Over the last few years, several different government entities (federal, state, and foreign) have pitched the idea of banning ransomware payments. Even as recently as May, the White House mentioned that it was once again contemplating such a ban. But is a ban on ransomware payments really the best way to reduce ransomware attacks?
On the surface, banning ransomware payments seems like the perfect solution. Ransomware attacks are financially motivated after all, and so making it illegal to pay the ransom should in theory remove the incentive for such attacks. Even so, an outright ban could prove to be extremely problematic.
Just to be clear, I am of the mindset that you should never pay a ransom unless there is absolutely no other option. Paying the ransom only emboldens cybercriminals. Additionally, a portion of the ransom payment is inevitably used to fund next-generation ransomware development, thereby making the problem worse. Still, banning ransomware payments poses problems.
Automated Ransomware Attacks Will Still Happen
Let’s suppose that a ban on ransomware payments somehow magically stopped all future ransomware development and all human-operated ransomware attacks. Even if that were to happen, existing automated ransomware would remain in the wild. This automated ransomware would continue to pose a threat to anyone unlucky enough to accidentally click on it.
A Ban Is Nothing More Than a Checklist for Attackers
Another problem with banning ransomware payments is that such an action probably wouldn’t truly ban all ransomware payments. Politicians rarely seem to resist the temptation of creating carveouts and exceptions in the bills that they write. As such, a ransomware payment ban would likely include several exceptions for which a ransom could be paid. For example, a law might ban ransomware payments unless the ransomware affects a public utility or causes more than $50 million in potential losses – something like that.
The point is that these exceptions and carveouts would do little more than act as a checklist for ransomware authors. Remember, a ransomware author’s primary goal is to get paid. If a law states that ransom demands cannot be made unless certain conditions are met, ransomware authors will do everything in their power to make sure that those conditions are met so that they can get paid.
This simply means that banning ransomware payments could backfire spectacularly. Imagine that the government was to ban all ransomware payments unless the ransomware affected the nation’s critical infrastructure. What’s then likely is that the ransomware community would immediately begin focusing their efforts on attacking critical infrastructure, because it would represent their best chance for being paid. In fact, the attacks on critical infrastructure would likely increase exponentially over the volume of attacks that occur today. In other words, there would be a relentless assault on the nation’s critical infrastructure as a result of an exception to the payment ban.
Some Businesses Will Inevitably Fail
Another consequence of banning ransomware payments is that some businesses will inevitably fail as a result. If a business’s mission-critical data is wiped out by ransomware and that data cannot be restored from a backup, the business would likely have to make a difficult choice: either close its doors or break the law by paying the ransom.
Ransomware Authors Will Find a Way
A final reason why a ban on ransomware payments would not work is that ransomware authors will always find a way to get paid.
I can’t help but remember a story about a college fraternity fundraiser that wanted to throw a party and use liquor sales as a way of raising revenue. Of course, most states do not allow booze to be sold without a liquor license. Ultimately, the fraternity allegedly got around the law by selling drinking glasses instead of selling liquor. The liquor was “free,” but the glasses were sold at a price based on how much the average attendee was likely to drink throughout an evening.
Cybercriminals would likely use a similar technique if ransomware payments were made illegal. Rather than demand a ransom payment, ransomware authors might instead go into the business of selling ransomware recovery software (some already do this). It would essentially be no different than demanding a ransom in exchange for a decryption key. Instead, the ransom demand might be presented as an advertisement for recovery software since it is legal for an organization to purchase software.
Comments