The FBI, CISA and NSA all strongly advise against organizations making ransomware payments if they fall victim to ransomware attacks. If so, why not place a ban on paying ransomware demands?

The topic came up at a recent Oxford Cyber Forum. Jen Easterly, Director of CISA, commented on the issue, saying, “I think within our system in the U.S. — just from a practical perspective — I don’t see it happening.” It’s unlikely this was a purely spontaneous remark as the issue of ransomware is top of mind for all cyber professionals, especially the director of CISA. For now, it looks like making ransomware payments a punishable offense is not going to happen.

Even more telling is that Easterly’s answer was made during an interview with Ciaran Martin, the former head of the U.K.’s National Cyber Security Centre. Earlier this year, Martin had called for a ban on all ransomware payments in an article she wrote for The Times newspaper.

So, should paying ransomware be banned or not?

Banning ransomware payments: More harm than good?

The Ransomware Task Force for the Institute for Security and Technology has also chimed in on the topic. The task force stated that placing a ban on ransomware payments in the U.S. at the current time will make it worse for victims, society and the economy. Small businesses typically cannot withstand a lengthy business disruption and might go out of business after a ransomware attack.

Additionally, if a ban was enforced, it could hamper the wider response to ransomware threats. If companies faced penalties for paying, they might be tempted to make ransomware payments secretly. This means accurate data about ransomware variants and threat intelligence would suffer.

Fake ransomware rescue services

Other obstacles to a ransomware payment ban include fake “data recovery” firms. These scammers claim to be able to recover stolen data or crack encryption. But in reality, the alleged rescuers negotiate with ransomware gangs on the side, essentially paying the ransom and then charging the victims a fee. If ransomware payments were banned, these shady operations would likely increase.

Fight the good fight

Some say banning ransomware payments outright could be thought of as capitulation. It sends the message that the security community has no other means to thwart ransomware attacks. Instead, the federal government is mandating the reporting of cyber incidents, such as with the recent Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA). By improving ransomware reporting rates, security teams can learn more about how attackers operate and share threat intelligence. This type of digital solidarity is believed to be more effective than trying to face these threats alone.

Law enforcement efforts should also be supported and ramped up in response to the ongoing ransomware threats. The LockBit ransomware-as-a-service gang is one example of a big win that brought intruders to justice.

Plus, there are efforts such as CISA’s pre-ransomware notification initiative, which aims to reduce risk by alerting organizations of early-stage ransomware activity. The initiative generated more than 1,200 pre-ransomware notifications in 2023.

The U.S. government also champions secure-by-design. At Oxford Cyber, Easterly said, “I do think we’ve made a difference, but I don’t think we’re going to make ransomware a shocking anomaly without successful implementation of a Secure-by-Design campaign,” said Easterly. “We cannot expect businesses that don’t have huge security teams to be able to secure that infrastructure unless that technology comes to them with dramatically reduced numbers of vulnerabilities.”

Setting priorities against ransomware

It’s no secret what the U.S. government feels is the best course for fighting ransomware—the plans are being laid out explicitly. They include stricter incident reporting standards, continued law enforcement efforts, shared intelligence, collaborative efforts and secure-by-design. For now, penalties for paying ransom aren’t part of the official game plan.

However, many entities, including IBM, strongly discourage paying ransomware. Instead, follow best practices and check out IBM’s Definitive Guide to Ransomware.