Ransomware payments are banned in the public sector: should businesses still pay?

The UK government is introducing a ban on ransomware payments for the public sector and critical national infrastructure, but there could be unintended consequences


The UK could soon become the first country to ban ransomware payments, or at least, payments from public funds. This is the result of a new government consultation on legislation that, if enacted, could create a legal ban on ransomware payments by the public sector and regulated organizations that oversee critical national infrastructure (CNI).

These proposals also put forward measures to increase cyber incident reporting by organizations not covered by the “targeted ban” on ransomware payments. The goal, according to the Home Office, is to increase transparency and intelligence around cyber attacks, and to disrupt the flow of public funds to criminal groups.

“The ban would target the business model that fuels cyber criminals’ activities and makes the vital services the public rely on a less attractive target for ransomware groups,” the Home Office wrote.

Mandatory reporting, for its part, should improve the intelligence available to law enforcement agencies. Businesses not covered by the ban would have to tell the Government if they intended to pay a ransom.

As security minister Dan Jarvis said, announcing the consultation results last month, “ransomware is a predatory crime that puts the public at risk, wrecks livelihoods and threatens the services we depend on. That’s why we’re determined to smash the cyber criminal business model and protect the services we all rely on.”

Banning ransomware payments by the public sector is popular, at least according to the consultation. The Government says that 72% of respondents agreed with the idea of a “targeted ban” for public sector bodies and CNI owners and operators. Mandatory reporting for organizations outside the ban was supported by 63%.

Unintended consequences

The question, though, is whether the measures can achieve their intended results or might cause wider security problems.

“The banning of ransomware payments by UK public bodies and formalizing of ransomware reporting will have a positive impact,” Chris Atkinson, cyber security expert at PA Consulting, told ITPro.

“It will help disrupt cyber criminals and give UK authorities even greater visibility of the problem. It will not be the end of ransomware, though; ransomware as a service (RaaS) will continue and, at least in the near term, be displaced to other sectors. These sectors are already facing cyber attacks, but these could increase.”

This, along with other unintended consequences, is causing concern among cybersecurity experts.

As Atkinson suggests, criminal groups might simply switch their attention away from public sector bodies to organizations that do not fall under the proposed new rules.

“The intent is to remove financial incentives from targeting public sector and CNI organizations and reduce the profitability of ransomware,” he explains. “This is a good thing but will likely lead to displacement of ransomware attacks to other sectors not covered by the ban – though no sector has been safe so far.”

As recent ransomware attacks against the retail sector show, cybercriminals are adept at finding weak spots.

Public sector organizations, including parts of the NHS and education, have been targeted because their cybersecurity measures are relatively weak. Much of this is down to resource constraints and the need to support older technology.

But Atkinson warns that ransomware is not the only way attackers make money, so any payment ban can only be a partial solution. “Fraud, theft, and money laundering will continue to be incentives to cyber criminals,” he says. And the public sector will still be vulnerable to those other forms of attack, especially if funding for security measures remains tight.

“There's a couple different ways this could go,” Crystal Morin, cybersecurity strategist at Sysdig, tells ITPro.

“It depends on who the attacker is and what they want to gain. They could continue to target the public sector and government because they may be ill-prepared and slow to respond. They may know that they’re not going to receive payment, but they’re going to be able to take down a network, or obtain public information or government data.”

Such data, she suggests, could be sold on the dark web, passed on to nation state adversaries, or used by crime groups for other purposes such as extortion. So a ransomware payment ban will certainly not remove the need for public sector bodies to invest in security.

“You have to assume there is someone in your environment, especially in the public sector or critical national infrastructure,” she says.

Facts on the ground

Nonetheless, there is growing interest in ransomware payment bans.

The UK's proposal to ban ransomware payments is by no means the only measure governments are taking to counter ransomware attacks. What sets the UK proposals apart is that the plans would have the backing of the law.

Most other measures, at least so far, are voluntary. One example is the International Counter Ransomware Initiative, a US-led alliance of 40 countries. Launched some two years ago, its signatories also include the UK, Canada, India, and almost every EU member state, all of which pledged not to pay ransoms. And law enforcement agencies, such as the FBI, strongly discourage ransom payments.

There is also the possibility, in the US and elsewhere, of prosecution under existing counter-terrorism, organized crime, and sanctions legislation.

But as Stephen Boyer, chief innovation officer at cybersecurity firm Bitsight, points out, there have not yet been any documented cases of that threat being carried through. “I’ve not seen it yet, though [payment] is strongly discouraged,” he tells ITPro. But the risk of penalties is there.

He adds that, alongside evidence that public sector bodies are moving away from ransomware payments, internal bans have long been in place at many regulated organizations. The UK government already has a policy of not paying ransoms. “The UK public sector hasn’t really been paying, so this is not a huge deviation,” he says.

The proposals would extend the non-payment rule to CNI and publicly funded “arm’s-length bodies”, but Boyer, at least, expects centralized reporting to have more of an impact on countering ransomware.

At the same time, ransomware payment bans could have other impacts. As well as pushing ransomware groups to target other sectors, a ban ties the hands of public sector CISOs when their organizations are attacked.

The brutal truth is that organizations often pay ransoms because it is cheaper and less disruptive than recovery. As Boyer points out, no one wants to fund criminal groups. But there are documented cases where public authorities have paid substantially more in remediation than the original ransom demanded.

“Full prohibition with no exceptions means you are not allowed to make a real risk trade off,” he says. And ransomware groups are adept at setting ransoms at a level victims are willing to pay. “They are very strategic in what they charge.”

The ransom payment ban could, as the UK government hopes, disrupt the business model of cybercrime. But it is likely to come at a cost.