The former chief executive of the UK's National Cyber Security Centre (NCSC) has called for the government to ban organizations from making ransomware payments.
Writing in The Times, Ciaran Martin, who served as the NCSC’s inaugural chief executive, suggested a ban could help put a stop to the ever-increasing proliferation of ransomware, referring to the 'apparently sanguine attitude' of British policymakers to cyber criminals groups.
"Ransomware is by far the most damaging cyber threat to most businesses right now. We have to find a way of making a ransom payments ban work," he wrote.
Martin suggested that any ban would need a better support network for affected companies. However, the lack of such a policy is in part down to the US' reluctance to introduce a ban amid concerns that it would unreasonably constrain businesses.
Similar concerns have been raised that this could be a particular problem for the country's hospitals, many of which are in the private sector.
Currently, many governments, including the UK, have a policy that they won't pay ransoms themselves. In October 2023, 40 countries pledged their support for the International Counter Ransomware Initiative (CRI) as part of an effort to create a more aligned global approach to cyber crime.
Participating nations agreed not to make payments and pledged to share information and create a blacklist of digital wallets being used to deposit and move ransomware payments.
The official advice for UK-based companies is that they should not pay ransoms under any circumstances. The NCSC suggests that even when companies do so, there's no guarantee that they will get access to their data or systems back, that computers will still be infected, and that those who pay are more likely to be targeted in the future.
Across the cyber security community, there are mixed feelings about whether or not a ban should be introduced.
Oliver Norman, vice president for UK and Ireland at data management firm Veritas, said that regardless of a ban, the outcome of incidents will remain the same, with organizations more likely to be targeted in future and given no guarantees of having data safely returned.
"Whether banned or not, paying not only puts a target on the organization’s back for future attacks," he said. "There’s also no guarantee all of the data will be returned even if a payment is made – we estimate that 32% of businesses that paid ransoms still lost over half their data."
Others, though, believe that a ban is impractical.
"Banning ransomware payments can often have further implications – and this is not the first time this idea has cropped up. Although prevention is better than cure, there are still multiple cases where the only option has been to pay," said Jake Moore, global cyber security advisor at security firm ESET.
"Being stuck between a rock and a hard place is no position any company wants to be in but if the law is directed only one way, then companies can easily fold and the potential of livelihoods lost can make this a damming and forced decision."
Moore warned there is also a danger that driving ransom payments underground could lead to further demands, as well as criminalizing victims.
"Although the long term effects of banning ransom payments may sound idyllic, the path needed to navigate all companies to this ideal is going to be challenging, if not impossible," he said.
Moore's comments follow hefty criticism for cyber security firm Emsisoft in January after it called for an outright ban on ransomware payments.
Emsisoft urged lawmakers to introduce legislation aimed at preventing firms from engaging with cyber criminals, but critics argued it would “shift the focus of criminality” from perpetrators to victims.
Currently, according to a recent report from data security and management firm Cohesity, more than nine-in-ten UK businesses have a no-pay policy - but virtually all of those that have fallen victim to a ransomware attack have in fact paid out.
