Light Dark
June 10, 2024 By Jennifer Gregory 3 min read
News

The debate about the United States government banning companies from making ransomware payments is back in the headlines. Recently, the Ransomware Task Force for the Institute for Security and Technology released a memo on the topic. The task force stated that making a ban on ransomware payments in the U.S. at the current time will worsen the harm to victims, society and the economy. Additionally, small businesses cannot withstand a lengthy business disruption and might go out of business after a ransomware attack.

“At present, the limited data available indicates that the majority of organizations globally are still underprepared to defend against or recover from a ransomware attack. This preparedness gap remains particularly problematic in resource-constrained critical sectors that are currently being heavily impacted by ransomware attacks, such as healthcare, education and government,” wrote the task force in the memo.

Task force sets milestones to achieve before possible payment ban

The memo alluded to a potential ban in the future and stated that the most effective approach to reducing payments is a multiyear approach. As part of the plan, the task force stated that governments and the technical community need to help businesses that are victims of attacks with recovery options other than paying the ransomware.

Additionally, governments and the technical community need to strengthen victim support to give organizations affected by attacks alternative options for recovery beyond paying the ransomware payment. To increase an organization’s ability to recover from an attack without paying the ransomware, the task force proposed the following four lines of effort, each with specific milestones:

  • Line of effort 1: Ecosystem preparedness
  • Line of effort 2: Deterrence
  • Line of effort 3: Disruption
  • Line of effort 4: Response

Current regulations related to paying for ransomware

While the task force declined to set a ban on making ransomware payments at this time, there are currently other regulations and laws that affect companies in their decision to make a ransomware payment. In 2020, the Treasury Department added potential sanctions for cyber insurers, digital forensics and incident response.

Additionally, the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA), inspired by the SolarWinds, Microsoft Exchange Server and Colonial Pipeline attacks, outlines reporting requirements for ransomware payment requests. The Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA) Reporting Requirements, as directed by CIRCIA, states that cyber incidents must be reported within 72 hours and ransomware payments must be reported within 24 hours.

Read the Definitive Guide to Ransomware

Is a ban a good idea or not?

As the debate about a federal ban continues as the U.S. works toward the milestones, organizations continue to make their own decisions to pay or not to pay ransomware. IBM’s official stance is never to pay ransomware attackers.

Positive effects of a federal ban on ransomware payments

  • A ban could result in less criminal activity. Because cyber criminals commit ransomware attacks to make money, a ban on paying ransomware could lead to fewer attacks. The 2024 IBM Threat Force Intelligence Report found an 11.5% drop in ransomware, likely due to many organizations no longer paying for ransomware.
  • Businesses do not always get their data back even after complying with cyber criminals’ demands. When a company makes a ransomware payment, they trust that the criminals will return their data. However, the Veeam Ransomware Trends Report found that 21% of companies did not receive their data back after paying.

Negative effects of a federal ban on ransomware payments

However, the task force and other experts feel there are many reasons not to put a ban into place at this time:

  • Organizations may go out of business. If an organization cannot recover its data and is prohibited from paying the ransomware, then they are not able to do business. As a result, the business, especially if it is smaller, may cease operations.
  • Victims may not report ransomware attacks and payments. If companies face penalties for paying, then they are likely to not report their payments. When payments are not reported, the government will no longer have accurate records.
  • There is potential for blackmail after the ransomware payment is made. Making payments illegal may produce unintended consequences, such as blackmail. After the attack, the criminals may blackmail the organization for more money to prevent publicity around the ransomware attack and payment.

Moving forward toward a ransomware-ready organization

With the task force providing a detailed roadmap, the goal is for organizations to improve their ability to defend and recover from an attack. Once businesses and government agencies make forward progress, the task force may revisit the feasibility of the ban. When businesses can recover their data relatively easily and get back online quickly, the question of paying ransomware payments becomes less of an issue.

 |  |  | 
Jennifer Gregory
Cybersecurity Writer

More from News
July 23, 2024

Recent CrowdStrike outage: What you should know

3 min read - On Friday, July 19, 2024, nearly 8.5 million Microsoft devices were affected by a faulty system update, causing a major outage of businesses and services worldwide. This equates to nearly 1% of all Microsoft systems globally and has led to significant disruptions to airlines, police departments, banks, hospitals, emergency call centers and hundreds of thousands of other private and public businesses. What caused this outage in Microsoft systems? The global outage of specific Microsoft-enabled systems and servers was isolated to…

July 22, 2024

White House mandates stricter cybersecurity for R&D institutions

2 min read - Federal cyber regulation is edging further into research and development (R&D) and higher education. A recent memo from the Office of Science and Technology Policy (OSTP) states that certain covered institutions will be required to implement cybersecurity programs for R&D security. These mandates will also apply to institutions of higher education that support R&D. Beyond strengthening the overall U.S. security posture, this move is also in direct response to growing threats posed by the People's Republic of China (PRC), as…

July 19, 2024

New memo reveals Biden’s cybersecurity priorities through fiscal year 2026

2 min read - On July 10, 2024, the White House released a new memo regarding the Biden administration’s cybersecurity investment priorities, initially proposed in July 2022. This new memorandum now marks the third time the Office of the National Cyber Director (ONCD), headed by Harry Coker, has released updated priorities and outlined procedures regarding the five core pillars of the National Cybersecurity Strategy Implementation Plan (NCSIP), now relevant through fiscal year 2026. Key highlights from the FY26 memorandum In the latest annual version…

Topic updates

 Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today
© 2024 IBM Contact Privacy Terms of use Accessibility Cookie Preferences
Sponsored by si-icon-eightbarfeature