The debate over whether the United States government should ban companies from making ransomware payments is back in the headlines. The Ransomware Task Force of the Institute for Security and Technology recently released a memo on the topic, concluding that imposing a payment ban in the U.S. at the current time would worsen the harm to victims, society and the economy. The task force noted in particular that small businesses cannot withstand a lengthy business disruption and might go out of business entirely after a ransomware attack if paying is not an option.
“At present, the limited data available indicates that the majority of organizations globally are still underprepared to defend against or recover from a ransomware attack. This preparedness gap remains particularly problematic in resource-constrained critical sectors that are currently being heavily impacted by ransomware attacks, such as healthcare, education and government,” wrote the task force in the memo.
Task force sets milestones to achieve before possible payment ban
The memo left open the possibility of a ban in the future, but stated that the most effective approach to reducing payments is a multiyear one. Governments and the technical community first need to strengthen victim support so that organizations hit by an attack have realistic recovery options other than paying the ransom. To build that capability, the task force proposed the following four lines of effort, each with specific milestones:
- Line of effort 1: Ecosystem preparedness
- Line of effort 2: Deterrence
- Line of effort 3: Disruption
- Line of effort 4: Response
Current regulations related to paying ransoms
While the task force declined to recommend a ban on ransomware payments at this time, other regulations and laws already weigh on a company's decision to pay. In 2020, the Treasury Department's Office of Foreign Assets Control (OFAC) issued an advisory warning that facilitating a ransomware payment to a sanctioned person or jurisdiction can violate U.S. sanctions. That exposure extends beyond the victim to the parties that help arrange the payment, including cyber insurers, digital forensics and incident response firms and payment processors, which is why a sanctions check on the threat actor is now a standard step before any payment is considered.
Additionally, the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA), passed in the wake of the SolarWinds, Microsoft Exchange Server and Colonial Pipeline attacks, establishes reporting requirements for covered critical infrastructure entities. Under the reporting rule that CISA is directed to issue under CIRCIA (published as a proposed rule in 2024), covered cyber incidents must be reported to CISA within 72 hours and ransomware payments within 24 hours of the payment being made.
Is a ban a good idea or not?
As the debate over a federal ban continues and the U.S. works toward the milestones, organizations are left to make their own decision about whether to pay. IBM's official stance is never to pay ransomware attackers.
Positive effects of a federal ban on ransomware payments
- A ban could result in less criminal activity. Because cyber criminals commit ransomware attacks to make money, a ban on paying ransoms could lead to fewer attacks. The IBM X-Force Threat Intelligence Index 2024 found an 11.5% drop in ransomware incidents, which the report attributes in part to more organizations choosing not to pay.
- Businesses do not always get their data back even after complying with cyber criminals' demands. When a company pays a ransom, it is trusting that the criminals will provide a working decryptor and delete any stolen data. However, the Veeam Ransomware Trends Report found that 21% of organizations that paid did not get their data back.
Negative effects of a federal ban on ransomware payments
However, the task force and other experts feel there are many reasons not to put a ban into place at this time:
- Organizations may go out of business. If an organization has no clean backups from which to recover and is prohibited from paying the ransom, it cannot operate. As a result, the business, especially if it is smaller, may cease operations.
- Victims may not report ransomware attacks and payments. If companies face penalties for paying, they are likely to pay quietly and not report the payment. When payments go unreported, the government loses accurate visibility into the scale of the problem, undermining the very reporting regimes described above.
- There is potential for a second round of extortion after a payment is made. If paying is illegal, a victim that pays anyway has committed an offense, and the criminals know it. They can return to demand more money in exchange for not publicizing the attack and the illegal payment.
Moving forward toward a ransomware-ready organization
With the task force providing a detailed roadmap, the goal is for organizations to improve their ability to defend against and recover from an attack. Once businesses and government agencies make measurable progress against the milestones, the task force may revisit the feasibility of a ban. When organizations can restore their data from protected backups and get back online quickly, the question of whether to pay the ransom largely answers itself.