As cybercriminals continue to reap the financial rewards of their attacks, talk of a federal ban on ransom payments is getting louder.
U.S. officials have long urged against paying ransom demands. But while several U.S. states — including North Carolina and Florida — have made it illegal for local government entities to pay ransom demands, the Biden administration as recently as last fall decided against an outright national ban on ransom payments.
It’s easy to see why. Not only would banning ransom payment be difficult to enforce and require complex mechanisms not yet in place, but critics argue that criminalizing payments to hackers ultimately punishes the victims of cybercrime who could ultimately face legal repercussions for doing what they deem necessary to protect — or, in some cases, save — their business.
Although challenges persist, it appears the U.S. government’s mindset might be starting to shift.
In October 2023, a U.S.-led alliance of more than 40 countries vowed as governments not to pay ransoms to cybercriminals in a bid to starve the hackers from their source of income.
Since then, just as talk of a potential ransom payment ban has gotten louder, so has the ransomware activity.
In 2024 alone, we’ve seen financially driven hackers brazenly mass-exploiting flaws in various remote access tools to deploy ransomware; notorious ransomware groups bounce back from government takedowns; and disruption at healthcare providers across the U.S. after a ransomware attack on prescription processing giant Change Healthcare.
Is a ban on ransom payments the solution? It’s not that simple.
To ban or not to ban?
On the face of it, a ransom payment ban makes logical sense. If victim organizations are prohibited from paying, attackers will have less of a financial incentive to steal their data. In theory, this means those seeking to get rich quick will be forced to go elsewhere — and that ransomware attacks could become a thing of the past.
The other side is that many believe making ransom payments illegal is an over-simplistic solution to a complex problem.
Ransomware is a global problem. For a ban on ransom payments to be successful, international and universal regulation would need to be implemented — which, given varying international standards around ransom payments, would be almost impossible to enforce. It would also require governments that grant safe harbor to cybercriminals — Russia gets an obvious namecheck — to crack down within their own borders, which they’re not incentivized to do.
A blanket ban on ransom payments would also likely necessitate exceptions in dire circumstances, such as ransomware attacks involving the risk of loss of life in medical facilities or threats to national critical infrastructure.
These exceptions, while logical, would also apply to the hackers behind these attacks, which could lead to an assault on the nation’s critical infrastructure. And as long as cybercriminals continue to make money, ransomware and extortion threats won’t go away.
Some also argue that if a ransom payment ban were imposed in the U.S. or any other highly victimized country, companies would likely stop reporting these incidents to the authorities, effectively reversing all of the past cooperation between victims and law enforcement.
Allan Liska, a ransomware expert and threat intelligence analyst at Recorded Future, told TechCrunch that before a blanket ban on payments to ransomware groups — or a ban with some exceptions — is enforced, we need to make a concerted effort to better catalog the number of ransomware attacks “so we can make an informed decision on the best steps.”
“In the United States, we actually have two test cases that prove this point,” said Liska. “Both North Carolina and Florida have implemented bans on public entities paying ransom to ransomware groups. In both cases, looking at the data from a year before the laws went into effect and the year after, there has been no discernible change in the number of publicly reported ransomware attacks against public organizations in those States.”
Would a ban even work?
There’s also the issue of how effective a ransom payment ban would be.
As history has shown, hackers have little regard for rules. Even when an organization does relent to an attacker’s ransom demand, the victim’s data is not always deleted — as demonstrated by the recent lawful takedown of the LockBit ransomware gang.
Given the brazen nature of these attackers, it’s unlikely that they would be deterred by a ban on ransom payments. Rather, criminalizing payment would likely push it further underground and would likely encourage attackers to change tactics, becoming more covert in their operations and transactions.
“Are ransom payments bad? Yes, there is no net good to society that comes from paying ransomware groups, in fact, there is a direct net harm to society by paying these threat actors,” said Liska.
“Will banning ransom payments stop ransomware groups from carrying out attacks? The answer to that is unequivocally no.”
Read more on TechCrunch: