There has been considerable debate about banning ransomware payments as a means of curbing the explosive growth of the crime, something that US government officials have even previously discussed. The assistant director of the FBI’s cyber division weighed in at a Congressional hearing, coming out against the ban and suggesting that it would create a second avenue of extortion for criminals to exploit; companies that paid up in spite of the law could then be held to ransom by anyone aware of the payment.
FBI takes a stance in debate over ransomware payments
The argument in favor of banning ransomware payments is essentially rooted in a belief that the average organization is simply never going to keep pace with threat actors in the cybersecurity landscape, and that the only way the explosive problem (currently about a $350 million global industry) is going to be contained is if the funding is cut off.
Of course, passing a law doesn’t mean that organizations will obey it. That is especially true if the only record of it is a cryptocurrency transaction that is very difficult to track, as most ransomware payments are. FBI cyber division assistant director Bryan Vorndran told a Senate Judiciary Committee hearing that organizations could be expected to continue to make ransomware payments anyway in the hopes of quickly resolving the issue, and be left even more vulnerable with an added possibility of blackmail and by cutting themselves off from federal assistance that might be able to track and “claw back” a good deal of the money.
Organizations frequently choose to make ransomware payments for a variety of reasons. One is simple expedience: even if the organization has adequate backups, it may find it far less disruptive to simply have its systems unlocked. Another is the growing trend of data exfiltration and extortion as a component of ransomware attacks, something that was very seldom seen prior to the past two years. A number of the biggest ransomware gangs now not only lock target systems, but steal sensitive internal information and threaten to dump it to the public via dark web sites and blogs. Some organizations, such as hospitals, are so ill-equipped to absorb downtime that they are left with virtually no other strategy for dealing with the threat of ransomware.
Ban of ransomware payments
There have been some high-level discussions about banning ransomware payments in the US, but the government has tended to send signals that the idea is not in favor at the moment. The one concrete move made at the federal level has been to forbid ransomware payments made to entities under sanction, under threat of a fine. Colonial Pipeline appears to have done legal research into a potential violation of this rule before choosing to make a $4.4 million payment to the DarkSide hacking group to resolve its infamous situation.
Congress is holding hearings on the ransomware payments issue in the wake of an April report by the Institute for Security and Technology that did not come down on one side or the other firmly. The ransomware task force’s report suggested that the “ecosystem is not ready” at present for a ban on ransomware payments, but did not rule out the possibility of doing it in the future.
The Transportation Security Administration (TSA), which has direct authority over a number of critical infrastructure elements such as movement of gas and chemicals, has not taken an official position on the issue. However, in a recent interview with CNN, TSA administrator David Pekoske appeared to oppose banning ransomware payments saying that it should be an individual “business and security decision” supported by assistance from the government.
Vorndran noted the fairly recent development of stealing sensitive files and blackmailing companies with them as an example of the adaptability and innovation of ransomware gangs, which may very well find another tactic to compel targets if pressure were turned up on them. He said that 25% to 35% of ransomware incidents are already not being reported to authorities, with that number likely to increase if ransomware payments were made illegal.
A new bill will, if passed, require federal contractors and companies in areas that potentially impact national security to report ransomware attacks to federal agencies within 24 hours. Some in government want to see a similar rule expanded to all the nation’s companies, a measure that Vorndran expressed support for (in the case of ransomware or severe data breaches).
While such legislation could clear a path toward outlawing ransomware payments, Roger Grimes (data-driven defense evangelist at KnowBe4) thinks that a ban can never be effective unless it is willingly supported by all the entities it covers: “It is a really tough call, and if we could get the entire world to truly not pay any ransom ever, ransomware would be gone in a week. But there are always going to be those who skirt the rules, just enough so that ransomware gangs will keep encrypting, exfiltrating and extorting. And the people who play by the rules will simply be hurt more than all the entities that do not. If you outlaw ransom paying, you will immediately explode the amount of ‘ransomware recovery’ firms that claim they do not pay the ransom, but secretly do. There will be a whole lot of firms that claim AI or quantum computers or their own internal crypto experts allowed them to recover the encryption keys. You will have firms paying out of foreign-located entities. And you will have a lot more firms that simply do not get law enforcement involved, pay the ransom and never report it. You will be turning otherwise law-abiding firms into unwanted criminals. So, I really get what people calling for a ban on paying the ransom are trying to do… but it is only going to work in a perfect world… one that we do not have.”