June 10, 2024 By Jennifer Gregory 3 min read

The debate about the United States government banning companies from making ransomware payments is back in the headlines. Recently, the Ransomware Task Force for the Institute for Security and Technology released a memo on the topic. The task force stated that making a ban on ransomware payments in the U.S. at the current time will worsen the harm to victims, society and the economy. Additionally, small businesses cannot withstand a lengthy business disruption and might go out of business after a ransomware attack.

“At present, the limited data available indicates that the majority of organizations globally are still underprepared to defend against or recover from a ransomware attack. This preparedness gap remains particularly problematic in resource-constrained critical sectors that are currently being heavily impacted by ransomware attacks, such as healthcare, education and government,” wrote the task force in the memo.

Task force sets milestones to achieve before possible payment ban

The memo alluded to a potential ban in the future and stated that the most effective approach to reducing payments is a multiyear approach. As part of the plan, the task force stated that governments and the technical community need to help businesses that are victims of attacks with recovery options other than paying the ransomware.

Additionally, governments and the technical community need to strengthen victim support to give organizations affected by attacks alternative options for recovery beyond paying the ransomware payment. To increase an organization’s ability to recover from an attack without paying the ransomware, the task force proposed the following four lines of effort, each with specific milestones:

  • Line of effort 1: Ecosystem preparedness
  • Line of effort 2: Deterrence
  • Line of effort 3: Disruption
  • Line of effort 4: Response

Current regulations related to paying for ransomware

While the task force declined to set a ban on making ransomware payments at this time, there are currently other regulations and laws that affect companies in their decision to make a ransomware payment. In 2020, the Treasury Department added potential sanctions for cyber insurers, digital forensics and incident response.

Additionally, the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA), inspired by the SolarWinds, Microsoft Exchange Server and Colonial Pipeline attacks, outlines reporting requirements for ransomware payment requests. The Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA) Reporting Requirements, as directed by CIRCIA, states that cyber incidents must be reported within 72 hours and ransomware payments must be reported within 24 hours.

Read the Definitive Guide to Ransomware

Is a ban a good idea or not?

As the debate about a federal ban continues as the U.S. works toward the milestones, organizations continue to make their own decisions to pay or not to pay ransomware. IBM’s official stance is never to pay ransomware attackers.

Positive effects of a federal ban on ransomware payments

  • A ban could result in less criminal activity. Because cyber criminals commit ransomware attacks to make money, a ban on paying ransomware could lead to fewer attacks. The 2024 IBM Threat Force Intelligence Report found an 11.5% drop in ransomware, likely due to many organizations no longer paying for ransomware.
  • Businesses do not always get their data back even after complying with cyber criminals’ demands. When a company makes a ransomware payment, they trust that the criminals will return their data. However, the Veeam Ransomware Trends Report found that 21% of companies did not receive their data back after paying.

Negative effects of a federal ban on ransomware payments

However, the task force and other experts feel there are many reasons not to put a ban into place at this time:

  • Organizations may go out of business. If an organization cannot recover its data and is prohibited from paying the ransomware, then they are not able to do business. As a result, the business, especially if it is smaller, may cease operations.
  • Victims may not report ransomware attacks and payments. If companies face penalties for paying, then they are likely to not report their payments. When payments are not reported, the government will no longer have accurate records.
  • There is potential for blackmail after the ransomware payment is made. Making payments illegal may produce unintended consequences, such as blackmail. After the attack, the criminals may blackmail the organization for more money to prevent publicity around the ransomware attack and payment.

Moving forward toward a ransomware-ready organization

With the task force providing a detailed roadmap, the goal is for organizations to improve their ability to defend and recover from an attack. Once businesses and government agencies make forward progress, the task force may revisit the feasibility of the ban. When businesses can recover their data relatively easily and get back online quickly, the question of paying ransomware payments becomes less of an issue.

More from News

Regulatory harmonization in OT-critical infrastructure faces hurdles

3 min read - In an effort to enhance cyber resilience across critical infrastructure, the Office of the National Cyber Director (ONCD) has recently released a summary of feedback from its 2023 Cybersecurity Regulatory Harmonization Request for Information (RFI). The responses reveal major concerns from critical infrastructure industries related to operational technology (OT), such as energy, transport and manufacturing. Their worries include the current fragmented regulatory landscape and difficulty adapting to new cyber regulations. The frustration appears to be unanimous. Meanwhile, the magnitude of…

Why the Christie’s auction house hack is different

3 min read - Christie's, one of the world's leading auction houses, was hacked in May, and the cyber group RansomHub has claimed responsibility. On May 12, Christie’s CEO Guillaume Cerutti announced on LinkedIn that the company had “experienced a technology security incident.” RansomHub threatened to leak “sensitive personal information” from exfiltrated ID document data, including names, dates of birth and nationalities. On the group’s dark website, RansomHub claims to possess 2GB of data on “at least 500,000” Christie’s clients from around the world.…

5 takeaways from the White House cybersecurity workforce discussion

3 min read - The Office of the National Cyber Director (ONCD) recently hosted a 3-hour discussion on creating a strong cybersecurity workforce; the results are enlightening. The session involved representatives from more than 30 public and private organizations spanning 12 industries. The ONCD advises the United States President on cybersecurity policy and strategy. Its mission is to advance national security, economic prosperity and technological innovation through cybersecurity policy leadership. “In our increasingly digital world, where cyber threats are growing more frequent and more…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today