Light Dark
June 10, 2024 By Jennifer Gregory 3 min read
News

The debate about the United States government banning companies from making ransomware payments is back in the headlines. Recently, the Ransomware Task Force for the Institute for Security and Technology released a memo on the topic. The task force stated that making a ban on ransomware payments in the U.S. at the current time will worsen the harm to victims, society and the economy. Additionally, small businesses cannot withstand a lengthy business disruption and might go out of business after a ransomware attack.

“At present, the limited data available indicates that the majority of organizations globally are still underprepared to defend against or recover from a ransomware attack. This preparedness gap remains particularly problematic in resource-constrained critical sectors that are currently being heavily impacted by ransomware attacks, such as healthcare, education and government,” wrote the task force in the memo.

Task force sets milestones to achieve before possible payment ban

The memo alluded to a potential ban in the future and stated that the most effective approach to reducing payments is a multiyear approach. As part of the plan, the task force stated that governments and the technical community need to help businesses that are victims of attacks with recovery options other than paying the ransomware.

Additionally, governments and the technical community need to strengthen victim support to give organizations affected by attacks alternative options for recovery beyond paying the ransomware payment. To increase an organization’s ability to recover from an attack without paying the ransomware, the task force proposed the following four lines of effort, each with specific milestones:

  • Line of effort 1: Ecosystem preparedness
  • Line of effort 2: Deterrence
  • Line of effort 3: Disruption
  • Line of effort 4: Response

Current regulations related to paying for ransomware

While the task force declined to set a ban on making ransomware payments at this time, there are currently other regulations and laws that affect companies in their decision to make a ransomware payment. In 2020, the Treasury Department added potential sanctions for cyber insurers, digital forensics and incident response.

Additionally, the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA), inspired by the SolarWinds, Microsoft Exchange Server and Colonial Pipeline attacks, outlines reporting requirements for ransomware payment requests. The Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA) Reporting Requirements, as directed by CIRCIA, states that cyber incidents must be reported within 72 hours and ransomware payments must be reported within 24 hours.

Read the Definitive Guide to Ransomware

Is a ban a good idea or not?

As the debate about a federal ban continues as the U.S. works toward the milestones, organizations continue to make their own decisions to pay or not to pay ransomware. IBM’s official stance is never to pay ransomware attackers.

Positive effects of a federal ban on ransomware payments

  • A ban could result in less criminal activity. Because cyber criminals commit ransomware attacks to make money, a ban on paying ransomware could lead to fewer attacks. The 2024 IBM Threat Force Intelligence Report found an 11.5% drop in ransomware, likely due to many organizations no longer paying for ransomware.
  • Businesses do not always get their data back even after complying with cyber criminals’ demands. When a company makes a ransomware payment, they trust that the criminals will return their data. However, the Veeam Ransomware Trends Report found that 21% of companies did not receive their data back after paying.

Negative effects of a federal ban on ransomware payments

However, the task force and other experts feel there are many reasons not to put a ban into place at this time:

  • Organizations may go out of business. If an organization cannot recover its data and is prohibited from paying the ransomware, then they are not able to do business. As a result, the business, especially if it is smaller, may cease operations.
  • Victims may not report ransomware attacks and payments. If companies face penalties for paying, then they are likely to not report their payments. When payments are not reported, the government will no longer have accurate records.
  • There is potential for blackmail after the ransomware payment is made. Making payments illegal may produce unintended consequences, such as blackmail. After the attack, the criminals may blackmail the organization for more money to prevent publicity around the ransomware attack and payment.

Moving forward toward a ransomware-ready organization

With the task force providing a detailed roadmap, the goal is for organizations to improve their ability to defend and recover from an attack. Once businesses and government agencies make forward progress, the task force may revisit the feasibility of the ban. When businesses can recover their data relatively easily and get back online quickly, the question of paying ransomware payments becomes less of an issue.

 |  |  | 
Jennifer Gregory
Cybersecurity Writer

More from News
March 26, 2025

We are moving!

< 1 min read - SecurityIntelligence.com is being sunset, but have no fear!We have a new home for all of your favorite security and X-Force content.Follow us to www.ibm.com/think to maintain access to the stories and news you love, both new and old.Security Intelligence will officially sunset on Friday, March 28, 2025. To access the latest security thought leadership, go here. To access the latest X-Force research, go here.If you are experiencing cybersecurity issues or an incident, contact X-Force® to help:US hotline: 1-888-241-9812 | Global hotline:…

March 4, 2025

FYSA — VMware Critical Vulnerabilities Patched

< 1 min read - SummaryBroadcom has released a security bulletin, VMSA-2025-0004, addressing and remediating three vulnerabilities that, if exploited, could lead to system compromise. Products affected include vCenter Server, vRealize Operations Manager, and vCloud Director.Threat TopographyThreat Type: Critical VulnerabilitiesIndustry: VirtualizationGeolocation: GlobalOverviewX-Force Incident Command is monitoring activity surrounding Broadcom’s Security Bulletin (VMSA-2025-0004) for three potentially critical vulnerabilities in VMware products. These vulnerabilities, identified as CVE-2025-22224, CVE-2025-22225, and CVE-2025-22226, have reportedly been exploited in attacks. X-Force has not been able to validate those claims. The vulnerabilities…

January 13, 2025

Insights from CISA’s red team findings and the evolution of EDR

3 min read - A recent CISA red team assessment of a United States critical infrastructure organization revealed systemic vulnerabilities in modern cybersecurity. Among the most pressing issues was a heavy reliance on endpoint detection and response (EDR) solutions, paired with a lack of network-level protections. These findings underscore a familiar challenge: Why do organizations place so much trust in EDR alone, and what must change to address its shortcomings? EDR’s double-edged sword A cornerstone of cyber resilience strategy, EDR solutions are prized for…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today
© 2025 IBM Contact Privacy Terms of use Accessibility Cookie Preferences
Sponsored by si-icon-eightbarfeature