Calls for government bans on ransomware payments could risk criminalizing desperate victims, industry experts have claimed.
Dominic Trott, director of strategy and alliances at Orange Cyberdefense, told ITPro that a government-imposed blanket ban on complying with demands could “shift the focus of criminality” from perpetrators to victims.
The warning follows an advisory from cyber security firm, Emsisoft, which suggested government authorities must take tougher action against firms that make ransomware payments in a bid to cut the flow of cash to cyber criminals.
A study from the security firm warned that the more money ransomware groups have, the better they can scale operations and expand attacks.
As such, the firm said cutting the supply of money to these groups is key to limiting their impact and addressing the proliferation of attacks across the US.
According to Emsisoft, a blanket refusal to meet ransom demands would force threat actors to switch from high impact encryption-based attacks to less disruptive forms of cyber crime.
Brett Callow, threat analyst at Emsisoft, said a ban is the only realistic way of turning the tide against increasingly sophisticated and aggressive cyber crime groups.
“The reality is that we’re not going to defend our way out of this situation, and we’re not going to police our way out of it either. For as long as ransomware payments remain lawful, cyber criminals will do whatever it takes to collect them,” he said.
“The only solution is to financially disincentivize attacks by completely prohibiting the payment of demands. At this point, a ban is the only approach that is likely to work.”
A ban on ransomware payments will “criminalize victims”
Trott agreed paying out can often backfire and embolden threat actors to increase the frequency of their attacks. Similarly, he warned that complying with demands may not even ensure the stolen data is released.
“If victims of ransomware – or ‘Cyber Extortion’ (Cy-X) – attacks continue to pay the ransoms demanded of them by cybercriminals, there is no reason to believe that this crime wave will abate. Ransom payments essentially fund cyber crime,” he said.
“Paying out leads to more attacks and there is no guarantee that hackers will release the data after receiving payment.”
Yet while he agreed paying ransoms contributes to the problem, Trott highlighted some potential problems with implementing criminal sanctions for those who give in to ransomware groups.
“Criminalizing ransom payments could shift the focus of criminality from the perpetrator to the victim, and set off a chain of unintended consequences, such as a reluctance to report breaches. Whether criminalized or not, businesses should not pay the ransom demanded of them.”
James Blake, EMEA CISO at Cohesity, aired similar concerns with criminalizing the victims of ransomware attacks. Blake told ITPro a better solution was to improve the cyber resilience of institutions to help them recover from attacks more quickly.
“We starve the adversary of funds by organizations being able to withstand attacks, not by legislation,” he said.
“That will only criminalize the victims. Fundamentally changing the perspective on the balance of Protection/Detection to Response/Recovery is where value will really be delivered.”
Blake added that legislation like the EU's DORA, which promotes digital operational resilience, will deliver “far better pragmatic cyber risk management than simply locking up executives”.
Efforts to cease payments to ransomware groups include the International Counter Ransomware Initiative (CRI), an international coalition of over 50 nations committed to building a collective resilience to ransomware.
The end of ransomware payments: how businesses fit into the fight
The initiative launched in 2021 and was expanded in 2023 to reflect a period of heightened activity of ransomware groups. The CRI launched its first joint policy statement in 2023 declaring member governments should not pay ransoms.
Yet despite significant effort among global governments and security agencies to prevent the practice, it still continues.
Ransomware attacks are taking their toll on the region
In its report, Emsisoft revealed a total of 2,207 US hospitals, schools, and governmental organizations were directly impacted by digital extortion attacks during 2023.
As well as the significant financial burdens placed on victims, ransomware attacks are also responsible for the loss of life in some instances, according to the report.
Learn about the evolution of ransomware and current attack sequences
The report cites a study from the Minnesota School of Health that estimated ransomware attacks were responsible for between 42 and 67 Medicare patients between 2016 and 2021.
One case cited by Emsisoft’s report detailed a three year old patient being given a fatal ‘megadose’ of pain medication due to the hospital’s computer systems being offline during treatment.
The financial impact of these attacks is considerable, the report includes research from Chainalysis’s mid-year update showing $449 million was paid during the first six months of 2023, the bulk of which is thought to have come from US organizations.
Emsisoft claims the overall cost of digital extortion in the US is in the billions of dollars, noting that recent attacks on MGM Resorts and Clorox are estimated at $100 million and $356 million respectively.
