July 8, 2024 By Jonathan Reed 3 min read

The FBI, CISA and NSA all strongly advise against organizations making ransomware payments if they fall victim to ransomware attacks. If so, why not place a ban on paying ransomware demands?

The topic came up at a recent Oxford Cyber Forum. Jen Easterly, Director of CISA, commented on the issue, saying, “I think within our system in the U.S. — just from a practical perspective — I don’t see it happening.” It’s unlikely this was a purely spontaneous remark as the issue of ransomware is top of mind for all cyber professionals, especially the director of CISA. For now, it looks like making ransomware payments a punishable offense is not going to happen.

Even more telling is that Easterly’s answer was made during an interview with Ciaran Martin, the former head of the U.K.’s National Cyber Security Centre. Earlier this year, Martin had called for a ban on all ransomware payments in an article she wrote for The Times newspaper.

So, should paying ransomware be banned or not?

Banning ransomware payments: More harm than good?

The Ransomware Task Force for the Institute for Security and Technology has also chimed in on the topic. The task force stated that placing a ban on ransomware payments in the U.S. at the current time will make it worse for victims, society and the economy. Small businesses typically cannot withstand a lengthy business disruption and might go out of business after a ransomware attack.

Additionally, if a ban was enforced, it could hamper the wider response to ransomware threats. If companies faced penalties for paying, they might be tempted to make ransomware payments secretly. This means accurate data about ransomware variants and threat intelligence would suffer.

Explore ransomware protection solutions

Fake ransomware rescue services

Other obstacles to a ransomware payment ban include fake “data recovery” firms. These scammers claim to be able to recover stolen data or crack encryption. But in reality, the alleged rescuers negotiate with ransomware gangs on the side, essentially paying the ransom and then charging the victims a fee. If ransomware payments were banned, these shady operations would likely increase.

Fight the good fight

Some say banning ransomware payments outright could be thought of as capitulation. It sends the message that the security community has no other means to thwart ransomware attacks. Instead, the federal government is mandating the reporting of cyber incidents, such as with the recent Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA). By improving ransomware reporting rates, security teams can learn more about how attackers operate and share threat intelligence. This type of digital solidarity is believed to be more effective than trying to face these threats alone.

Law enforcement efforts should also be supported and ramped up in response to the ongoing ransomware threats. The LockBit ransomware-as-a-service gang is one example of a big win that brought intruders to justice.

Plus, there are efforts such as CISA’s pre-ransomware notification initiative, which aims to reduce risk by alerting organizations of early-stage ransomware activity. The initiative generated more than 1,200 pre-ransomware notifications in 2023.

The U.S. government also champions secure-by-design. At Oxford Cyber, Easterly said, “I do think we’ve made a difference, but I don’t think we’re going to make ransomware a shocking anomaly without successful implementation of a Secure-by-Design campaign,” said Easterly. “We cannot expect businesses that don’t have huge security teams to be able to secure that infrastructure unless that technology comes to them with dramatically reduced numbers of vulnerabilities.”

Setting priorities against ransomware

It’s no secret what the U.S. government feels is the best course for fighting ransomware—the plans are being laid out explicitly. They include stricter incident reporting standards, continued law enforcement efforts, shared intelligence, collaborative efforts and secure-by-design. For now, penalties for paying ransom aren’t part of the official game plan.

However, many entities, including IBM, strongly discourage paying ransomware. Instead, follow best practices and check out IBM’s Definitive Guide to Ransomware.

More from News

Zero-day exploits underscore rising risks for internet-facing interfaces

3 min read - Recent reports confirm the active exploitation of a critical zero-day vulnerability targeting Palo Alto Networks’ Next-Generation Firewalls (NGFW) management interfaces. While Palo Alto’s swift advisories and mitigation guidance offer a starting point for remediation, the broader implications of such vulnerabilities demand attention from organizations globally. The surge in attacks on internet-facing management interfaces highlights an evolving threat landscape and necessitates rethinking how organizations secure critical assets. Who is exploiting the NGFW zero-day? As of now, little is known about the…

Will arresting the National Public Data threat actor make a difference?

3 min read - The arrest of USDoD, the mastermind behind the colossal National Public Data breach, was a victory for law enforcement. It also raises some fundamental questions. Do arrests and takedowns truly deter cyberattacks? Or do they merely mark the end of one criminal’s chapter while others rise to take their place? As authorities continue to crack down on cyber criminals, the arrest of high-profile threat actors like USDoD reveals a deeper, more complex reality about the state of global cyber crime.…

CISA adds Microsoft SharePoint vulnerability to the KEV Catalog

3 min read - In late October, the United States Cybersecurity & Infrastructure Security Agency (CISA) added a new threat to its Known Exploited Vulnerability (KEV) Catalog. Cyber criminals used remote code execution vulnerability in Microsoft SharePoint to gain access to organizations’ networks. The CISA press release states that “these types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise.” However, Microsoft identified and released a patch for this vulnerability in July 2024. Cybersecurity experts…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today