulators, leaving themselves open to further extortion," Rawlins wrote in an email to TechTarget Editorial.
In an email to TechTarget Editorial, Callow emphasized how there's already problems with transparency and reporting.
"While I've no doubt that some companies would make illegal payments -- I mean, they already do! -- most would not, especially if the law created consequences for executives," he said. "We need to try new things, and realistically, a ban is likely the only way to quickly reduce volumes."
Ian Usher, deputy global practice lead for strategic threat intelligence at NCC Group, emphasized that banning payments is not a new idea. The Australian government considered it in its new 2023-2030 Cyber Security Strategy, but Usher said they opted for an approach that "strongly discourages" paying ransoms to cybercriminals instead. Usher also said organizations would not disclose attacks to avoid punitive action for paying. That would negatively impact ransomware tracking and defenders' ability to gather and share intelligence.
Like Draper, Usher addressed the need for clear exceptions, especially regarding organizations where human life is at risk or ones that provide public services. However, he's also concerned that ransomware groups would likely target the exceptions to maintain their illicit revenue streams and highlighted how threat groups rapidly evolve to any changes that affect their success.
"We applaud global efforts to help tackle the global problem that is ransomware, but with hundreds of victims every month, a legislative approach is unlikely to see any tangible results for years," Usher wrote in an email to TechTarget Editorial. "The most effective route is to discourage ransom payment and then work with industry to improve reporting of incidents, intelligence sharing and the cybersecurity preparedness of organizations."
Arielle Waldman is a Boston-based reporter covering enterprise security news.
