Should we ban ransomware payments?


Ransomware is a scourge of the Internet. Of course, it’s already illegal to hack into someone’s network, encrypt their files, and then extort the victim into paying you a ransom. But should we also ban the victims from paying the attacker to get their files back?

On one hand, this almost seems like punishing victims—they lose access to their files, and then they cop criminal charges, just for trying to get their files back. But there is a sense of logic here, especially if we zoom out a little bit.

Over the last few years, ransomware has become incredibly popular. It’s not because it’s fun, but because it can be very profitable. Instead of hacking into a company, exfiltrating their data, and then selling it on the darknet, attackers may be able to make even more money by locking up the data and then selling it back to the victim. Depending on the data, much of it may be useless to outside entities, but incredibly valuable to the victim organization. This can make ransomware a highly profitable enterprise.

The theory behind banning ransomware victims from paying the attacker for the encryption keys is that a ban will result in far fewer victims paying the ransom—they will be wary of facing criminal prosecution on top of losing their files. If fewer victims pay, the ransomware industry as a whole will become less profitable, which should hopefully mean that fewer people engage in these attacks because the rewards no longer justify the risks. If there are fewer hackers launching ransomware attacks, there should be fewer victims, which would ultimately mean that ransomware becomes less of a problem overall. That’s the theory, at least.

Another major reason to ban ransomware payments is that even if you do pay up, there’s no guarantee that the hacker will actually send you through the encryption keys so that you can unlock your files. You may have just sent a ton of money to some random bitcoin wallet, without getting anything in return.

The current state of ransomware payment bans

The states of North Carolina and Florida have already banned state and local government entities from making ransomware payments, and Australia has also considered similar bans. The Ransomware Task Force recently issued a roadmap in which it stated “…a ban on payments could eventually result in less criminal activity. However, for several reasons detailed below, we believe a ban on payments under current circumstances will likely worsen the harms both for direct victims and, in turn, for society and the economy.”

The Ransomware Task Force went on to say that too many organizations are underprepared to defend against ransomware, and that banning payments could result in fewer organizations reporting attacks—they may simply make payments underground instead. With this in mind, the Ransomware Task Force recommends that governments push toward 16 milestones that will increase resilience before introducing any ransomware payment bans.

Protect your organization from ransomware

For a ransomware attack to be successful, it requires two things:

  • The attackers must be able to breach your network and encrypt valuable files.
  • You must have no extra copies of the files. If you did, you could just restore the files from the backups, and would not need to make any payments in the hopes of getting the encryption key from the attackers.

To take care of the first aspect, you need to ensure that you have strong perimeter defenses to limit the ability of an attacker to access your valuable files. A zero trust approach is a great way to do this, because you can divide up your network into many granular segments, with each requiring authentication to enter. This can help to prevent attackers from moving laterally through the network. Requiring multifactor authentication to access sensitive systems is also crucial for hampering attackers from breaking deep into your network.

Having an appropriate backup strategy is also important for limiting the risks of ransomware. You should ensure that all of your valuable data is backed up at regular intervals, and that the backups are stored in a location that an attacker is unlikely to be able to reach, such as third-party cloud storage or an off-site data center. A backup that the attacker can reach from the compromised network will simply be encrypted along with everything else.
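The second point above (having an independent copy to restore from) only holds if the copy is known to be intact before it is needed. The following script is an added example, not code from the original article or from Destination Certification: it records a SHA-256 manifest of the source files at backup time and later checks a backup copy against that manifest, reporting files that are unchanged, altered, or missing. The `demo()` function builds a small constructed data set in a temporary directory, copies it, and then tampers with the copy to show what a check against an encrypted or deleted backup file looks like. The manifest itself would, in practice, be kept with the off-site copy rather than on the protected host; here it is simply held in memory.

```python
import hashlib
import os
import shutil
import tempfile
from pathlib import Path


def hash_file(path: Path) -> str:
    """Return the SHA-256 hex digest of a file, read in chunks."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map each file under root (relative path) to its SHA-256 digest.

    Taken at backup time, this is the reference the backup copy is later
    checked against. Store it alongside the off-site copy, not on the host
    being protected.
    """
    return {
        str(p.relative_to(root)): hash_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def verify_backup(manifest: dict, backup_root: Path) -> dict:
    """Compare a backup copy against the manifest.

    Returns {'ok': [...], 'modified': [...], 'missing': [...]}.
    A file whose digest no longer matches, or which is gone, is exactly the
    case where restoring from this copy would not get the data back.
    """
    result = {"ok": [], "modified": [], "missing": []}
    for rel, expected in manifest.items():
        candidate = backup_root / rel
        if not candidate.is_file():
            result["missing"].append(rel)
        elif hash_file(candidate) != expected:
            result["modified"].append(rel)
        else:
            result["ok"].append(rel)
    return result


def demo() -> dict:
    """Constructed walk-through: back up three files, damage the copy, verify."""
    with tempfile.TemporaryDirectory() as tmp:
        src = Path(tmp) / "data"
        src.mkdir()
        # Constructed sample data standing in for an organisation's files.
        (src / "ledger.csv").write_text("id,amount\n1,100\n2,250\n")
        (src / "notes.txt").write_text("quarterly planning notes\n")
        (src / "readme.md").write_text("# Records\n")

        backup = Path(tmp) / "backup"
        shutil.copytree(src, backup)          # the "extra copy"
        manifest = build_manifest(src)        # reference digests at backup time

        # Simulate a backup that was reachable from the compromised network:
        # one file overwritten with unreadable bytes, one file removed.
        # (Constructed tampering for the demo, not real malware behaviour.)
        (backup / "notes.txt").write_bytes(os.urandom(64))
        (backup / "ledger.csv").unlink()

        return verify_backup(manifest, backup)


if __name__ == "__main__":
    report = demo()
    for state, files in report.items():
        print(f"{state:>8}: {files}")
```

Run the check on a schedule against the off-site copy, and treat any non-empty `modified` or `missing` list as an incident in its own right: it means the copy you are counting on for recovery is already not recoverable.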
